Last post Jun 02, 2006 12:14 AM by rlp2600
May 26, 2006 05:24 AM|ErikCO
My application has the following authentication process: It uses Forms authentication, with the loginUrl pointing to a different (ASP.NET 1.1) application which only handles logins. This application validates the user's name+password, and if valid, sets the authentication cookie (with a name both apps know) and redirects to my application.
In my Application_AuthenticateRequest event, I read the cookie and set the Context.User:
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    try
    {
        HttpCookie cookie = Request.Cookies.Get(FormsAuthentication.FormsCookieName);
        if (cookie != null && cookie.Values["theEncryptedTicket"] != null)
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Values["theEncryptedTicket"]);
            CustomIdentity identity = new CustomIdentity(ticket);
            CustomPrincipal principal = new CustomPrincipal(identity);
            Context.User = principal;
        }
    }
    catch (Exception ex)
    {
        // log the exception
    }
}
This all works fine with my app running ASP.NET 1.1, but now I want to convert it to ASP.NET 2.0 (but the authentication app is still running 1.1; converting it is not an option). The problem I encounter is that now, Request.Cookies.Get(FormsAuthentication.FormsCookieName) returns null, even though I can still see this cookie on the client-side. It appears that ASP.NET 2.0 (or IIS?) is stripping my cookie from the request. How or where can I get the info from my cookie back?
I did some more testing and found that if I declare a fake cookie name in my Web.config authentication forms name attribute and then look for the cookie with the name I know it to have, then I do find the cookie. However, I then get an exception on the Decrypt:
System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
This seems very strange, because both the authentication app and my app have the same machineKey setting in their Web.config, with validationKey and decryptionKey, and validation="SHA1".
Any help on either of these problems would be greatly appreciated!
Jun 02, 2006 12:14 AM|rlp2600
Not an expert, but I had a similar problem w/ the authentication cookie being stripped from the Cookies collection. My guess is that the framework tries to extract the auth. ticket before AuthenticateRequest fires, and in my case it failed because my cookie is multivalued (like yours).
Try moving your logic from Application_AuthenticateRequest to FormsAuthentication_OnAuthenticate. The cookie should be in Cookies, where you can access it and extract the auth. ticket, set up the Principal, etc.
Also, I believe Scott Gu suggested setting the "machinekey" element's "decryption" attribute to "3DES" for compatibility w/ ASP.NET 1.1 (default is "AES" in v2.0).
Hope this helps.
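The two suggestions in the reply above, combined in one sketch. This is an added example, not code from either poster. It assumes the CustomIdentity and CustomPrincipal classes and the "theEncryptedTicket" subkey from the question, and the bracketed machineKey values are placeholders.

```csharp
// Global.asax.cs of the ASP.NET 2.0 application (added example).
// Web.config must carry the same keys as the 1.1 login app, plus the 1.1 cipher:
//   <machineKey validationKey="[same as login app]"
//               decryptionKey="[same as login app]"
//               validation="SHA1" decryption="3DES" />
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Raised by FormsAuthenticationModule during AuthenticateRequest, before
    // the module tries to read the ticket from the cookie itself.
    protected void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs e)
    {
        HttpCookie cookie = e.Context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;

        // The ticket is stored in a subkey of a multivalued cookie.
        string encrypted = cookie.Values["theEncryptedTicket"];
        if (String.IsNullOrEmpty(encrypted)) return;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(encrypted);
        }
        catch (CryptographicException) { return; } // key or algorithm mismatch
        catch (ArgumentException) { return; }       // malformed or tampered ticket

        // Fail closed: an unreadable or expired ticket leaves the request anonymous.
        if (ticket == null || ticket.Expired) return;

        // CustomIdentity and CustomPrincipal are the asker's own classes (assumed).
        e.User = new CustomPrincipal(new CustomIdentity(ticket));
    }
}
```

Setting e.User makes the module use that principal for the request instead of extracting a ticket on its own. Catching only the two decrypt-related exceptions keeps unrelated failures visible rather than hiding them behind a blanket catch.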