ASP Website does not seem to use machineKey in Web.Config for FormsAuthentication.Decrypt


I want to pass the authentication cookie from my ASP.Net MVC 5 (.Net 4.5.1, hosted locally on iisexpress, run from Visual Studio) to my WCF Service (.Net 4.5.1, hosted locally on WcfSvcHost, run from same Visual Studio Solution) and decrypt it there. I have configured both to use the same machinekey (Web.config for ASP, App.config for WCF):

<machineKey validationKey="930681CA8CDC1BC09118D6B37E4A1B7712CEDBBD9FA1E35407EA1CD440C7E6F2DB9E93DADAC4098F90ACC7417DBE57C196722FC67F313A6AAE0F946E2FF731B6" decryptionKey="714C9581DA522C636B2D97D80276D5ACC02C274A11ABF117C76181B0480D4AEA" validation="SHA1" decryption="AES" />

Both reference the same System.Web.dll:

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.5.1\System.Web.dll (v4.0.30319)

But when I try to pass the cookieString to my service and call

FormsAuthenticationTicket tick = FormsAuthentication.Decrypt(cookieString);

I get the following error:

Unable to validate data

I tried it the other way around (generate a fake ticket on WCF service and decrypt on ASP website), which did not work either. I can generate a ticket on the ASP website and decrypt it there just fine. I can also generate a ticket on the Service and decrypt it there without any problems.

var t1 = new FormsAuthenticationTicket("foo", false, 1337);
var cookie = FormsAuthentication.Encrypt(t1);
var t2 = FormsAuthentication.Decrypt(cookie);

I also made a small Console app, created a ticket there and decrypted it on the WCF service without any problems.

So it seems like the ASP Website does not use the specified keys to encrypt or decrypt the data.

Does anyone know what I can do to solve this problem?

EDIT: I followed this guide to obtain the cookie and pass it to my service. http://thoughtorientedarchitecture.blogspot.de/2009/10/flowing-aspnet-forms-authentication.html

However, as I said, I tried copying the value of the encrypted cookie and decrypting it in a simple console app with the same machineKey, and it did not work.

3

There are 3 answers

3
wertzui On BEST ANSWER

Levi answered my question over here: http://forums.asp.net/t/1956219.aspx.

Adding will infer compatibilityMode="Framework45" to the machineKey section.

So to fix this bug, either add compatibilityMode="Framework45" to the machineKey section or add to the system.web section of your web.config of your ASP website.

1
thangchung On

I think you should do something like:

using System.Web.Security;

// userName and rememberUser.Checked come from the login form (not shown here)
var authCookie = FormsAuthentication.GetAuthCookie(userName, rememberUser.Checked);
// Get the FormsAuthenticationTicket out of the encrypted cookie
var ticket = FormsAuthentication.Decrypt(authCookie.Value);
// Create a new FormsAuthenticationTicket that includes our custom User Data
var newTicket = new FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent, "userData");
// Update the authCookie's Value to use the encrypted version of newTicket
authCookie.Value = FormsAuthentication.Encrypt(newTicket);

1
Levi On

You also asked this at http://forums.asp.net/p/1956219/5581762.aspx. See my answer there:

In the WCF service, set <machineKey ... compatibilityMode="Framework45" />. This will cause it to use the same algorithm as ASP.NET.

(Also remember to change your machine key if you inadvertently copied & pasted your real key into the question above.)
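
As an added illustration (example configuration, not taken from the question or either answer), here is what the two config files look like once the accepted answer and Levi's answer are applied: the MVC site's Web.config and the WCF host's App.config both carry the same key material and both state compatibilityMode="Framework45" explicitly. The key values are placeholders. The <httpRuntime targetFramework="4.5.1" /> element is a real ASP.NET 4.5 setting that is assumed to be present in the MVC project; setting targetFramework to 4.5 or later is what makes ASP.NET default to the Framework45 machineKey algorithms, whereas a non-ASP.NET process such as WcfSvcHost does not read that element and keeps the older Framework20SP1 default, which is exactly the mismatch that produces "Unable to validate data".

```xml
<!-- Web.config of the ASP.NET MVC 5 site (added example; keys are placeholders) -->
<configuration>
  <system.web>
    <!-- targetFramework 4.5 or later switches ASP.NET to the Framework45
         machineKey algorithms by default. The WCF host never sees this
         element, so the mode must be written out explicitly on both sides. -->
    <httpRuntime targetFramework="4.5.1" />

    <!-- Same validationKey/decryptionKey/validation/decryption values as the
         service. Generate fresh keys; do not reuse keys that were ever posted. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS"
                validation="SHA1"
                decryption="AES"
                compatibilityMode="Framework45" />
  </system.web>
</configuration>

<!-- App.config of the WCF service host (added example; keys are placeholders) -->
<configuration>
  <system.web>
    <!-- Identical machineKey element. Without compatibilityMode="Framework45"
         this process would fall back to Framework20SP1 and the MAC check on a
         ticket issued by the 4.5 site fails before any decryption happens. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS"
                validation="SHA1"
                decryption="AES"
                compatibilityMode="Framework45" />
  </system.web>
</configuration>
```

A quick way to check that both sides agree is the round trip the question already describes: FormsAuthentication.Encrypt on one side and FormsAuthentication.Decrypt on the other, which now succeeds in both directions. Stating compatibilityMode explicitly on every host, rather than relying on httpRuntime to imply it, removes the dependence on which process type happens to be reading the section.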