Thursday, January 6, 2011

ASP.NET form authentication, cookie encryption and IIS7

With IIS7, the key used to encrypt the ASP.NET forms authentication cookie is by default
regenerated every time IIS starts or the application process is recycled
(when the application pool is recycled). My guess is that IIS6 uses a static encryption key.

Therefore, if your application tries to decrypt a cookie that was issued before the last recycle,
the method FormsAuthentication.Decrypt() will raise the following exception:

    System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.

One solution is to add your own machine key in the web.config file in the section <system.web>.

    <system.web>
      <machineKey decryption="AES"
        decryptionKey="04BCBB3929F44DE6B7C0DD5C4A992A24E0E05565D5A718B59C3..."
        validation="SHA1"
        validationKey="40107878EFF79547946F85EE34808A7BDB9B7CB0EC2184029F1..." />
    </system.web>

You can search for "machineKey generator" to find online applications that will generate the XML for you.
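The same XML can be produced locally, so the key never leaves the server it will protect. The script below is an added example, not code from the original post; it draws both keys from the operating system CSPRNG, emits the <machineKey> element, and checks an existing element for the mistakes (wrong attribute casing, non-hex or wrongly sized keys) that would make IIS reject or ignore it. Key sizes (32-byte AES key, 64-byte validation key) are the sizes the IIS Manager key generator uses and are assumptions of this script, not values from the post.

```python
import secrets
import xml.etree.ElementTree as ET

# Key sizes in bytes (assumed, matching what IIS Manager "Generate Keys" emits):
# AES-256 needs a 32-byte decryptionKey; 64 bytes is the usual validationKey size.
DECRYPTION_KEY_BYTES = 32
VALIDATION_KEY_BYTES = 64


def generate_machine_key(decryption="AES", validation="SHA1",
                         rng=secrets.token_hex):
    """Return the attributes of a <machineKey> element with fresh keys.

    rng(n) must return 2*n hex characters; the default secrets.token_hex
    uses the OS CSPRNG, so keys are never derived from a guessable seed.
    """
    return {
        "decryption": decryption,
        "decryptionKey": rng(DECRYPTION_KEY_BYTES).upper(),
        "validation": validation,
        "validationKey": rng(VALIDATION_KEY_BYTES).upper(),
    }


def machine_key_xml(attrs):
    """Serialise the attributes as the element to paste under <system.web>."""
    return ET.tostring(ET.Element("machineKey", attrs), encoding="unicode")


def check_machine_key(attrs):
    """List problems that make IIS ignore or mis-parse the element:
    case-sensitive attribute names, non-hex keys, keys of the wrong length.
    An empty list means the element matches what this script generates."""
    problems = []
    for name, nbytes in (("decryptionKey", DECRYPTION_KEY_BYTES),
                         ("validationKey", VALIDATION_KEY_BYTES)):
        value = attrs.get(name)
        if value is None:
            problems.append(f"missing {name} (attribute names are case-sensitive)")
            continue
        try:
            raw = bytes.fromhex(value)
        except ValueError:
            problems.append(f"{name} is not hexadecimal")
            continue
        if len(raw) != nbytes:
            problems.append(f"{name} is {len(raw)} bytes, expected {nbytes}")
    return problems


if __name__ == "__main__":
    key = generate_machine_key()
    assert check_machine_key(key) == []
    print(machine_key_xml(key))
```

Because the generated key is static, every worker in a web farm must carry the same element, and it should be treated as a secret like any other credential in web.config.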
