Thursday, January 6, 2011

ASP.NET form authentication, cookie encryption and IIS7

With IIS7 the encryption key used to encrypt the ASP.NET forms authentication cookie is, by default,
re-generated every time IIS starts or every time the application process is recycled
(when the application pool is recycled). My guess is that IIS6 uses a static encryption key.

Therefore, if your application tries to decrypt a cookie that was issued before the last recycle,
the method FormsAuthentication.Decrypt() will raise the following exception:

    System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.

One solution is to add your own machineKey to the <system.web> section of the web.config file.

    <!-- Element and attribute names are case-sensitive. Both keys are hexadecimal strings;
         replace the placeholders with keys you generated yourself. validationKey must be
         static as well, because the forms authentication ticket is signed with it. -->
    <machineKey decryption="AES"
                decryptionKey="REPLACE_WITH_64_HEX_CHARACTERS"
                validationKey="REPLACE_WITH_128_HEX_CHARACTERS" />

You can search for "machineKey generator" to find online applications that will generate the XML for you.
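A cookie can only be read by a process holding the same keys, so the keys have to be generated once and deployed to every server and application pool that shares the cookie; generating them with an online tool hands that secret to a third party. The following Python script is an added example, not code from the original post: it builds the element locally from the operating system's CSPRNG and checks an existing element against the key sizes the ASP.NET machineKey documentation allows.

```python
import secrets
import xml.etree.ElementTree as ET

# Key sizes ASP.NET accepts, in bytes (the web.config hex string is twice as long):
# decryptionKey: AES takes 16, 24 or 32 bytes; 3DES takes 24 bytes.
# validationKey: 20 to 64 bytes whatever the validation algorithm; 64 is the usual choice.
DECRYPTION_KEY_BYTES = {"AES": (16, 24, 32), "3DES": (24,)}
VALIDATION_KEY_BYTES = (20, 64)
# HMACSHA256/384/512 need .NET 4; SHA1 also works on older ASP.NET versions.
VALIDATION_ALGORITHMS = ("SHA1", "HMACSHA256", "HMACSHA384", "HMACSHA512")
REQUIRED = ("decryption", "decryptionKey", "validation", "validationKey")


def generate_machine_key(decryption="AES", validation="HMACSHA256"):
    """Return a <machineKey .../> element with fresh random keys.

    Both keys come from the OS CSPRNG, so they never leave this host. Every
    server and app pool that must read each other's cookies needs this same
    element, or decryption fails after a recycle just as with auto-generated keys.
    """
    if decryption not in DECRYPTION_KEY_BYTES:
        raise ValueError(f"unsupported decryption algorithm: {decryption}")
    if validation not in VALIDATION_ALGORITHMS:
        raise ValueError(f"unsupported validation algorithm: {validation}")
    elem = ET.Element("machineKey")  # names are case-sensitive in web.config
    elem.set("decryption", decryption)
    elem.set("decryptionKey", secrets.token_hex(max(DECRYPTION_KEY_BYTES[decryption])).upper())
    elem.set("validation", validation)
    elem.set("validationKey", secrets.token_hex(VALIDATION_KEY_BYTES[1]).upper())
    return ET.tostring(elem, encoding="unicode")


def parse_machine_key(xml_text):
    """Parse a <machineKey> element and check both keys are hex of a valid size.

    Returns the algorithms and raw key bytes so an element can be checked
    before it is deployed.
    """
    elem = ET.fromstring(xml_text)
    if elem.tag != "machineKey" or any(elem.get(a) is None for a in REQUIRED):
        raise ValueError("need <machineKey> with all four attributes set")
    decryption, validation = elem.get("decryption"), elem.get("validation")
    dk = bytes.fromhex(elem.get("decryptionKey"))  # raises on non-hex input
    vk = bytes.fromhex(elem.get("validationKey"))
    if len(dk) not in DECRYPTION_KEY_BYTES.get(decryption, ()):
        raise ValueError(f"decryptionKey is {len(dk)} bytes, wrong for {decryption}")
    if not VALIDATION_KEY_BYTES[0] <= len(vk) <= VALIDATION_KEY_BYTES[1]:
        raise ValueError(f"validationKey is {len(vk)} bytes, must be 20..64")
    return {"decryption": decryption, "validation": validation,
            "decryption_key": dk, "validation_key": vk}
```

Paste the returned element into the <system.web> section of web.config on every server; it must be identical everywhere.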
