Forms Authentication issues


eric.olstad

I'm pulling my hair out here. I've created a login page that uses Forms
Authentication. Initially, it loads the types of authentication
methods from a database and asks the user to select the auth method
from a drop down list. Each method corresponds to an external module
(assembly) that is loaded using reflection and accessed using a common
interface. The modules work, I know that.

The issues come after I log in. After logging in, I am redirected to
the default page (Default.aspx). This is where it gets strange. I can
refresh on the Default page about 4 times before it redirects me back
to the login page (Login.aspx). Sometimes if I replace the URL in the
address bar with Default, it will go back to Default as if I'm logged
in. Other times it will do the expected behavior: forward me back to
Login.aspx.

When this happens (booted off of a page), I get one information message
in the event log and one warning in the event log. The warning
corresponds to a CryptographicException (far below) and the information
message corresponds to an invalid ticket (directly below).

I have the cookie timeout set to 30 minutes in the web.config. Any
help would be greatly appreciated as I can't really continue with this
project until this issue is resolved.


Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
Event time: 1/31/2006 3:47:28 PM
Event time (UTC): 1/31/2006 8:47:28 PM
Event ID: 13db6007d24d4a42b635fce914756d0d
Event sequence: 28
Event occurrence: 19
Event detail code: 50201

Application information:
Application domain: /LM/W3SVC/1164268374/Root/Admin-5-127832126614312052
Trust level: Full
Application Virtual Path: /Admin
Application Path: D:\www\sites\scarletpage.rutgers.edu\development\Admin\
Machine name:


Request information:
Request URL: Admin/WebResource.axd?d=0wPWHj8Z2UslFsHY3c7dcOptjvNTaWFmfaGPyzFuufw1&t=632701725152365642
Request path: /Admin/WebResource.axd
User host address: 128.6.213.34
User:
Is authenticated: False
Authentication Type:
Thread account name:


-------------------------

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 1/31/2006 3:47:28 PM
Event time (UTC): 1/31/2006 8:47:28 PM
Event ID: ca51ac0692ba4e1cb1ed55c3b74f800a
Event sequence: 29
Event occurrence: 4
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1164268374/Root/Admin-5-127832126614312052
Trust level: Full
Application Virtual Path: <..>
Application Path: <...>
Machine name: <...>

....

Exception information:
Exception type: CryptographicException
Exception message: Padding is invalid and cannot be removed.
 

eric.olstad

I don't know. The module authentication has been heavily tested and it
works. Otherwise, I wouldn't be able to get past the login page.
Basically, what I am doing is loading the module, calling its
Authenticate(...) method (which returns a boolean) and then calling
RedirectFromLoginPage(username, false). If the credentials fail, an
error message is shown on the login page. If they succeed, I am
successfully redirected to the next page which in this case is the
Default.aspx.

If I hit refresh on Default.aspx, sometimes it works and refreshes.
Other times it will log me out and redirect me back to the login page.
The events shown above appear in the event log on the server.

I just tested something else... The Default.aspx is derived from a
master page with a few images for the header and some text for the
footer. There is an asp:LinkButton called LogOut that has a handler
that calls FormsAuthentication.SignOut() and
FormsAuthentication.RedirectToLoginPage(). Page_Load handler does
nothing.

What I noticed is that pages derived from the master page, when
refreshed, throw the CryptographicException causing me to log out, but
pages that are independent do not no matter how many times I refresh.

Could it have something to do with the fact that the master pages are
kept in another folder? I'm not familiar with the methods in which
ASP.NET creates, encrypts and decrypts the authentication ticket (the
cookie). Could that actually be causing the problem? And if so, what
is the preferred way to do the master pages? I was told that Microsoft
prefers the master pages to be kept in a separate folder.
 

eric.olstad

Ok, well that's not exactly the case either regarding the master pages.
Because I have a web parts page not derived from any master page and
when I play with the web parts, I get logged out in the same way with
the CryptographicException being thrown. So I'm even more confused
now...

Stack trace:
   at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
   at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
   at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
   at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo)
   at System.Web.UI.Page.DecryptString(String s)
   at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
 

eric.olstad

Also, even just refreshing the login page causes a
CryptographicException to be thrown, but not the Invalid Ticket event.
 

eric.olstad

Still haven't solved the problem, but I've tracked it down a little
more.

On the login page, simply hitting refresh raises the
CryptographicException every once in a while. There are images on the
login page (asp:Image) referencing images in a subdirectory like this:
<asp:Image Name="..." ImageUrl="~/images/imagename.gif" runat="server"></asp:Image>

I notice that when I remove the images from the login page and refresh
as many times as I want, no CryptographicException appears in the event
log. If the time between refreshes is long enough, I still get the
Invalid Ticket event.

So the CryptographicException has something to do with the images. Any
ideas?
 

eric.olstad

Still no solution, but I have run some tests and have uncovered some
strange issues that I can't pin down to the source.

In the images directory are a bunch of images. Some images, when
loaded on the page, cause the app to kick me back to the login page
when the page is refreshed. Others do not. So that confuses me to no
end.

Also, I have set up in the web.config a SqlPersonalizationProvider for
WebParts. The WebParts page I have has no images on it, yet when I
refresh that page, I get punted back to the login page with the Invalid
ticket message showing up in the event log.
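
The thread reports 3005 CryptographicException events that sometimes arrive together with a 4005 invalid-ticket event and sometimes alone; over a larger log export that pairing can be checked mechanically. The following is an added example, not part of the original thread: the sample events are constructed in the same layout as the ones quoted above, and the names `parse_events` and `correlate` are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the events quoted in the thread (values made up).
SAMPLE = """\
Event code: 4005
Event time: 1/31/2006 3:47:28 PM
Application domain:
/LM/W3SVC/1/Root/App-1-1
Request path: /App/WebResource.axd
-------------------------
Event code: 3005
Event time: 1/31/2006 3:47:28 PM
Application domain: /LM/W3SVC/1/Root/App-1-1
Exception type: CryptographicException
-------------------------
Event code: 3005
Event time: 1/31/2006 4:10:02 PM
Application domain: /LM/W3SVC/1/Root/App-2-2
Exception type: CryptographicException
"""
KEY = re.compile(r"^([A-Z][A-Za-z ()]{2,}?):\s*(.*)$")

def parse_events(text):
    """Split on dashed separators and fold wrapped lines into the previous field."""
    events = []
    for chunk in re.split(r"(?m)^-{5,}\s*$", text):
        fields, last = {}, None
        for line in (l.strip() for l in chunk.splitlines()):
            m = KEY.match(line)
            if m:
                last, fields[m.group(1)] = m.group(1), m.group(2)
            elif last and line:
                fields[last] = (fields[last] + " " + line).strip()
        if "Event code" in fields:
            fields["when"] = datetime.strptime(fields["Event time"], "%m/%d/%Y %I:%M:%S %p")
            events.append(fields)
    return events

def correlate(events, window=timedelta(seconds=2)):
    """Return (ticket_failure_or_None, crypto_event) for every 3005 CryptographicException."""
    failures = [e for e in events if e["Event code"] == "4005"]
    crypto = [e for e in events if e["Event code"] == "3005" and e.get("Exception type") == "CryptographicException"]
    pairs = []
    for c in crypto:
        hit = next((f for f in failures if f.get("Application domain") == c.get("Application domain")
                    and abs(f["when"] - c["when"]) <= window), None)
        pairs.append((hit, c))
    return pairs
```

A pair whose first element is `None` is a decryption failure with no matching ticket failure in the same application domain, the case the poster saw when refreshing the login page.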
 
