Forms Authentication issues

Discussion in 'ASP .Net' started by eric.olstad@gmail.com, Jan 31, 2006.

  1. Guest

    I'm pulling my hair out here. I've created a login page that uses Forms
    Authentication. Initially, it loads the types of authentication
    methods from a database and asks the user to select the auth method
    from a drop down list. Each method corresponds to an external module
    (assembly) that is loaded using reflection and accessed using a common
    interface. The modules work, I know that.

    The issues come after I log in. After logging in, I am redirected to
    the default page (Default.aspx). This is where it gets strange. I can
    refresh on the Default page about 4 times before it redirects me back
    to the login page (Login.aspx). Sometimes if I replace the URL in the
    address bar with Default, it will go back to Default as if I'm logged
    in. Other times it will do the expected behavior: forward me back to
    Login.aspx.

    When this happens (booted off of a page), I get one information message
    in the event log and one warning in the event log. The warning
    corresponds to a CryptographicException (far below) and the information
    message corresponds to an invalid ticket (directly below).

    I have the cookie timeout set to 30 minutes in the web.config. Any
    help would be greatly appreciated as I can't really continue with this
    project until this issue is resolved.


    Event code: 4005
    Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
    Event time: 1/31/2006 3:47:28 PM
    Event time (UTC): 1/31/2006 8:47:28 PM
    Event ID: 13db6007d24d4a42b635fce914756d0d
    Event sequence: 28
    Event occurrence: 19
    Event detail code: 50201

    Application information:
    Application domain: /LM/W3SVC/1164268374/Root/Admin-5-127832126614312052
    Trust level: Full
    Application Virtual Path: /Admin
    Application Path: D:\www\sites\scarletpage.rutgers.edu\development\Admin\
    Machine name:

    Request information:
    Request URL: Admin/WebResource.axd?d=0wPWHj8Z2UslFsHY3c7dcOptjvNTaWFmfaGPyzFuufw1&t=632701725152365642
    Request path: /Admin/WebResource.axd
    User host address: 128.6.213.34
    User:
    Is authenticated: False
    Authentication Type:
    Thread account name:

    -------------------------

    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 1/31/2006 3:47:28 PM
    Event time (UTC): 1/31/2006 8:47:28 PM
    Event ID: ca51ac0692ba4e1cb1ed55c3b74f800a
    Event sequence: 29
    Event occurrence: 4
    Event detail code: 0

    Application information:
    Application domain: /LM/W3SVC/1164268374/Root/Admin-5-127832126614312052
    Trust level: Full
    Application Virtual Path: <..>
    Application Path: <...>
    Machine name: <...>

    ....

    Exception information:
    Exception type: CryptographicException
    Exception message: Padding is invalid and cannot be removed.
    , Jan 31, 2006
    #1

  2. Eric,
    Are you able to replicate this issue if you just switch to "plain vanilla"
    Forms Authentication with no custom modules loaded via Reflection?
    Peter

    --
    Co-founder, Eggheadcafe.com developer portal:
    http://www.eggheadcafe.com
    UnBlog:
    http://petesbloggerama.blogspot.com
    Peter Bromberg [C# MVP], Jan 31, 2006
    #2

  3. Guest

    I don't know. The module authentication has been heavily tested and it
    works. Otherwise, I wouldn't be able to get past the login page.
    Basically, what I am doing is loading the module, calling its
    Authenticate(...) method (which returns a boolean) and then calling
    RedirectFromLoginPage(username, false). If the credentials fail, an
    error message is shown on the login page. If they succeed, I am
    successfully redirected to the next page which in this case is the
    Default.aspx.

    If I hit refresh on Default.aspx, sometimes it works and refreshes.
    Other times it will log me out and redirect me back to the login page.
    The events shown above appear in the event log on the server.

    I just tested something else... The Default.aspx is derived from a
    master page with a few images for the header and some text for the
    footer. There is an asp:LinkButton called LogOut that has a handler
    that calls FormsAuthentication.SignOut() and
    FormsAuthentication.RedirectToLoginPage(). Page_Load handler does
    nothing.

    What I noticed is that pages derived from the master page, when
    refreshed, throw the CryptographicException causing me to log out, but
    pages that are independent do not, no matter how many times I refresh.

    Could it have something to do with the fact that the master pages are
    kept in another folder? I'm not familiar with the methods in which
    ASP.NET creates, encrypts and decrypts the authentication ticket (the
    cookie). Could that actually be causing the problem? And if so, what
    is the preferred way to do the master pages? I was told that Microsoft
    prefers the master pages to be kept in a separate folder.
    , Feb 1, 2006
    #3
  4. Guest

    Ok, well that's not exactly the case either regarding the master pages.
    Because I have a web parts page not derived from any master page and
    when I play with the web parts, I get logged out in the same way with
    the CryptographicException being thrown. So I'm even more confused
    now...

    Stack trace:
    at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
    at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
    at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
    at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo)
    at System.Web.UI.Page.DecryptString(String s)
    at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    , Feb 1, 2006
    #4
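
Added example, not part of the thread and not a diagnosis of the poster's server: the stack trace in post #4 fails in the padding check at the end of a Rijndael decrypt, and this C# program shows that decrypting under any key other than the one used to encrypt raises a CryptographicException at that same step in almost every trial. It assumes the `Aes.Create()` defaults (CBC, PKCS7); the class name, helper names and payload are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
static class PaddingDemo   // hypothetical name, constructed for this example
{
    // AES is Rijndael with a 128-bit block; Aes.Create() defaults to CBC + PKCS7.
    static byte[] Encrypt(byte[] key, byte[] iv, byte[] plain)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key; aes.IV = iv;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                return enc.TransformFinalBlock(plain, 0, plain.Length);
        }
    }

    // True if the final-block padding check passed, false (with the message) if it threw.
    static bool TryDecrypt(byte[] key, byte[] iv, byte[] cipher, out string error)
    {
        error = null;
        try
        {
            using (Aes aes = Aes.Create())
            {
                aes.Key = key; aes.IV = iv;
                using (ICryptoTransform dec = aes.CreateDecryptor())
                    dec.TransformFinalBlock(cipher, 0, cipher.Length);
            }
            return true;
        }
        catch (CryptographicException ex) { error = ex.Message; return false; }
    }
    static byte[] RandomBytes(int n)
    {
        byte[] b = new byte[n];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return b;
    }
    static void Main()
    {
        byte[] keyA = RandomBytes(32), iv = RandomBytes(16);
        byte[] cipher = Encrypt(keyA, iv, Encoding.UTF8.GetBytes("constructed sample payload"));
        string err, last = null; int failed = 0;
        Console.WriteLine("same key passes: {0}", TryDecrypt(keyA, iv, cipher, out err));
        for (int i = 0; i < 1000; i++)   // a wrong key can pass by chance, so count trials
            if (!TryDecrypt(RandomBytes(32), iv, cipher, out err)) { failed++; last = err; }
        Console.WriteLine("other keys rejected: {0}/1000 ({1})", failed, last);
    }
}
```

A few wrong-key trials can pass the padding check by chance and return garbage bytes, which is why the program counts rejections over many trials instead of expecting every one to throw.
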
  5. Guest

    Also, even just refreshing the login page causes a
    CryptographicException to be thrown, but not the Invalid Ticket event.
    , Feb 1, 2006
    #5
  6. Guest

    Still haven't solved the problem, but I've tracked it down a little
    more.

    On the login page, simply hitting refresh raises the
    CryptographicException every once in a while. There are images on the
    login page (asp:Image) referencing images in a subdirectory like this:
    <asp:Image Name="..." ImageUrl="~/images/imagename.gif"
    runat="server"></asp:Image>

    I notice that when I remove the images from the login page and refresh
    as many times as I want, no CryptographicException appears in the event
    log. If the time between refreshes is long enough, I still get the
    Invalid Ticket event.

    So the CryptographicException has something to do with the images. Any
    ideas?
    , Feb 1, 2006
    #6
  7. Guest

    Still no solution, but I have run some tests and have uncovered some
    strange issues that I can't pin down to the source.

    In the images directory are a bunch of images. Some images, when
    loaded on the page, cause the app to kick me back to the login page
    when the page is refreshed. Others do not. So that confuses me to no
    end.

    Also, I have set up in the web.config a SqlPersonalizationProvider for
    WebParts. The WebParts page I have has no images on it, yet when I
    refresh that page, I get punted back to the login page with the Invalid
    ticket message showing up in the event log.
    , Feb 2, 2006
    #7