
Getting "not a valid Base-64 string" on federated identity token

I am randomly getting a base 64 encoding error when browsing my mvc3 azure web role. I am using WIF with passive authentication to authenticate against my ADFS server. I have not been able to isolate where this is coming from, but I have an idea and am hoping for some feedback/help.

From the call stack it looks like it's coming from a bad cookie. The "FedAuth" cookies from wif/adfs are the only thing that show up when I look at my cookies from the chrome developer console. So I am thinking that somehow these cookies are getting corrupted or have invalid characters in them. I am working on verifying this but since the error happens randomly it's taking some time. Has anyone experienced anything similar or have any inclinations as to what could be causing this? Any help is appreciated!

Here is the exception:

The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or a non-white space character among the padding characters.
[FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or a non-white space character among the padding characters. ]
   System.Convert.FromBase64String(String s) +0
   Microsoft.IdentityModel.Web.ChunkedCookieHandler.ReadInternal(String name, HttpCookieCollection requestCookies) +613
   Microsoft.IdentityModel.Web.ChunkedCookieHandler.ReadCore(String name, HttpContext context) +174
   Microsoft.IdentityModel.Web.CookieHandler.Read(String name, HttpContext context) +133
   Microsoft.IdentityModel.Web.CookieHandler.Read(HttpContext context) +59
   Microsoft.IdentityModel.Web.CookieHandler.Read() +65
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +84
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +119
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270

I've been doing some more testing on my cookies and I can see that with every request my fedauth cookie gets bigger and bigger. This could be part or all of the problem. Eventually, and randomly, something is appending some bad characters. The token ends with these closing tags "". I can see that it fails when some extra characters show up after the security context token close tag. The extra characters are different every time the error happens.

asked Oct 05 '12 18:10

Ben Tidman


2 Answers

Figured it out. Oops... programmer error...

When users first log into my application I pull some role information from my database and create claims for them. I was re-adding these claims every time, so my session token was growing... and growing... eventually this was causing the token to split over 2, 3, 4, 5, 6 cookies and eventually something was just choking on this. I am no longer adding the claims every time. No longer seeing this issue.

Thanks for all your help.

answered Nov 20 '22 04:11

Ben Tidman
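
A diagnostic for the symptom described in the question and the answer above, added here as an example (not code from the thread or from WIF): it joins the chunked session cookies from a request's Cookie header, checks that the result is valid Base64, and reports how many chunks the token occupies. The FedAuth, FedAuth1, FedAuth2 chunk naming, the helper names and the two-chunk threshold are assumptions; the sample header is constructed.

```python
import base64
import binascii
import re

def build_header(token_bytes, chunk_size, name="FedAuth"):
    """Constructed sample: Base64-encode a token and split it into chunk cookies."""
    value = base64.b64encode(token_bytes).decode("ascii")
    pieces = [value[i:i + chunk_size] for i in range(0, len(value), chunk_size)]
    return "; ".join(f"{name}{i or ''}={p}" for i, p in enumerate(pieces))

def reassemble(cookie_header, name="FedAuth"):
    """Collect name, name1, name2, ... in order (assumed chunk naming)."""
    cookies = {}
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            cookies[key] = value
    chunks, index = [], 0
    while f"{name}{index or ''}" in cookies:
        chunks.append(cookies[f"{name}{index or ''}"])
        index += 1
    return chunks

def inspect(cookie_header, name="FedAuth", max_chunks=2):
    """Report chunk count, total size and the first Base64 defect, if any."""
    chunks = reassemble(cookie_header, name)
    value = "".join(chunks)
    problems = []
    if not chunks:
        problems.append(f"no {name} cookie in request")
    # A character outside the alphabet, or '=' followed by more data.
    stray = re.search(r"[^A-Za-z0-9+/=]|=(?=[A-Za-z0-9+/])", value)
    if stray:
        problems.append(f"invalid character {stray.group()!r} at offset {stray.start()}")
    else:
        try:
            base64.b64decode(value, validate=True)
        except binascii.Error as exc:
            problems.append(f"bad length or padding: {exc}")
    if len(chunks) > max_chunks:
        problems.append(f"{len(chunks)} chunks exceeds the expected {max_chunks}")
    return {"chunks": len(chunks), "chars": len(value), "problems": problems}

if __name__ == "__main__":
    header = build_header(b"constructed session token " * 8, 100)
    print(inspect(header))           # valid Base64, but already three chunks
    print(inspect(header + "}!"))    # stray characters appended after the token
```

Run over Cookie headers captured in request logs, a chunk count that climbs across one user's requests is the growing-token pattern this answer describes.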


I had a similar error message using base64 to encode parameters in a query string. I had a %3d which showed fine in the query string, but asp.net was converting it to an = sign when I retrieved it in code. I solved it by calling Server.UrlEncode() before decrypting the base64. It could be the base64 value in the cookie is being decoded before being decrypted.

answered Nov 20 '22 04:11

Russell Christensen