Invalid value for encryptedTicket parameter

I recently modified the login for my company's eComm site to have a "Keep me logged in" feature. The primary change was to make the forms authentication cookie persistent for these users.

After the change was released I started seeing this exception in my logs:

Invalid value for 'encryptedTicket' parameter
at System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket)

The problem seems to be user agent specific. The only user agents the error has been recorded for are:

  • Mozilla/5.0 (iPad; U; CPU OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5

  • eTailInsights Tag Identifier/1.0

I have an iPad with the configuration listed above. The first login attempt works. But closing the browser and going back to the site, thus using the persistent cookie, causes the error.

The behavior is also inconsistent across environments. It works fine against my local machine and test server, but fails on production, which makes it difficult to troubleshoot.

Other versions of iOS/Safari can login fine.

Searching for this error turned up several references to a problem with web forms and newer browser versions. This does not seem consistent with my scenario though. I'm not seeing errors for new browsers and my site is MVC.

I found one question similar to mine, but with no answer.

Anybody know what is happening here?

PeaceFrog asked Sep 19 '13 13:09


2 Answers

What I found out is that for some reason the cookie can get an inconsistent value. For us it was only some users, in some situations.

Rather than raising an error, I just propose to log the user out in case of the ArgumentException. It doesn't explain the "why" and is not completely satisfying (in some ways the "remember me" won't work for some users...), but at least it may keep a normal behavior for the user.

In global.asax:

    using System;
    using System.Web;
    using System.Web.Security;

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];

        if (authCookie != null)
        {
            try
            {
                // Throws ArgumentException when the cookie value is not a valid ticket
                var authTicket = FormsAuthentication.Decrypt(authCookie.Value);

                //...
                //setting user properties with cookie...
                //...
            }
            catch (ArgumentException)
            {
                // Bad ticket: clear the auth cookie and treat the user as logged out
                FormsAuthentication.SignOut();
                Response.Redirect("/");
            }
        }
    }

Not even sure the redirect is needed (would have to check).

Hope this helps

bootis answered Sep 22 '22 14:09


You might have the same error when the ticket you're trying to deserialize is too long.

Alexander G answered Sep 22 '22 14:09
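The following is an added example, not code from the question or from either answer. It is a Global.asax.cs handler that combines the two answers above: it follows the first answer in treating a ticket that fails to decrypt as "not logged in" rather than as a server error, and it records the cookie length and user agent on failure so the second answer's "ticket too long" hypothesis (and the question's iPad-only pattern) can be checked from the logs. Assumptions made for this example and not taken from the page: the ticket's UserData is a comma-separated role list, 4096 is used only as a logging threshold for the ticket length, and System.Diagnostics.Trace stands in for whatever logger the site uses.

```csharp
// Added example (not the question's or either answer's code).
// Global.asax.cs for an ASP.NET (System.Web) site with Forms Authentication.
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumed threshold used only for logging; the real limit is enforced
    // inside FormsAuthentication.Decrypt, which throws ArgumentException.
    private const int AssumedMaxTicketLength = 4096;

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
        {
            return; // anonymous request, nothing to decrypt
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (ArgumentException ex)
        {
            // Malformed, truncated or tampered value. Fail closed: keep the
            // metadata needed to troubleshoot (length and user agent) but never
            // log the cookie value itself, since it is a bearer credential.
            Trace.TraceWarning(
                "Forms ticket rejected: {0}; cookieLength={1} (threshold {2}); userAgent={3}",
                ex.Message,
                authCookie.Value.Length,
                AssumedMaxTicketLength,
                Request.UserAgent);
            ClearAuthCookie();
            return;
        }

        if (ticket == null || ticket.Expired)
        {
            ClearAuthCookie();
            return;
        }

        // Rebuild the principal from the ticket. Treating UserData as a role
        // list is an assumption of this example; use whatever the site stores.
        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    private void ClearAuthCookie()
    {
        // Expire the cookie in the response and drop it from the request so
        // that nothing later in this pipeline re-reads the bad value.
        FormsAuthentication.SignOut();
        Request.Cookies.Remove(FormsAuthentication.FormsCookieName);
    }
}
```

Unlike the first answer, this version does not redirect on failure: the request simply continues as anonymous, so public pages still render and the authorization module sends protected pages to the login URL as usual, which is the "keep a normal behavior for the user" outcome the answer was after. The warning line gives you, per failure, the ticket length next to the user agent, which is exactly the pair of facts the question and the second answer are reasoning about.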