I want to pass the authentication cookie from my ASP.Net MVC 5 (.Net 4.5.1, hosted locally on iisexpress, run from Visual Studio) to my WCF Service (.Net 4.5.1, hosted locally on WcfSvcHost, run from same Visual Studio Solution) and decrypt it there. I have configured both to use the same machinekey (Web.config for ASP, App.config for WCF):
<machineKey validationKey="930681CA8CDC1BC09118D6B37E4A1B7712CEDBBD9FA1E35407EA1CD440C7E6F2DB9E93DADAC4098F90ACC7417DBE57C196722FC67F313A6AAE0F946E2FF731B6" decryptionKey="714C9581DA522C636B2D97D80276D5ACC02C274A11ABF117C76181B0480D4AEA" validation="SHA1" decryption="AES" />
Both reference the Same System.Web.dll:
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.5.1\System.Web.dll (v4.0.30319)
But when i try to pass the cookieString to my Service and call
FormsAuthenticationTicket tick = FormsAuthentication.Decrypt(cookieString);
I get the Following Error:
Unable to validate data
I tried it the other way around (generate a fake ticket on WCF service and decrypt on ASP website), which did not work either. I can generate a ticket on the ASP website and decrypt it there just fine. I can also generate a ticket on the Service and decrypt it there without any problems.
var t1 = new FormsAuthenticationTicket("foo", false, 1337);
var cookie = FormsAuthentication.Encrypt(t1);
var t2 = FormsAuthentication.Decrypt(cookie);
I also made a small Console app, created a ticket there and decrypted it on the WCF service without any problems.
So it seems like the ASP Website does not use the specified keys to encrypt or decrypt the data.
Does anyone know what i can do to solve this problem?
EDIT: I followed this guide to obtain the cookie and pass it to my service. http://thoughtorientedarchitecture.blogspot.de/2009/10/flowing-aspnet-forms-authentication.html
However as i said i tried copying the value of the encrypted cookie and decrypt it in a simple console app with the same machinekey and it did not work.
You also asked this at http://forums.asp.net/p/1956219/5581762.aspx. See my answer there:
In the WCF service, set <machineKey ... compatibilityMode="Framework45" />. This will cause it to use the same algorithm as ASP.NET.
(Also remember to change your machine key if you inadvertently copied & pasted your real key into the question above.)
Levi answered my question over here: http://forums.asp.net/t/1956219.aspx.
Adding will infer compatibilityMode="Framework45" to the machineKey section.
So to fix this bug, either add compatibilityMode="Framework45" to the machineKey section or add to the system.web section of your web.config of your ASP website.
I think you should do something like
var authCookie = FormsAuthentication.GetAuthCookie(userName, rememberUser.Checked);
// Get the FormsAuthenticationTicket out of the encrypted cookie
var ticket = FormsAuthentication.Decrypt(authCookie.Value);
// Create a new FormsAuthenticationTicket that includes our custom User Data
var newTicket = new FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent, "userData");
// Update the authCookie's Value to use the encrypted version of newTicket
authCookie.Value = FormsAuthentication.Encrypt(newTicket);
来源:https://stackoverflow.com/questions/20516255/asp-website-does-not-seem-to-use-machinekey-in-web-config-for-formsauthenticatio