.net, asp.net-mvc, iis-7.5, httpmodule

FormsAuthentication.Decrypt failing for scripts and css


I am working on a custom SSO solution and running into some problems with FormsAuthentication.Encrypt and FormsAuthentication.Decrypt.

When a user is authenticated in my HttpModule I build up a FormsAuthenticationTicket object, encrypting it with FormsAuthentication.Encrypt and setting it on the Response. Then on subsequent calls on my site, I get the cookie value and call FormsAuthentication.Decrypt. If you have a token there for a valid user I pass you through without requiring reauthentication.

I have set a static MachineKey in my Web.configs.

The issue is that for certain pages the Decrypt method is failing for some .css and .js files (though not all, and not for the brunt of the application), with an InvalidEncryptedTicket error.

Anyone have any idea what would cause this?

//Encryption on successful authentication
FormsAuthenticationTicket fmaTicket = new FormsAuthenticationTicket(0, ticket.TicketValue.ToString(), DateTime.Now,
          DateTime.Now + new TimeSpan(0, 0, 20, 0), false, ticket.Principal);
authCookie = new HttpCookie("AUTHTICKET", FormsAuthentication.Encrypt(fmaTicket));

//Decryption when cookie is present
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);

Solution

  • I switched this to use the RijndaelManaged encryption classes (http://msdn.microsoft.com/en-us/library/system.security.cryptography.rijndaelmanaged.aspx) instead of the FormsAuthentication Encrypt and Decrypt and had no more issues.
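
An added example, not code from the question or the answer above: one way to protect a ticket string with RijndaelManaged, with an HMAC over the ciphertext, because a hand-rolled replacement no longer gets the tamper check that FormsAuthentication applies in its default protection mode. The class name TicketProtector, the two key parameters and the token layout (IV, ciphertext, MAC, Base64-encoded) are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the post): encrypt-then-MAC for a cookie value.
public static class TicketProtector
{
    const int IvLen = 16, MacLen = 32;   // AES block size, HMAC-SHA256 output size

    // encKey and macKey: 32 random bytes each, kept separate and out of source control.
    public static string Protect(string ticket, byte[] encKey, byte[] macKey)
    {
        using (var aes = new RijndaelManaged { Key = encKey, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        {
            aes.GenerateIV();            // fresh random IV for every token
            byte[] plain = Encoding.UTF8.GetBytes(ticket);
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] body = aes.IV.Concat(cipher).ToArray();
            using (var hmac = new HMACSHA256(macKey))
                return Convert.ToBase64String(body.Concat(hmac.ComputeHash(body)).ToArray());
        }
    }

    // Returns null for anything malformed or tampered with instead of throwing.
    public static string Unprotect(string token, byte[] encKey, byte[] macKey)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(token ?? ""); } catch (FormatException) { return null; }
        if (raw.Length < IvLen + 16 + MacLen) return null;   // IV + one block + MAC
        byte[] body = raw.Take(raw.Length - MacLen).ToArray();
        byte[] mac = raw.Skip(raw.Length - MacLen).ToArray();
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(body);
            int diff = 0;                // constant-time comparison
            for (int i = 0; i < MacLen; i++) diff |= expected[i] ^ mac[i];
            if (diff != 0) return null;  // verify the MAC before decrypting
        }
        using (var aes = new RijndaelManaged { Key = encKey, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        {
            aes.IV = body.Take(IvLen).ToArray();
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, IvLen, body.Length - IvLen));
        }
    }
}
```

A null result from Unprotect should be handled as "no valid ticket", so the request falls through to the normal authentication path.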