asp.net iis-6 forms-authentication formsauthentication formsauthenticationticket

What inputs go into encrypting / creating an ASP.NET Forms Authentication Ticket?


Everything I read points to the MachineKey element in the web.config file being the only thing that determines the encrypted ticket value, but I have a lot of evidence to contradict that at the moment.

So my question is: what can make the ticket encryption value (particularly the length) different, given that the machine key and the data inside the ticket are identical?

EDIT

We are seeing the changes in the value as a result of timestamps. However, in one of the environments the created values themselves are much shorter. Two of the sites (.NET 4, MVC2/3) cope with it just fine. A .NET 2.0 / WebForms site, however, can't decrypt it with the same machine key.


Solution

  • So, while the MachineKey and encryption algorithm do decide the encrypted value produced, we have confirmed that there are definitely patches that can affect machine key encryption / decryption.

    This became evident when half of our web farm was patched, which produced encrypted tickets of different lengths than the others. It was a large set of patches, so we were unable to determine the exact patch that caused the different behavior.

    So... if anyone else experiences this very strange behavior, make sure you compare the patches and hotfixes applied to each server when troubleshooting.
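
One way to do the patch comparison recommended above, as an added example that is not part of the original post: collect each farm member's hotfix IDs with `Get-HotFix` and report every ID that is not installed on all servers. The function names `Get-FarmHotfixInventory` and `Compare-FarmHotfix`, the server names, and the KB ids are hypothetical placeholders constructed for illustration.

```powershell
# Added example. Server names and KB ids are constructed placeholders.

# Collect installed hotfix ids per server (requires WMI access to each host).
function Get-FarmHotfixInventory {
    param([Parameter(Mandatory = $true)] [string[]] $ComputerName)
    $inventory = @{}
    foreach ($computer in $ComputerName) {
        $inventory[$computer] = @(Get-HotFix -ComputerName $computer |
            Select-Object -ExpandProperty HotFixID)
    }
    $inventory
}

# Report every hotfix that is present on some servers but not on all of them.
function Compare-FarmHotfix {
    param(
        # Hashtable: server name -> array of hotfix ids installed on it
        [Parameter(Mandatory = $true)] [hashtable] $Inventory
    )
    $servers = @($Inventory.Keys | Sort-Object)
    $allIds  = $Inventory.Values | ForEach-Object { $_ } | Sort-Object -Unique
    foreach ($id in $allIds) {
        $missing = @($servers | Where-Object { $Inventory[$_] -notcontains $id })
        if ($missing.Count -gt 0) {
            $present = @($servers | Where-Object { $Inventory[$_] -contains $id })
            [pscustomobject]@{
                HotFixID    = $id
                InstalledOn = $present -join ', '
                MissingOn   = $missing -join ', '
            }
        }
    }
}

# Offline demonstration with constructed data (half the farm patched).
$sample = @{
    'WEB01' = @('KB0000001', 'KB0000002', 'KB0000003')
    'WEB02' = @('KB0000001', 'KB0000002')
}
Compare-FarmHotfix -Inventory $sample | Format-Table -AutoSize

# Against real servers (names are placeholders):
# Compare-FarmHotfix -Inventory (Get-FarmHotfixInventory -ComputerName 'WEB01','WEB02')
```

`Get-HotFix` reads `Win32_QuickFixEngineering`, which does not list every MSI-delivered update, so also compare the installed .NET Framework updates shown in Add/Remove Programs if the lists match but the ticket lengths still differ.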