
I have a requirement to append USERNAME to the URL on the server side using the URL Rewrite module.

Why? I have a website, site1. When a USER logs in to site1, he will see a link to site2. This link is a URL for reports (Tableau). An authentication ticket has been created using FormsAuthentication in site1. When the USER clicks the link, the authenticated username should be passed to site2.

I could append the username from the client side, but due to security issues I have to append the username to the URL on the server side before it gets executed.

So I have decided to use a URL Rewrite provider, which grabs the username by decrypting the cookie value as shown below:

     using System;
     using System.Collections.Generic;
     using System.Web.Security;
     using Microsoft.Web.Iis.Rewrite;

     namespace PlatformAnalysisUrlProvider.PlatformAnalysisProvider
     {
        class AnalysisRewriteProvider : IRewriteProvider, IProviderDescriptor
        {
           public void Initialize(IDictionary<string, string> settings,
                                  IRewriteContext rewriteContext)
           {
           }

           public IEnumerable<SettingDescriptor> GetSettings()
           {
              yield break;   // this provider takes no settings
           }

           // 'value' is {C:0} from the rule, i.e. the whole HTTP_COOKIE header
           public string Rewrite(string value)
           {
              string[] cookievalues = value.Split('=');
              // cookievalues[0] is the first cookie's name, cookievalues[1] its value
              FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookievalues[1]);

              // Decrypt throws the error shown below
              return ticket.Name;
           }
        }
     }

Cookie Values

        cookievalues[0] = the key
        cookievalues[1] = the value

Example:

        233AWJDKSHFHFDSHFJKDFDKJFHDKJFKDJFHDHFDHFKJHDFKJHDFJHDKJFHDSKJFHDF

It's a cookie value, but decryption is not happening.

I am getting the following error:

        Unable to validate data.
        at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(
        Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, 
        Int32 length, IVType ivType, Boolean useValidationSymAlgo, 
        Boolean signData)

Here are my settings in IIS for URL Rewrite:

  • Requested URL: Matches the Patterns
  • Using: Regular Expression
  • Ignore Case - Checked
  • Conditions - Input : {HTTP_COOKIE} Type : Matches the Pattern Pattern : .*
  • Action Type - Rewrite
  • Rewrite URL - http://11.155.011.123{HTTP_URL}&USERNAME={PlatformAnalysisUrlProvider:{C:0}}

I have also set up the MACHINE KEY as suggested by this forum.

I have referred to this post for development.

One Stack Overflow post suggested that it might be a firewall or antivirus issue, but I do not have antivirus installed or a firewall enabled.

It would really help if someone could point me to a code sample where a web site hosted in IIS uses a URL Rewrite provider.

Updating Error Log

MODULE_SET_RESPONSE_ERROR_STATUS Notification - "PRE_BEGIN_REQUEST" HttpReason - "URL Rewrite Module Error"

Updating post with Machine Key Info

     <!-- element and attribute names are case-sensitive in web.config -->
     <machineKey decryption="AES" validation="SHA1"
                 decryptionKey="******"
                 validationKey="******" compatibilityMode="Framework20SP2" />

The reason may be: the website where the cookie is getting created is developed using .NET Framework 4.5, while the provider where we read the cookie is Framework 3.5. Could this be the cause? Or do we need a config file for the provider project?

Update: I have added the machine key to Machine.config, but it still did not work :(

Alternative Solution

  • Add an App.config to the class library:

     <?xml version="1.0" encoding="utf-8" ?>
     <configuration>
     <appSettings>
     <!-- ... -->
        <add key="SecurityKey" value="somevalue"/>
     <!-- ... -->
     </appSettings>
     </configuration>
    
  • Copy the config to the GAC; follow this blog: http://techphile.blogspot.in/2007/02/2.html

  • Encrypt the value (refer here) and create a custom cookie during login

  • Use the decryption logic inside the custom rewrite provider
kudlatiger
    I think you're trying to use a within-website encryption methodology in an unsupported way between two different websites. Consider instead having Website1 function as a facade, providing the authentication function as you do now. Requests on that website that contain the valid token can then be proxied forward to Website2. Website1 can decrypt the information needed for authentication, and then poke any information needed for identification on Website2 into the request headers prior to forwarding the request on to Website2. If that information must be encrypted, then encrypt it yourself ... – Geoffrey McGrath Dec 30 '15 at 17:22
  • ... (not using the FormAuthentication object) in a way you can decrypt at Website2. – Geoffrey McGrath Dec 30 '15 at 17:22
  • I have updated the post – kudlatiger Jan 06 '16 at 05:29
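The "Alternative Solution" above stops at "encrypt the value" and "use the decryption logic"; the following is an added example (not code from the question, the comments or the URL Rewrite SDK) of what that custom cookie could look like so that the provider does not depend on FormsAuthentication at all. It uses AES-CBC for confidentiality and HMAC-SHA256 over IV||ciphertext for integrity (encrypt-then-MAC, verified before decrypting), and embeds an expiry so a stolen cookie goes stale. The two keys are assumed to be loaded from the class library's appSettings ("SecurityKey" as in the post for encryption, plus a hypothetical "MacKey"); key lengths and the `|`-separated payload layout are my own choices.

```csharp
// Added example: authenticated, expiring user-name cookie for the rewrite provider.
// Assumes encKey (16/24/32 bytes) and macKey (32 bytes) are read from appSettings
// by the caller; both the login code and the provider must use the same keys.
using System;
using System.Security.Cryptography;
using System.Text;

public static class UserCookie
{
    private const int IvSize = 16;   // AES block size
    private const int MacSize = 32;  // HMAC-SHA256 output

    // Login side: produce the cookie value to set on the response.
    public static string Protect(string userName, byte[] encKey, byte[] macKey, DateTime utcExpires)
    {
        byte[] plain = Encoding.UTF8.GetBytes(utcExpires.Ticks.ToString("D") + "|" + userName);
        byte[] iv, cipher;
        using (Aes aes = Aes.Create())   // CBC + PKCS7 by default
        {
            aes.Key = encKey;
            aes.GenerateIV();            // fresh random IV per cookie
            iv = aes.IV;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
        }
        byte[] body = new byte[IvSize + cipher.Length];
        Buffer.BlockCopy(iv, 0, body, 0, IvSize);
        Buffer.BlockCopy(cipher, 0, body, IvSize, cipher.Length);
        byte[] mac;
        using (HMACSHA256 h = new HMACSHA256(macKey))
            mac = h.ComputeHash(body);   // MAC covers IV and ciphertext
        byte[] all = new byte[body.Length + MacSize];
        Buffer.BlockCopy(body, 0, all, 0, body.Length);
        Buffer.BlockCopy(mac, 0, all, body.Length, MacSize);
        return Convert.ToBase64String(all);
    }

    // Provider side: returns the user name, or null if the cookie is missing,
    // malformed, tampered with, encrypted under another key, or expired.
    public static string Unprotect(string cookieValue, byte[] encKey, byte[] macKey, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(cookieValue)) return null;
        byte[] all;
        try { all = Convert.FromBase64String(cookieValue); }
        catch (FormatException) { return null; }
        if (all.Length < IvSize + 16 + MacSize) return null;   // IV + one block + MAC minimum

        int bodyLen = all.Length - MacSize;
        byte[] expected;
        using (HMACSHA256 h = new HMACSHA256(macKey))
            expected = h.ComputeHash(all, 0, bodyLen);
        if (!FixedTimeEquals(expected, 0, all, bodyLen, MacSize)) return null;   // reject before decrypting

        byte[] plain;
        try
        {
            using (Aes aes = Aes.Create())
            {
                aes.Key = encKey;
                byte[] iv = new byte[IvSize];
                Buffer.BlockCopy(all, 0, iv, 0, IvSize);
                aes.IV = iv;
                using (ICryptoTransform dec = aes.CreateDecryptor())
                    plain = dec.TransformFinalBlock(all, IvSize, bodyLen - IvSize);
            }
        }
        catch (CryptographicException) { return null; }   // bad padding: wrong key

        string text = Encoding.UTF8.GetString(plain);
        int sep = text.IndexOf('|');
        long expiresTicks;
        if (sep <= 0 || !long.TryParse(text.Substring(0, sep), out expiresTicks)) return null;
        if (utcNow.Ticks > expiresTicks) return null;   // expired
        return text.Substring(sep + 1);
    }

    // Constant-time comparison so MAC verification does not leak via timing.
    private static bool FixedTimeEquals(byte[] a, int aOff, byte[] b, int bOff, int len)
    {
        int diff = 0;
        for (int i = 0; i < len; i++) diff |= a[aOff + i] ^ b[bOff + i];
        return diff == 0;
    }
}
```

Both `Aes.Create()` and `HMACSHA256` are available from .NET Framework 3.5 onwards, so the same class can be compiled into the 3.5 provider library and the 4.5 website, which sidesteps the framework-version question raised in the post. Store the keys as base64 or hex strings in appSettings and decode them once at startup; generate them with a cryptographic RNG rather than deriving them from a password.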

1 Answer

The good thing about this is that the error is a general decryption error and not one with URL Rewrite itself, so that gives you a wider area to search for help. The mechanics of URL Rewrite seem to be right.

Decrypting means that it must be encrypted by the same method as you're decrypting it. So it has to be the right cookie and the right decryption method.

Since you're not checking which cookie you're reading from, you could get unexpected results if the wrong cookie is first in the list of cookies.

Here are some steps that I recommend to troubleshoot this:

  • Create a simple URL Rewrite rule that will give you the value of your cookie. I created a rule to do that in my example below. You can test it by going to yoursite.com/getcookie. It should redirect to yoursite.com/?Cookie={cookievalue}
  • Then you can test your code outside of the URL Rewrite provider. You can create a simple console app or winforms app to test the rest of the code.
  • I recommend adding a check for the existence of the cookie and then a check again for the 2nd value. For example: if (cookievalues[1] != null).
  • When developing the decryption method, you don't have to worry about URL Rewrite. As long as it works in a test app in .NET then you should be set.

<rule name="Get cookie value" stopProcessing="true">
    <match url="^getcookie" />
    <action type="Redirect" url="/?Cookie={HTTP_COOKIE}" appendQueryString="false" redirectType="Found" />
</rule>
Scott Forsyth
  • Thanks Scott for the steps. I am unable to debug the provider code in Visual Studio; the breakpoint is not hitting. Can you provide best practices for developing a provider and debugging information, so it helps me check whether the COOKIE value is being passed or not? – kudlatiger Jan 04 '16 at 06:37
  • One thing I observed: my provider code is in .NET Framework version 2.0; if I change it to 4.5, the "Managed Type" dropdown in the Provider configuration screen of IIS will not display the values. – kudlatiger Jan 04 '16 at 07:50
  • Hi @Deepak. To debug with Visual Studio you can compile and deploy, and then manually attach the debugger to the IIS w3wp.exe worker process. That should let you catch it in VS. Otherwise, you can create a stand-alone app for just the decryption and debug it separately. A simple testing app is likely easier to debug. – Scott Forsyth Jan 04 '16 at 21:13
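The answer's two points, pick the right cookie by name and check it exists before decrypting, carried through as an added example (not code from the question, the answer or the URL Rewrite SDK documentation). It assumes the `Microsoft.Web.Iis.Rewrite` assembly from the URL Rewrite extensibility SDK, that the rule still passes `{C:0}` (the whole HTTP_COOKIE header) into the provider, and a site whose machineKey matches the one that issued the ticket; the `CookieName` provider setting is a hypothetical name of my own. Note that the rewritten URL still carries the user name in clear in the query string, so site2 has to be reached only through site1 (as the comment on the question suggests) or must not trust a bare USERNAME parameter.

```csharp
// Added example: rewrite provider that locates the forms-authentication cookie
// by name in the HTTP_COOKIE header, tolerates a missing or invalid ticket, and
// URL-encodes the user name before it is spliced into the rewritten URL.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using Microsoft.Web.Iis.Rewrite;

namespace PlatformAnalysisUrlProvider.PlatformAnalysisProvider
{
    public class AnalysisRewriteProvider : IRewriteProvider, IProviderDescriptor
    {
        // Defaults to the ASP.NET forms cookie name; overridable from the
        // provider settings in IIS Manager (hypothetical setting "CookieName").
        private string cookieName = ".ASPXAUTH";

        public void Initialize(IDictionary<string, string> settings, IRewriteContext rewriteContext)
        {
            string configured;
            if (settings != null && settings.TryGetValue("CookieName", out configured)
                && !string.IsNullOrEmpty(configured))
                cookieName = configured;
        }

        public IEnumerable<SettingDescriptor> GetSettings()
        {
            yield return new SettingDescriptor("CookieName", "Name of the forms authentication cookie to read");
        }

        // 'value' is the raw Cookie header, e.g. "ASP.NET_SessionId=abc; .ASPXAUTH=...; theme=dark"
        public string Rewrite(string value)
        {
            string ticketValue = FindCookie(value, cookieName);
            if (ticketValue == null)
                return string.Empty;   // no cookie: emit an empty USERNAME instead of throwing

            FormsAuthenticationTicket ticket;
            try
            {
                ticket = FormsAuthentication.Decrypt(ticketValue);
            }
            catch (Exception)          // "Unable to validate data" and friends: treat as unauthenticated
            {
                return string.Empty;
            }
            if (ticket == null || ticket.Expired)
                return string.Empty;

            // A user name containing '&' or '=' must not be able to add query parameters.
            return HttpUtility.UrlEncode(ticket.Name);
        }

        // Parse a Cookie header and return the value of the named cookie, or null.
        // Splitting on ';' first means a '=' inside another cookie's value is harmless.
        internal static string FindCookie(string header, string name)
        {
            if (string.IsNullOrEmpty(header)) return null;
            foreach (string part in header.Split(';'))
            {
                string pair = part.Trim();
                int eq = pair.IndexOf('=');
                if (eq <= 0) continue;
                if (string.Equals(pair.Substring(0, eq).Trim(), name, StringComparison.Ordinal))
                    return pair.Substring(eq + 1).Trim();
            }
            return null;
        }
    }
}
```

`FindCookie` has no dependency on IIS or System.Web, so it can be exercised from the console app the answer recommends before the assembly is registered as a provider; the `Rewrite` method only ever returns a value that is safe to place in a query string, which keeps the rule's `&USERNAME={PlatformAnalysisUrlProvider:{C:0}}` from failing the request when the ticket cannot be validated.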