Saved an unreadable FormsAuthenticationTicket. Any way to clear from server side?

When a user logs into our site, a FormsAuthenticationTicket is created. Recently, we made a change to add an encrypted string as part of the ticket's name. Turns out, certain strings, when encrypted, became unreadable by IIS, and when an affected user logs in this error is thrown:

System.ArgumentException: Value does not fall within the expected range.

Stack Trace:

[ArgumentException: Value does not fall within the expected range.]
System.Web.Hosting.IIS7WorkerRequest.SetPrincipal(IPrincipal user) +11710943
System.Web.Security.FormsAuthenticationModule.OnAuthenticate(FormsAuthenticationEventArgs e) +379
System.Web.Security.FormsAuthenticationModule.OnEnter(Object source, EventArgs eventArgs) +102
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +75
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +93

The issue was patched; however, affected users needed to clear their ASPXAUTH cookie to be able to log in again. We don't know how many users were affected. However, we'd like to be able to let them log in again without clearing cookies.

I've tried several solutions to invalidate the session token server side, but without any success. I added code to Global.asax to try to catch it before it errors; however, the error seems to be coming from IIS, before it even hits our code. While debugging, it never hits any breakpoints in Global.asax before the error pops up. I've tried with the methods:

Application_AuthenticateRequest
Application_AcquireRequestState
Session_OnStart
Application_Start

I was going to attempt a solution similar to the one found here:

https://www.jitbit.com/alexblog/282-invalidating-aspnet-forms-authentication-tickets-server-side/

And just invalidate tokens older than the date of the hotfix. But it seems that I can't check the date of the ticket if IIS throws an error when trying to read it.

We save our session tokens in a database. I tried clearing those out on our test server and even that didn't resolve it. Edit: I also tried recycling the app pool, moving to another app pool, and doing an iisreset.

Is there some way to tell the client browser to throw out a cookie? The code based solutions I've tried haven't worked, so is there a way to do it from IIS? Or maybe to catch the error before it gets to the client and invalidate the token?
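One place a handler can still run after FormsAuthenticationModule throws is Application_Error, since HttpApplication raises the Error event for unhandled exceptions from any pipeline step. The following Global.asax.cs sketch is an added example, not code from the question or from the jitbit post; it assumes the exception surfaces to Application_Error as an ArgumentException with FormsAuthenticationModule in its stack trace, and that the broken ticket lives in the standard forms cookie.

```csharp
// Global.asax.cs (added example, not from the original question).
// Assumption: the ArgumentException thrown while IIS sets the principal
// reaches Application_Error even though Application_AuthenticateRequest
// and later handlers are never entered for that request.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        // Unwrap in case ASP.NET has already wrapped the original exception.
        Exception ex = Server.GetLastError();
        if (ex == null) return;
        ex = ex.GetBaseException();

        string cookieName = FormsAuthentication.FormsCookieName; // ".ASPXAUTH" by default

        // Handle only this specific failure: an ArgumentException raised from
        // the forms-auth module while a forms cookie is actually present.
        // Matching on the stack trace text is an assumption about the
        // exception shape; tighten it to whatever your logs show.
        bool fromFormsAuth = ex is ArgumentException
            && ex.StackTrace != null
            && ex.StackTrace.Contains("FormsAuthenticationModule")
            && Request.Cookies[cookieName] != null;
        if (!fromFormsAuth) return; // let every other error surface normally

        // Tell the browser to discard the unreadable ticket: an expiry in the
        // past is the same mechanism FormsAuthentication.SignOut() uses.
        var expired = new HttpCookie(cookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true,
            Secure = Request.IsSecureConnection,
            Path = FormsAuthentication.FormsCookiePath,
        };
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            expired.Domain = FormsAuthentication.CookieDomain;
        Response.Cookies.Add(expired);

        // Swallow the pipeline error and send the user to the login page
        // with a clean cookie jar; the next login issues a fresh ticket.
        Server.ClearError();
        Response.Redirect(FormsAuthentication.LoginUrl, endResponse: true);
    }
}
```

A config-only alternative is to change the cookie name in web.config (`<forms name="...">`), which makes the module ignore every ticket issued under the old name, at the cost of signing out all users at once.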



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow