Question

Within my application's Authentication code, using FormsAuthentication to handle the most intricate pieces, I've narrowed the possible culprits to an environment issue on certain machines running the application to BinaryFormatter.

On some machines the auth process completes properly and my users are logged in. On others, however, the BinaryFormatter produces separate results from the same inputs (virtually identical, unless I'm missing something), thus breaking the auth process and users can never log in.

In the correct environment, it produces a serialized string with a length of about 373. In the bad environment, the serialized string produced is 5,024. Herein lies the problem.

Here's how the code is being run:

var formatter = new BinaryFormatter();
var buffer = new MemoryStream();

formatter.Serialize(buffer, HttpContext.Current.User);

This in turn mucks up the rest of the authentication process, because it essentially creates a cookie with about 40,000+ bytes of data, which never creates a cookie (needs to be 4,096 bytes or less to be accepted by the browser).

My question, and it's not easily testable (tell me about it) - what could be different between the two machines to cause serialization differences? Both are being developed on Windows 7 in Visual Studio and running on the built-in Cassini server, but are there other common gotchas that would make Serialize return such vastly different results?


Solution

A coworker of mine came across this, and it seems that the issue is indeed in the serializer:

I tried using ASP.NET role-based authorization and need to generate a cookie for roles in the client browser. When I upgraded the .NET Framework from v4.0 to v4.5, the cookie was no longer generated. After testing and checking, I found it's because the string text returned by RolePrincipal.ToEncryptedTicket() is 10 times longer than before; the least one is larger than the max cookie length of 4,096. That's why RoleManagerModule fails to generate the cookie for ASP.NET roles. When I uninstalled .NET Framework 4.5 and re-installed v4.0, it went back to normal again. The cookie for roles appears again in the client browser.

[ Src: http://connect.microsoft.com/VisualStudio/feedback/details/759157/net-4-5-binaryformatter-serialization-generates-too-long-string ]

Also on that page is a response from Microsoft saying they looked into it (the page is a bug report) and they marked it as resolved because this was by design.

Removing .NET 4.5 and 4.0 and then re-installing 4.0 worked for me - for the time being my application runs properly, and I'm going to look into re-working the auth piece to side-step this issue, so it can move forward onto the 4.5 framework in the future.
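
One way to side-step the oversized payload, shown as an added example that is not part of the original answer: keep only the user name and role names in a FormsAuthenticationTicket instead of serializing the whole IPrincipal with BinaryFormatter, and check the size before the cookie is sent. The class name CompactAuthCookie, the '|' role separator and the 30-minute lifetime are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the post): the cookie carries only the user
// name and role names, so its size does not depend on how a framework version
// serializes the principal's object graph.
public static class CompactAuthCookie
{
    private const int MaxCookieLength = 4096; // browser limit cited in the question

    public static void Issue(HttpResponseBase response, string userName, string[] roles)
    {
        // Assumption: role names never contain '|', which is used as the separator.
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, string.Join("|", roles));

        string value = FormsAuthentication.Encrypt(ticket); // protected per <machineKey>

        // Fail loudly on the server instead of letting the browser silently drop the cookie.
        if (value == null || FormsAuthentication.FormsCookieName.Length + value.Length > MaxCookieLength)
            throw new InvalidOperationException("Auth ticket exceeds the cookie size limit.");

        response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, value)
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        });
    }

    // Rebuilds the principal; intended to be called from Application_AuthenticateRequest.
    public static IPrincipal Read(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; } // malformed or tampered value: treat as anonymous
        if (ticket == null || ticket.Expired) return null;

        string[] roles = ticket.UserData.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

Because the cookie value is never passed to BinaryFormatter.Deserialize, this also avoids deserializing client-supplied data with a formatter that Microsoft documents as unsafe for untrusted input.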

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow