asp.net forms authentication ticket tampered but still works
https://stackoverflow.com/questions/8635965
-
30-03-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I generate a forms auth ticket with some user data, encrypt and send it to my client all using the standard .net Api. Everything works except for one small problem. If i replace the 0 in the auth ticket with an alphabet between G and Z (caps), it still works - it decrypts fine and i get all my userdata and everything from the auth ticket. This is not supposed to happen right? Even a small change in the auth ticket should make the decryption not work right? Any other change would ensure that the ticket doesn't decrypt and will throw exception.
La solution
I guess the ticket is serialized as hex characters, if it reads a char that represents a valid hex char (0 - 9, A - F) it converts accordingly and add it to the decryption stream, if it finds anything else it converts to 0.
I'm not claiming that this now it actually works...
