Question

I tried implementing ASP.NET role-based authorization for my project, but I never found the cookie saved in the client browser. I tried some testing code like:

RolePrincipal rolePrincipal = new RolePrincipal(new GenericIdentity("a"));
string text1 = rolePrincipal.ToEncryptedTicket();

There are no roles in such a simple RolePrincipal object, and Roles.CookieProtectionValue is set to 'none'. However, the length of text1 is 4,688, which is larger than 4,096, so it fails to push the cookie into the client browser.

It does not make sense; otherwise it's not possible to use a cookie to cache the roles.

What's wrong with it?

Thanks

Here are the related sections in web.config:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" name=".TestAUTH"/>
</authentication>
<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
         enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
         maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
         applicationName="/" />
  </providers>
</membership>

<profile>
  <providers>
    <clear/>
    <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
  </providers>
</profile>

<roleManager enabled="true" cookieName=".TestROLE" cookieProtection="None" cacheRolesInCookie="true" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="false" >
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
    <!--<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />-->
  </providers>
</roleManager>

Solution 2

Unfortunately this is by design due to changes in the underlying types in .NET 4.5. You can turn off storing of user roles in cookies to prevent this issue (http://msdn.microsoft.com/en-us/library/system.web.security.roles.cacherolesincookie.aspx).

https://connect.microsoft.com/VisualStudio/feedback/details/759157/net-4-5-binaryformatter-serialization-generates-too-long-string
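
The change this answer suggests, applied to the roleManager element from the question, as an added example that is not part of the original answer. Setting cookieProtection back to All is an assumption added here, not something the answer states.

```xml
<!-- Before (from the question): roles are cached in a cookie with
     cookieProtection="None", so the cookie is neither validated nor
     encrypted, and the ticket string (4,688 characters in the question)
     is too long for the browser to store. -->
<roleManager enabled="true" cookieName=".TestROLE" cookieProtection="None"
             cacheRolesInCookie="true" cookieTimeout="30" cookiePath="/"
             cookieRequireSSL="false" cookieSlidingExpiration="false">
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider"
         connectionStringName="ApplicationServices" applicationName="/" />
  </providers>
</roleManager>

<!-- After: cacheRolesInCookie="false" means no roles cookie is issued and
     roles come from the role provider instead of from client-supplied data.
     cookieProtection="All" (assumption added here) keeps the cookie
     validated and encrypted if caching is ever switched back on. -->
<roleManager enabled="true" cookieName=".TestROLE" cookieProtection="All"
             cacheRolesInCookie="false" cookieTimeout="30" cookiePath="/"
             cookieRequireSSL="false" cookieSlidingExpiration="false">
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider"
         connectionStringName="ApplicationServices" applicationName="/" />
  </providers>
</roleManager>
```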

Other tips

Try adding a default provider, so from this:

<roleManager enabled="true" cookieName=".TestROLE" cookieProtection="None" cacheRolesInCookie="true" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="false" >
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
    <!--<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />-->
  </providers>
</roleManager>

to this:

<roleManager defaultProvider="AspNetSqlRoleProvider" enabled="true" cookieName=".TestROLE" cookieProtection="None" cacheRolesInCookie="true" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="false" >
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
    <!--<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />-->
  </providers>
</roleManager>

fyi:

Microsoft has recently published an update which fixes this issue.

See KB 2750147

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow