We have a cookie management library that writes a cookie containing some sensitive information, encrypted with Rijndael. The cookie encrypts and decrypts fine in unit tests (using Moq), works fine for MVC web application开发者_JS百科s, but when called from an ASP.net 2.0 website, the cookie cannot be decrypted. "Padding is invalid and cannot be removed."
We are sure that the cookie value is valid because we tested it 10,000 times with random data in a unit test. There is something about what ASP.NET 2.0 does when it reads and writes the cookie that causes trouble.
There has to be a gotcha. Any suggestions?
Hex-encode the data before storing it in the cookie, since hex characters are valid for cookie values. (Base64 isn't safe as-is, but you could replace the +=/ characters with _-., for example.) Also note that cookies have a maximum length, though I forget what this limit is offhand.
If you're trying to serialize a large value, consider storing it in Session, so the user doesn't have access to it at all. The downside to this is that this uses memory on the server, and if you have a web farm you'd have to keep these in sync across machines.
精彩评论