问题
I generate a forms auth ticket with some user data, encrypt and send it to my client all using the standard .net Api. Everything works except for one small problem. If i replace the 0 in the auth ticket with an alphabet between G and Z (caps), it still works - it decrypts fine and i get all my userdata and everything from the auth ticket. This is not supposed to happen right? Even a small change in the auth ticket should make the decryption not work right? Any other change would ensure that the ticket doesn't decrypt and will throw exception.
回答1:
I guess the ticket is serialized as hex characters, if it reads a char that represents a valid hex char (0 - 9, A - F) it converts accordingly and add it to the decryption stream, if it finds anything else it converts to 0.
I'm not claiming that this now it actually works...
来源:https://stackoverflow.com/questions/8635965/asp-net-forms-authentication-ticket-tampered-but-still-works