When a cookie is empty or corrupt, users may run into intermittent access issues on your website. IIS may record a CryptographicException (The data is invalid) error in Event Viewer for this issue. Since the issue is intermittent, there may not be a need for an immediate solution. However, a root cause analysis can provide valuable information and clues to prevent future occurrences.
Here is the key part of the error message from the Application container in Event Viewer:
Event code: 3005
Event message: An unhandled exception has occurred.
Trust level: Full
Process name: w3wp.exe
Exception type: CryptographicException
Exception message: The data is invalid.
at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
at System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded)
I recommend checking application-specific logs as well. In my case, the application logged the error message below at the time of the issue:
2019-01-26 08:56:28 AM ERROR: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.
The Event Viewer log shows the process name as “w3wp.exe” which is the worker process of IIS. If you observe crashes of this process, check this post out for the solution: w3wp.exe crashes every 5 minutes with error code 0xc0000374
Root Cause Analysis for CryptographicException (The data is invalid) error
My conclusion is that the issue happened because of an empty or corrupt cookie. As IIS didn't log the cookie information at the time the issue occurred, it is not possible to tell which cookie it was or what state it was in. Some reasons why a cookie is empty or corrupt are:
- Network issues
- Closing the browser while the request is being prepared
- Browser crash
Since this issue hasn't happened again, it must have been an intermittent issue that occurred on the network or client side.
If your application pool is not set to load the user profile, this can also cause the CryptographicException (The data is invalid) error, because the DPAPI keys used for user-scoped protection live in that profile.
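A quick way to audit this setting across a server is to read it through the Microsoft.Web.Administration API. The snippet below is an added example, not code from the original post; it assumes the Microsoft.Web.Administration assembly shipped with IIS is referenced and that it runs elevated on the IIS host. It lists every application pool whose loadUserProfile is false, along with the identity type, so you can see which pools would hit DPAPI without a profile.

```csharp
// Added example (not from the original post). Assumes Microsoft.Web.Administration.dll
// (installed with IIS) is referenced and the program runs as an administrator on the host.
using System;
using Microsoft.Web.Administration;

class AppPoolProfileAudit
{
    static void Main()
    {
        using (ServerManager serverManager = new ServerManager())
        {
            foreach (ApplicationPool pool in serverManager.ApplicationPools)
            {
                bool loadsProfile = pool.ProcessModel.LoadUserProfile;
                string identity = pool.ProcessModel.IdentityType.ToString();

                // Flag pools that run without a user profile; DPAPI user-scoped
                // Unprotect calls in those pools are candidates for "The data is invalid".
                Console.WriteLine("{0,-30} identity={1,-25} loadUserProfile={2}{3}",
                    pool.Name, identity, loadsProfile, loadsProfile ? "" : "  <-- check this pool");
            }
        }
    }
}
```

Run it once before and once after changing the setting (IIS Manager > Application Pools > Advanced Settings > Load User Profile) to confirm the change took effect; the pool must be recycled for the worker process to pick it up.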
If you are using WIF (Windows Identity Foundation) and receiving the "Key not valid for use in specified state" error, check this post out for the solution.
Additionally, check the Unprotect function, or any methods that call it, in your source code. As per the stack trace, this is the function that throws the exception. It takes three parameters, and the exception is most likely about the first one, encryptedData. Somehow, on the day/time the issue occurred, the value that was provided to this function was not in the right format. You can debug your source code to find out possible causes.
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
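To see how an empty, truncated or tampered cookie reaches this exception, and how a calling method can fail closed instead of crashing the request, here is an added example that is not part of the original post. It wraps ProtectedData.Protect/Unprotect (the same API as in the stack trace) in a hypothetical TryUnprotect helper, feeds it constructed good and bad cookie values, and reports a reason without ever writing the cookie contents to the log. It assumes a Windows host where DPAPI is available and uses DataProtectionScope.CurrentUser, which is the scope that depends on the worker process identity's profile being loaded.

```csharp
// Added example (not from the original post). Assumes Windows DPAPI is available;
// CookieProtection and TryUnprotect are hypothetical names for illustration.
using System;
using System.Security.Cryptography;
using System.Text;

public static class CookieProtection
{
    // Encrypt a cookie payload under the identity of the current process.
    public static string Protect(string plaintext)
    {
        byte[] protectedBytes = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plaintext), null, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(protectedBytes);
    }

    // Decode path that turns a bad cookie into "not authenticated" plus a log reason,
    // rather than an unhandled CryptographicException in w3wp.exe.
    public static bool TryUnprotect(string cookieValue, out string plaintext, out string reason)
    {
        plaintext = null;
        if (string.IsNullOrEmpty(cookieValue))
        {
            reason = "empty cookie";
            return false;
        }

        byte[] encrypted;
        try
        {
            encrypted = Convert.FromBase64String(cookieValue);
        }
        catch (FormatException)
        {
            // Log the length, never the value: the cookie may still hold a valid session.
            reason = "cookie is not valid Base64 (length " + cookieValue.Length + ")";
            return false;
        }

        try
        {
            byte[] decrypted = ProtectedData.Unprotect(encrypted, null, DataProtectionScope.CurrentUser);
            plaintext = Encoding.UTF8.GetString(decrypted);
            reason = null;
            return true;
        }
        catch (CryptographicException ex)
        {
            // This is the "The data is invalid" case from the Event Viewer stack trace.
            reason = "DPAPI rejected the blob (" + encrypted.Length + " bytes): " + ex.Message;
            return false;
        }
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample values: one valid cookie and several damaged variants.
        string good = CookieProtection.Protect("user=alice;issued=2019-01-26T08:56:28");
        byte[] raw = Convert.FromBase64String(good);

        byte[] truncated = new byte[raw.Length / 2];          // cut off mid-transfer
        Array.Copy(raw, truncated, truncated.Length);

        byte[] flipped = (byte[])raw.Clone();                 // one corrupted byte
        flipped[flipped.Length - 1] ^= 0xFF;

        string[] samples =
        {
            good,
            "",                                   // empty cookie
            Convert.ToBase64String(truncated),
            Convert.ToBase64String(flipped),
            "not-base64!"                         // garbage from a broken client
        };

        foreach (string sample in samples)
        {
            string text, reason;
            bool ok = CookieProtection.TryUnprotect(sample, out text, out reason);
            Console.WriteLine(ok ? "OK: " + text : "REJECTED: " + reason);
        }
    }
}
```

Only the first sample decodes; the empty and non-Base64 values are rejected before DPAPI is called, and the truncated and flipped blobs are rejected inside Unprotect with the same CryptographicException seen in the event log, because DPAPI authenticates the whole blob. Wiring the REJECTED branch to your application log, together with the cookie name and the client IP, gives you the information that was missing in the root cause analysis above.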
In order to have more logs for better troubleshooting, you may want to enable extra logging:
- Failed Request Tracing for 302 responses (IIS logs show 302 for the request that caused the issue)
- Cookie logging (IIS > Website > Logging > Select Fields > Cookie (cs(Cookie)))
Please note that both of these options will increase log folder sizes significantly and may cause high CPU load as well.
You may also want to record the actual client IP address if there is a load balancer in front of your web server. Check this post out for step-by-step instructions: How to log actual client IP address in IIS?