
"Padding is Invalid and cannot be removed" exception on WebResource.axd


The error is because your appdomain was recycled/restarted. When that happens and the application's machine key is set to auto, the key changes. That affects the decryption of the info in the URLs of the resources (.axd). Setting up a fixed machine key will prevent it from ever happening again.

Please check this for more info on a similar case (the explanation is with an issue with viewstate validation, but the cause is the same one): http://www.developmentnow.com/blog/InvalidViewstate+Or+Unable+To+Validate+Data+Error.aspx

I had also been wondering about it for quite a while. After I saw this question it got me on it again: "Is this an attempt to break my ASP.Net site's security?" ... which I just answered with very much the same. I had the feeling it was around some restart of something, because when we published something that recycled the application the error showed in the log, but I didn't have any other source stating its relation (today I found that case on invalidviewstate because of the machinekey change :))

P.S. The above finally explains it on a single server :)


This problem appears when a post is generated before the page is fully loaded in the browser. Have a look at this question.


Ben,

For your first problem, I found this that seems to be a bit more to the point of what you are seeing in that the problem is sporadically occurring. You should be able to find a full explanation of this at http://www.codeproject.com/KB/security/Cryptor.aspx#aes.

What you really need to do is set RijndaelAlg.Padding to PaddingMode.ISO10126, PaddingMode.PKCS7, or PaddingMode.ANSIX923. Any one of these 3 values should work, provided that you use the same value when encrypting and decrypting. Other values will work with some data, but not with all data. The above URL explains why.

What I don't understand is the reason Microsoft provides options that sometimes don't work, or at least why they don't default to a reliable option.
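
The mechanism behind the first and third answers, as an added example that is not part of any answer above and is not ASP.NET's own code: plain AES-CBC with PKCS7 padding stands in for the resource URL encryption, and the class name, helper names and sample string are constructed. Decrypting with a key other than the one used to encrypt fails the padding check, which is the condition the exception in the title reports.

```csharp
// Added illustration; all names and the sample string are constructed.
using System;
using System.Security.Cryptography;
using System.Text;

static class PaddingDemo
{
    // Runs AES-CBC with PKCS7 padding over the input in one direction.
    static byte[] Transform(byte[] key, byte[] iv, byte[] data, bool encrypt)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7; // must be the same when encrypting and decrypting
            using (ICryptoTransform t = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor())
                return t.TransformFinalBlock(data, 0, data.Length);
        }
    }

    static byte[] RandomBytes(int n)
    {
        byte[] b = new byte[n];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return b;
    }

    static void Main()
    {
        byte[] iv = RandomBytes(16);
        byte[] keyBeforeRecycle = RandomBytes(32); // stands in for the auto-generated key
        byte[] keyAfterRecycle = RandomBytes(32);  // a fresh key after the restart
        byte[] token = Transform(keyBeforeRecycle, iv,
            Encoding.UTF8.GetBytes("constructed resource identifier"), true);

        // Same key: the original text comes back.
        Console.WriteLine(Encoding.UTF8.GetString(Transform(keyBeforeRecycle, iv, token, false)));

        // Different key: the final block decrypts to random bytes, so the PKCS7
        // check fails (about 1 time in 256 it passes by chance and yields garbage).
        try
        {
            Transform(keyAfterRecycle, iv, token, false);
            Console.WriteLine("padding happened to look valid; output is garbage");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine(ex.Message); // report the decryption failure
        }
    }
}
```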