MVC AntiForgeryToken machinekey for encryption

1

4

I came to know: Under the covers, the MVC AntiForgeryToken attribute uses the machinekey for encryption. If you don't specify a machinekey in the web.config, one is automatically generated for you by ASP.NET.

If the ASP.NET application is restarted (e.g. do an iisreset), the AntiForgeryToken within the browser cookie will still be encrypted with an old machine key, hence why it crashes with the above error.

My concern is

Before writing the machine key in web.config, I would like to know where I should look for the machine key to copy and paste into web.config. When we are testing on a local PC we can copy and paste the machine key into web.config, but when we host our site at GoDaddy or ORCSWEB in a shared environment, those companies may not give us the machine key of the PC where our site will be hosted. So I need to know how to handle this situation. Thanks.

EDIT

<configuration>
    <system.web>
        <machineKey
            validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
            decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
            validation="SHA1"
            decryption="AES"
        />
    </system.web>
</configuration>

How do I get or generate the validationKey and decryptionKey separately? Any idea?

Bumbling answered 12/8, 2014 at 9:13 Comment(0)
8

If the ASP.NET application is restarted (e.g. do an iisreset), the AntiForgeryToken within the browser cookie will still be encrypted with an old machine key???

I don't think the machine key changes with iisreset.

You can generate the machine key (validation and decryption keys) yourself and specify it in web.config. The same key will be used in all cases where encryption is performed, e.g. auth tickets and the AF token.

A good introduction link.

UPDATE:

How to generate machine key?

There are various ways. This MSDN blog suggests using IIS, which looks more secure to me as a Microsoft tool is being used. However, it seems this feature is only supported until IIS 7. I don't find it on my box with IIS 8.5. I checked on IIS 7.5 and it's not present there either. However, I found it in IIS 6.1 on a coworker's box.

The second option is to use custom key generators:

a. Machine Key Generator (online)

b. ASP.NET machineKey Generator (tool you can modify)

Fagan answered 12/8, 2014 at 9:28 Comment(6)
I updated my question about validationKey & decryptionKey. Please see and guide, please. - Bumbling
Did you check the link I provided in my answer? - Fagan
I checked the link but did not find how to generate keys for validationKey & decryptionKey. Please provide any such link which guides me to generate keys for validationKey & decryptionKey. Thanks. - Bumbling
Please see my updated answer, hope that will help you to achieve your goal. :) - Fagan
It is not advised to use any online machine key generation tool. - Cameroun
Your other question about generating keys is useful to link to: #25278968 - Cameroun
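
A local alternative to the online generators discussed above, as an added example that is not part of the original question, answer or comments: it draws both keys from the operating system's cryptographic random number generator and checks the resulting element before it goes into web.config. The function names are hypothetical; the key lengths assume validation="SHA1" and decryption="AES", as in the question's config.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Assumes validation="SHA1" and decryption="AES" as in the question's web.config.

function New-HexKey {
    param([Parameter(Mandatory)][int]$ByteCount)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # Two uppercase hex characters per byte, separators removed.
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function New-MachineKeyElement {
    $validationKey = New-HexKey -ByteCount 64   # 128 hex characters
    $decryptionKey = New-HexKey -ByteCount 32   # 64 hex characters (AES-256)
    $format = '<machineKey validationKey="{0}" decryptionKey="{1}" ' +
              'validation="SHA1" decryption="AES" />'
    return ($format -f $validationKey, $decryptionKey)
}

function Test-MachineKeyElement {
    # Writes one line per problem found; writes nothing when the element passes.
    param([Parameter(Mandatory)][string]$Xml)
    $node = ([xml]$Xml).DocumentElement
    foreach ($name in 'validationKey', 'decryptionKey') {
        $value = $node.GetAttribute($name)
        if ($value -eq '') {
            "$name is missing"
        } elseif ($value -match 'AutoGenerate') {
            "$name is auto-generated rather than fixed in web.config"
        } elseif ($value -notmatch '^[0-9A-Fa-f]+$') {
            "$name contains non-hex characters"
        } elseif (($value.Length % 2) -ne 0) {
            "$name has an odd number of hex characters"
        } elseif ($name -eq 'validationKey' -and
                  ($value.Length -lt 40 -or $value.Length -gt 128)) {
            "validationKey must be 40 to 128 hex characters"
        } elseif ($name -eq 'decryptionKey' -and $value.Length -notin 32, 48, 64) {
            "decryptionKey for AES must be 32, 48 or 64 hex characters"
        }
    }
}

$element = New-MachineKeyElement
$element                               # element to place inside <system.web>
Test-MachineKeyElement -Xml $element   # no output means the element passed
```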
