File Path for PersistKeysToFileSystem on shared server
I'm trying to make my keys persist for users that log in. As I'm currently using shared hosting for the website, I've decided to use the file system to store the keyring. So the code looks like this:

services.AddDataProtection()
.PersistKeysToFileSystem(new DirectoryInfo(""))
.SetApplicationName("MyWebsite")
.SetDefaultKeyLifetime(TimeSpan.FromDays(90))
.ProtectKeysWithCertificate(cert);

However, what I'm not really understanding is where I should hold these keys, and what path I should pass in for them to end up there. Since this is an MVC Core application I am a little confused; in MVC 5 I would put it in the App_Data folder, but here there is no App_Data folder, and I want to make sure it stays secure and cannot be accessed via the browser.

The other thing is do I pass it a relative path or a direct path? If it is relative, where is my starting point? Is it bin, root directory or something else?

Candiecandied answered 23/3, 2019 at 14:40 Comment(0)

The simplest way is probably to create a folder inside the app folder. For example, create a folder called Keys, and use the IHostingEnvironment object to get the app folder. Something like this:

using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IHostingEnvironment _environment;

    // IHostingEnvironment is injected into Startup by the host; no registration needed.
    public Startup(IHostingEnvironment environment)
    {
        _environment = environment;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // ContentRootPath is the app folder (the one containing wwwroot), not wwwroot itself,
        // so files placed here are never served by the static-file middleware.
        var keysFolder = Path.Combine(_environment.ContentRootPath, "Keys");

        // cert: the X509Certificate2 used to encrypt keys at rest; loading it is outside this snippet.
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(keysFolder))
            .SetApplicationName("MyWebsite")
            .SetDefaultKeyLifetime(TimeSpan.FromDays(90))
            .ProtectKeysWithCertificate(cert);
    }

    // snip
}
Diamagnetic answered 23/3, 2019 at 14:49 Comment(9)
When you say app folder, you mean the root directory of the website? Candiecandied
Yes, exactly: alongside the wwwroot folder (but not inside it, or the files may get served to the browser). Diamagnetic
As for IHostingEnvironment, do I inject that with IServiceCollection then?Candiecandied
This is one of the worst approaches in history because in a secure Web App environment you have no write access to the app folder - and: on next deployment the stuff is deleted: forever.Breechloader
@BenjaminAbt "worst approaches in history", hyperbole much? Of course, every situation is different and this will work for some but not others. And most deployment methods wouldn't delete those files.Diamagnetic
@Diamagnetic I have written this with this clarity in mind: 1) One of the absolute security basics of a web application is that the directory is(!) read-only 2) it is absolutely absurd to put the keys into the application directory => and make it accessible from outside.Breechloader
@BenjaminAbt I'm just saying that it's far from being as bad as you claim. For a start, .NET Core keeps app code completely distinct from assets that are served. So yes, it is a safe place to put those files. It is not absurd to store secure data there. Diamagnetic
@Benjamin Abt - so tell us where to store them? ANY file system location is THE SAME as the app folder. So the app folder is the best place because it belongs to the app, so there's no point putting session keys in some strange place. Also nobody forbids still keeping the app folder read-only; just make the keys folder writable, that's it. Sattler
@Sattler yes, that would be the way to develop web apps in 1998, but not in 2021. Breechloader
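The same setup carried over to the current minimal-hosting model, as an added example that is not part of the original answer: it resolves the key folder (the configuration keys DataProtection:KeysPath, DataProtection:CertPath and DataProtection:CertPassword are assumptions, not anything the post uses), refuses any location under the web root so the key XML files can never be served, and fails at startup rather than at first login if the folder is not writable, which addresses the read-only deployment directory objection raised in the comments.

```csharp
// Program.cs (minimal hosting, .NET 6+). Resolves the key-ring folder, refuses any
// folder the static-file middleware could serve, then wires up Data Protection.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
var env = builder.Environment;

// Assumed config key (not from the original post): an operator can point the key ring at a
// writable location outside the deployment folder; otherwise fall back to <ContentRoot>/Keys.
string keysPath = builder.Configuration["DataProtection:KeysPath"]
                  ?? Path.Combine(env.ContentRootPath, "Keys");
keysPath = Path.GetFullPath(keysPath);

// Guard: the key ring must never sit under the web root, or UseStaticFiles() could serve it.
string webRoot = Path.GetFullPath(env.WebRootPath ?? Path.Combine(env.ContentRootPath, "wwwroot"));
string webRootPrefix = webRoot.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
if (keysPath.StartsWith(webRootPrefix, StringComparison.OrdinalIgnoreCase))
{
    throw new InvalidOperationException(
        $"Data Protection key folder '{keysPath}' is inside web root '{webRoot}' and would be browsable.");
}

// Guard: surface a read-only deploy directory at startup, not when the first user signs in.
Directory.CreateDirectory(keysPath);
string probe = Path.Combine(keysPath, ".write-probe");
File.WriteAllText(probe, string.Empty);
File.Delete(probe);

// Certificate that encrypts the keys at rest; path and password come from configuration
// (assumed keys DataProtection:CertPath / DataProtection:CertPassword), never from source.
var cert = new X509Certificate2(
    builder.Configuration["DataProtection:CertPath"]!,
    builder.Configuration["DataProtection:CertPassword"]);

builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(keysPath))
    .SetApplicationName("MyWebsite")
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90))
    .ProtectKeysWithCertificate(cert);

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();
```

With the key folder on a shared host, also confirm the directory ACL limits read access to the app pool identity, since the key ring is only as private as the folder holding it.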