How to set machineKey on Azure Website
I'm running an Azure Website. Whenever I deploy, everyone gets logged out because the machineKey changes.

I specified the machineKey in the web.config but this didn't solve the issue. I believe this is because Azure automatically overwrites the machineKey [1].

I've found a couple of similar questions here but the answers link to dead links.

So, what's the solution? Surely there's a way to keep users logged in regardless of deployments on Azure.

Leekgreen answered 12/4, 2015 at 21:49 Comment(6)
A website hosted as a WebRole or via Azure Websites?Sphenic
Are you sure it's not the use of InProc session that gets your users logged out? We are using a machineKey specified in web.config for cookie encryption on an Azure Website using autoscaling and we have no problems with changing machineKeys on either scaling up or on new deployments.Sonneteer
@miracledev I'm pretty sure InProc session isn't relevant here. Session state and authentication are handled differently. The user's encrypted session cookie contains everything needed to treat the user as logged in. No state is stored on the server.Leekgreen
@Mr.Flibble Okay, just checking the obvious, but as I said we use machineKey for encryption and we have no problems reading our encrypted data across deploys :)Sonneteer
Is it under a shared website?Meatman
@AkashKava No - it's not a shared WebsiteLeekgreen
Try to reset the machine-key configuration section upon Application_Start:

using System.Configuration;
using System.Reflection;
using System.Web.Configuration;

protected void Application_Start()
{
    // ...

    // MachineKeySection.Reset is not public, so it has to be reached by reflection.
    var mksType = typeof(MachineKeySection);
    var mksSection = ConfigurationManager.GetSection("system.web/machineKey") as MachineKeySection;
    var resetMethod = mksType.GetMethod("Reset", BindingFlags.NonPublic | BindingFlags.Instance);

    // Keep the settings that are not key material exactly as the runtime configured them ...
    var newConfig = new MachineKeySection();
    newConfig.ApplicationName = mksSection.ApplicationName;
    newConfig.CompatibilityMode = mksSection.CompatibilityMode;
    newConfig.DataProtectorType = mksSection.DataProtectorType;
    newConfig.Validation = mksSection.Validation;

    // ... and take the keys and algorithms from <appSettings>, which Azure does not rewrite.
    newConfig.ValidationKey = ConfigurationManager.AppSettings["MK_ValidationKey"];
    newConfig.DecryptionKey = ConfigurationManager.AppSettings["MK_DecryptionKey"];
    newConfig.Decryption = ConfigurationManager.AppSettings["MK_Decryption"]; // default: AES
    newConfig.ValidationAlgorithm = ConfigurationManager.AppSettings["MK_ValidationAlgorithm"]; // default: SHA1

    // Replace the in-memory machineKey section with the pinned values for the lifetime of the app.
    resetMethod.Invoke(mksSection, new object[] { newConfig });
}

The above assumes you set the appropriate values in the <appSettings> section:

<appSettings>
  <add key="MK_ValidationKey" value="...08EB13BEC0E42B3F0F06B2C319B..." />
  <add key="MK_DecryptionKey" value="...BB72FCE34A7B913DFC414E86BB5..." />
  <add key="MK_Decryption" value="AES" />
  <add key="MK_ValidationAlgorithm" value="SHA1" />
</appSettings>

But you can load your actual values from any configuration source you like.

Rosy answered 21/4, 2015 at 7:14 Comment(3)
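The following console program is an added example and is not part of the answer above or of any Azure or ASP.NET code. It generates a validation/decryption key pair of the sizes ASP.NET expects for the MK_* appSettings (64 bytes for the validation key, 32 bytes for AES), and then shows with a minimal HMAC-signed stand-in for a forms-authentication ticket why a machineKey that changes between deployments logs everyone out: the ticket issued under one validation key verifies under the same key and fails under a freshly generated one. Names such as MachineKeyDemo, Sign and Verify, and the sample payload, are invented for the demonstration; the demo signs with HMACSHA256, whereas the answer's appSettings pick SHA1, which ASP.NET treats as HMACSHA1 and which accepts the same 64-byte key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original page: key generation for the MK_* appSettings
// and a demonstration of what happens to a signed ticket when the validation key changes.
static class MachineKeyDemo
{
    // Sizes matching the answer's algorithms: AES decryption key of 32 bytes (AES-256);
    // validation key of 64 bytes, which ASP.NET uses for both HMACSHA1 and HMACSHA256.
    const int DecryptionKeyBytes = 32;
    const int ValidationKeyBytes = 64;

    // Upper-case hex without separators, the format web.config/appSettings expect.
    static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    static byte[] FromHex(string hex)
    {
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return bytes;
    }

    // Minimal stand-in for a forms-auth ticket: "payload|base64(HMAC(validationKey, payload))".
    static string Sign(byte[] validationKey, string payload)
    {
        using (var hmac = new HMACSHA256(validationKey))
            return payload + "|" + Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    static bool Verify(byte[] validationKey, string ticket)
    {
        int sep = ticket.LastIndexOf('|');
        if (sep < 0) return false;
        byte[] actual;
        try { actual = Convert.FromBase64String(ticket.Substring(sep + 1)); }
        catch (FormatException) { return false; }

        byte[] expected;
        using (var hmac = new HMACSHA256(validationKey))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(ticket.Substring(0, sep)));

        // Constant-time comparison so the MAC check does not leak timing information.
        if (actual.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    static void Main()
    {
        string validationKey = RandomHex(ValidationKeyBytes);
        string decryptionKey = RandomHex(DecryptionKeyBytes);

        // Paste these into <appSettings> (or, better, into the Azure portal's app settings).
        Console.WriteLine("<add key=\"MK_ValidationKey\" value=\"" + validationKey + "\" />");
        Console.WriteLine("<add key=\"MK_DecryptionKey\" value=\"" + decryptionKey + "\" />");

        // "Deployment 1" issues a ticket under the pinned validation key (constructed sample payload).
        string ticket = Sign(FromHex(validationKey), "alice|expires=2015-04-22T07:14:00Z");

        // "Deployment 2" with the same pinned key still accepts the ticket ...
        Console.WriteLine("same key:    " + Verify(FromHex(validationKey), ticket));

        // ... while an instance whose machineKey was autogenerated rejects it, i.e. the user is logged out.
        string rotatedKey = RandomHex(ValidationKeyBytes);
        Console.WriteLine("rotated key: " + Verify(FromHex(rotatedKey), ticket));
    }
}
```

Whatever carries the keys is now as sensitive as the machineKey itself: on Azure Websites the portal's app settings override the values in web.config's <appSettings>, so the generated keys can be kept there (and in source control only as placeholders) rather than committed alongside the application.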
Thank you very much @haim770. I'm testing this now and it appears to be working.Leekgreen
@Mr.Flibble, I did test it on a free Azure Website as well. However, since the Azure Websites team are constantly unlocking more and more sections of the Web.Config, I believe they'll eventually let you set the MachineKey normally in the configuration.Rosy
Awesome implementation @haim770. Seems this isn't working for us. We are using .NET 4.6.1 and using OWIN startup with app.UseCookieAuthentication() and using a Redis cache session provider. I implemented the above, but the user keeps getting logged out after a slot swap. Any ideas?Hegarty
If Azure is rewriting your machineKey, you can't do much about it, as it is part of their infrastructure. However, there are other methods.

Override FormsAuthentication

This should not be difficult, as you can easily look up the source code of FormsAuthentication, create your own logic and replace the MachineKey with your own key stored in web.config or in your database.

Custom Authentication Filter

The simplest way would be to create a filter and check, verify, and encrypt/decrypt cookies in your filter. You need to do this in the OnAuthorization method and create a new instance of IPrincipal, setting IsAuthenticated to true if decryption was successful.

OAuth

  1. Enable OAuth and create an OAuthProvider. However, you will need to host the OAuthProvider on a server that is under your control, as that will need a working machineKey.
  2. Enable third-party OAuth. If you enable OAuth with Google, Facebook etc., it will be easy, as the user will be redirected to the OAuth provider, they will continue to log in automatically, and a new session will be established.
Meatman answered 21/4, 2015 at 5:34 Comment(0)
I had the same issue and in my case I was using the webdeploy to Azure wizard in VS13. I thought I was going crazy as I would set the machinekey in the web.config and then it would be changed on the deployed web.config to autogenerate. It is something in the webdeploy script/settings. My solution was to open the live azure site from within VS13 using the Server Explorer and then editing the web.config and saving changes. This preserved my settings with my supplied keys and all works fine.

Roana answered 11/7, 2015 at 18:1 Comment(0)