machinekey

When a user logs in based on default Forms Authentication method, the server creates a cookie containing encrypted data (using Machine Key as key for encryption). It means that if someone find/guess/access Machine Key for the server, he will be logged in to the web application. I've developed some applications which are on 4 servers. So, I hard-coded the same Machine Key for all the servers in machine.config and I can't use Auto Generate mode. Is it possible to brute force the Machine Key? Is there any other methods? (I don't want to use Windows and Passport) And is Forms Authentication Ticket

I am using HMACSHA256 for message authentication in a web-farm environment. Within the web-farm each machine has the same machine key, so the ViewState will work across machines, however, I need to do HMAC message authentication which will work across machines, so I figured that since all machines use the same machine key, there should be a way to derive a key from that to use as the HMAC key. I notice that as of .NET 4.0 there is the MachineKey class, however, I am stuck with using .NET 3.5 , and this is unavailable to me. Is there a way to get some sort key that is the same on all machines

I am using MachineKey API to encrypt/decrypt a piece of information in an ASP.NET application. I am using MachineKey.Encode(data, MachineKeyProtection.All) and MachineKey.Decode(data, MachineKeyProtection.All) methods of API. Everything works great on Windows 8 and Windows Server 2012 when Load User Profile is enabled. The problem is for some reason it doesn't survive app pool restart on Windows Server 2008 R2 with IIS 7.5 . Initially I had impression that I will need to enable Load User Profile setting on Application Pool but that doesn't make any difference. Any idea what I could be missing

Where do I find the machineKey config section for ASP.NET? I don't have one in my application Web.config , there isn't one in the root Web.config and there isn't one in my machine.config . Does this mean there is some other default hardcoded into ASP.NET? If so, what are the defaults? (For .NET 2 and 4) Having read this: http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx i was expecting to find something like this, somewhere: <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" /> Edit: the 1.1 docs seem fairly clear wrt default values: http://msdn

I am trying to make run this function hex2a(hex) { var str = ''; for (var i = 0; i < hex.length; i += 2) str += String.fromCharCode(parseInt(hex.substr(i, 2), 16)); return str; } //Raw cookie var cookie = "B417B464CA63FE780584563D2DA4709B03F6195189044C26A29770F3203881DD90B1428139088D945CF6807CA408F201DABBADD59CE1D740F853A894692273F1CA83EC3F26493744E3D25D720374E03393F71E21BE2D96B6110CB7AC12E44447FFBD810D3D57FBACA8DF5249EB503C3DFD255692409F084650EFED205388DD8C08BF7B941E1AC1B3B70B9A8E09118D756BEAFF25834E72357FD40E80E76458091224FAE8"; //decryptionKey from issuers <machineKey> var deckey =

I working on a MVC 4 site which has uses Authentication. The site requires that I specify the Machine Key values. I did this via the IIS interface having deselected the "automatically generate at runtime", generated the key values and having selected "generate a unique key for each application" The web.config entry looks something like this: <machineKey decryption="DES" decryptionKey="{hex-key value},IsolateApps" validationKey="{hex-key value},IsolateApps" />; While this seems to work fine on another web project it causes the "Decryption key specified has invalid hex characters" error on the