Web Farm and <machineKey>

Discussion in 'ASP .Net Security' started by Kevin Burton, Oct 30, 2003.

  1. Kevin Burton

    Kevin Burton Guest

    I have a Web Farm and I understand that in order to keep
    ViewState safe I want to modify the <machineKey>.

    1) The documentation indicates that EnableViewStateMac
    defaults to "false" but I am seeing View State corruption
    messages (as a result of HttpException). Can the View
    State be detected as corrupt without the MAC validation?

    2) I see some examples of some keys that I can use for
    validation and encryption. Is there a utility that I can
    use to generate a key? Yes, I understand that the same key
    has to be on each member of the Web farm. I would just
    like to generate my own key.

    3) Is the default to encrypt and hash or just hash or none?

    Thank you.

    Kevin
     
    Kevin Burton, Oct 30, 2003
    #1

  2. Kevin Burton

    Teemu Keiski Guest

    Hi,

    1. Docs are incorrect here. enableViewStateMac="true" is the default.

    2. http://www.eggheadcafe.com/articles/20030514.asp

    3. By default both validationKey and decryptionKey are autogenerated which
    means both techniques are applied as well.

    You could also take a peek at docs about <machineKey> though the article at
    answer 2) covers those also.
    http://msdn.microsoft.com/library/d...n-us/cpgenref/html/gngrfmachinekeysection.asp

    --
    Teemu Keiski
    MCP, Microsoft MVP (ASP.NET), AspInsiders member
    ASP.NET Forum Moderator, AspAlliance Columnist

    "Kevin Burton" <> wrote in message
    news:033901c39f32$08cf2440$...
    > I have a Web Farm and I understand that in order to keep
    > ViewState safe I want to modify the <machineKey>.
    >
    > 1) The documentation indicates that EnableViewStateMac
    > defaults to "false" but I am seeing View State corruption
    > messages (as a result of HttpException). Can the View
    > State be detected as corrupt without the MAC validation?
    >
    > 2) I see some examples of some keys that I can use for
    > validation and encryption. Is there a utility that I can
    > use to generate a key? Yes, I understand that the same key
    > has to be on each member of the Web farm. I would just
    > like to generate my own key.
    >
    > 3) Is the default to encrypt and hash or just hash or none?
    >
    > Thank you.
    >
    > Kevin
    >
    >
     
    Teemu Keiski, Nov 3, 2003
    #2

  3. The purpose of the View State MAC feature is to make it impossible for
    clients to send a request containing malicious View State. This feature is
    enabled by default, via the enableViewStateMac="true" flag in your
    machine.config. The simplest way to determine whether the issue you are
    dealing with is related to the MAC is to turn off the feature, by setting
    enableViewStateMac="false". If you no longer get View State errors, then
    the problem is MAC related.

    The viewstate error can be caused by an underlying exception not being
    handled properly.

    One of the prominent causes of this error in a web farm environment is the
    fact that the validation key is left as AutoGenerate.
    In a Web Farm, each client request can go to a different machine on every
    postback. Because of this, you cannot leave the validationKey set to
    'AutoGenerate' in machine.config. Instead, you must set it to a fixed
    string that is shared among all the machines on the Web Farm.


    The following article tells you how to create the keys.
    313091 HOW TO: Create Keys by Using Visual Basic .NET for Use in Forms
    http://support.microsoft.com/?id=313091

    Hope this helps.
    Imtiaz Hussain.
     
    Imtiaz Hussain, Nov 3, 2003
    #3
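
An added example, not part of the thread or of the linked articles: a Python sketch that generates a fixed key pair from a CSPRNG and audits the `<machineKey>` settings collected from each farm node for `AutoGenerate` values or mismatched keys, the two conditions the post above describes. The node names, the sample configs and the default key lengths (64 and 24 bytes) are assumptions made for the example.

```python
import secrets
import xml.etree.ElementTree as ET

ATTRS = ("validationKey", "decryptionKey")

def new_machine_key(validation_bytes=64, decryption_bytes=24):
    """Return a <machineKey> element holding fresh CSPRNG keys as hex."""
    elem = ET.Element("machineKey")
    elem.set("validationKey", secrets.token_hex(validation_bytes).upper())
    elem.set("decryptionKey", secrets.token_hex(decryption_bytes).upper())
    return ET.tostring(elem, encoding="unicode")

def read_machine_key(config_xml):
    """Extract (validationKey, decryptionKey) from a config file, or None."""
    node = ET.fromstring(config_xml).find(".//machineKey")
    if node is None:
        return None
    return tuple(node.get(attr) for attr in ATTRS)

def audit_farm(configs):
    """configs maps node name -> config XML. Returns a sorted list of findings."""
    findings, fixed = [], {}
    for name, xml_text in configs.items():
        keys = read_machine_key(xml_text)
        if keys is None:
            findings.append(f"{name}: no <machineKey>, inherits the parent config")
            continue
        # "AutoGenerate" (optionally ",IsolateApps") means a per-machine key.
        auto = [a for a, v in zip(ATTRS, keys)
                if v is None or v.startswith("AutoGenerate")]
        findings += [f"{name}: {a} is auto-generated per machine" for a in auto]
        if not auto:
            fixed[name] = keys
    if len(set(fixed.values())) > 1:
        findings.append("fixed keys differ between: " + ", ".join(sorted(fixed)))
    return sorted(findings)

# Constructed sample: two nodes share one fixed key pair, one is left at default.
wrap = "<configuration><system.web>{}</system.web></configuration>".format
SHARED = new_machine_key()
FARM = {
    "web01": wrap(SHARED),
    "web02": wrap(SHARED),
    "web03": wrap('<machineKey validationKey="AutoGenerate" '
                  'decryptionKey="AutoGenerate" />'),
}

if __name__ == "__main__":
    print(SHARED)
    print("\n".join(audit_farm(FARM)))
```

Generate the key pair once and copy the same element to every node; running the generator separately on each machine reproduces the mismatch the audit reports.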
  4. Kevin Burton

    Phil Guest

    Phil, Apr 6, 2006
    #4
  5. RE: Web Farm and machineKey

    It is unnecessary to use a 32 bit encryption key with AES - this is not more
    secure than 16 bytes but slower...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > You can use the generator here
    >
    > http://www.developmentnow.com/articles/machinekey_generator.aspx
    >
    > works for ASP.NET 2.0
    >
    > From
    > http://www.developmentnow.com/g/14_2003_10_0_0_81530/Web-Farm-and-machineKey.htm
    >
    > Posted via DevelopmentNow.com Groups
    > http://www.developmentnow.co
     
    Dominick Baier [DevelopMentor], Apr 6, 2006
    #5