Reputation: 23393
Cryptography.ProtectedData CurrentUser with ASP.NET and Forms Authentication
If encryption is used via ProtectedData CurrentUser and I have a site using Forms auth (with a custom membership module, don't think that will make a difference), will it work across several different web servers?
My guess would be that it would if the current user that is used is the User.Identity, 'cause that will be the logged in user, and will be the same on any web server.
The docs didn't seem to say anything about it working with ASP.NET.
Upvotes: 1
Views: 617
Answers (1)
Reputation: 4549
The "current user" will be the user the asp.net application is running as (not the user accessing the site). Typically this is /ASPNET user account however it can be changed. You can verify this with the WindowsIdentity.GetCurrent() function.
Your other option is to use DataProtectionScope.LocalMachine to store it in the machine store instead (acceisslble from any account on the machine). While this may seem less secure member if you are using an unprivileged account (like ASPNET user) than anyone could write an app to run as that user and gain access to that user store.
Upvotes: 0
Related Questions
- FormsAuthentication Decrypt In Asp.Net Core
- System.Web.Security.FormsAuthentication.Encrypt returns null
- FormsAuthenticationTicket Userdata still readable after encryption (asp.net MVC3 with forms Auth.)
- encrypting username in asp.net mvc5 login
- Encrypting form data in MVC C#
- Encryption in asp.net
- ASPX C# Code Security
- Handling User Authentication in .NET?
- FormsAuthentication with custom encryption key
- Authentication ticket ( Forms authentication )