Miyagi Coder

Reputation: 5532

Specifying machine key in the web.config

Are there any security risks when specifying the machine key in the web.config on a web farm?

Upvotes: 0

Views: 1058

Answers (1)

eglasius

Reputation: 36027

If someone gets to read the machine key, that can be an issue. One clear example is that it is used to check that the viewstate hasn't been tampered with. Anyone who has the key can bypass that.

See http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx#, it explains how to encrypt it.

Oh, and worse, forms authentication uses it - see Uses for MachineKey in ASP.NET

That said, it is an understandable issue when there is a key. If someone gets it, that is a problem. If you try to protect it, well, you need another key (even if that is hidden). Also, someone gets it there in the first place.

Upvotes: 3
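
An added example (not part of the answer above, and not Microsoft's code): a Python check that classifies how a web.config stores its machineKey, so plaintext keys on farm nodes can be found and encrypted. ASP.NET protected configuration marks an encrypted section with a `configProtectionProvider` attribute and an `EncryptedData` child; the sample configs, placeholder key values and function names here are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: keys in the clear (placeholder values, not real keys).
PLAINTEXT_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX" />
  </system.web>
</configuration>"""

# Constructed sample: shape of the section after protected configuration encrypts it.
ENCRYPTED_CONFIG = """<configuration>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <CipherData><CipherValue>PLACEHOLDER_CIPHERTEXT</CipherValue></CipherData>
      </EncryptedData>
    </machineKey>
  </system.web>
</configuration>"""

def _local(tag):
    """Strip an XML namespace, so a namespaced <configuration> root still matches."""
    return tag.rsplit("}", 1)[-1]

def audit_machine_key(config_xml):
    """Return 'absent', 'encrypted', 'autogenerate' or 'plaintext'."""
    root = ET.fromstring(config_xml)
    node = next((e for e in root.iter() if _local(e.tag) == "machineKey"), None)
    if node is None:
        return "absent"        # framework defaults apply
    if node.get("configProtectionProvider"):
        return "encrypted"     # key material is inside EncryptedData
    values = [node.get(a, "AutoGenerate") for a in ("validationKey", "decryptionKey")]
    if all(v.startswith("AutoGenerate") for v in values):
        return "autogenerate"  # per-machine keys: farm nodes will not share them
    return "plaintext"         # readable by anyone who can read the file

def files_needing_protection(configs):
    """Given {path: xml_text}, list the paths whose keys sit in the clear."""
    return sorted(path for path, xml in configs.items()
                  if audit_machine_key(xml) == "plaintext")

if __name__ == "__main__":
    print(files_needing_protection({"site-a/web.config": PLAINTEXT_CONFIG,
                                    "site-b/web.config": ENCRYPTED_CONFIG}))
```

On a farm, every node needs the same RSA key container to decrypt an encrypted section, so that container becomes the secret to protect.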
