Web Farm and <machineKey>

 
 
Kevin Burton
      10-30-2003
I have a Web Farm and I understand that in order to keep
ViewState safe I want to modify the <machineKey>.

1) The documentation indicates that EnableViewStateMac
defaults to "false" but I am seeing View State corruption
messages (as a result of HttpException). Can the View
State be detected as corrupt without the MAC validation?

2) I see some examples of some keys that I can use for
validation and encryption. Is there a utility that I can
use to generate a key? Yes, I understand that the same key
has to be on each member of the Web farm. I would just
like to generate my own key.

3) Is the default to encrypt and hash or just hash or none?

Thank you.

Kevin
Teemu Keiski
      11-03-2003
Hi,

1. Docs are incorrect here. enableViewStateMac="true" is the default.

2. http://www.eggheadcafe.com/articles/20030514.asp

3. By default both validationKey and decryptionKey are autogenerated which
means both techniques are applied as well.

You could also take a peek at docs about <machineKey> though the article at
answer 2) covers those also.
http://msdn.microsoft.com/library/de...keysection.asp

--
Teemu Keiski
MCP, Microsoft MVP (ASP.NET), AspInsiders member
ASP.NET Forum Moderator, AspAlliance Columnist

"Kevin Burton" <(E-Mail Removed)> wrote in message
news:033901c39f32$08cf2440$(E-Mail Removed)...
> I have a Web Farm and I understand that in order to keep
> ViewState safe I want to modify the <machineKey>.
>
> 1) The documentation indicates that EnableViewStateMac
> defaults to "false" but I am seeing View State corruption
> messages (as a result of HttpException). Can the View
> State be detected as corrupt without the MAC validation?
>
> 2) I see some examples of some keys that I can use for
> validation and encryption. Is there a utility that I can
> use to generate a key? Yes, I understand that the same key
> has to be on each member of the Web farm. I would just
> like to generate my own key.
>
> 3) Is the default to encrypt and hash or just hash or none?
>
> Thank you.
>
> Kevin
> (E-Mail Removed)
>



 
Imtiaz Hussain
      11-03-2003
The purpose of the View State MAC feature is to make it impossible for
clients to send a request containing malicious View State. This feature is
enabled by default, via the enableViewStateMac="true" flag in your
machine.config. The simplest way to determine whether the issue you are
dealing with is related to the MAC is to turn off the feature, by setting
enableViewStateMac="false". If you no longer get View State errors, then
the problem is MAC related.

The viewstate error can be caused by an underlying exception not being
handled properly.

One of the prominent causes of this error in a web farm environment is the
fact that the validation key is left as AutoGenerate.
In a Web Farm, each client request can go to a different machine on every
postback. Because of this, you cannot leave the validationKey set to
'AutoGenerate' in machine.config. Instead, you must set it to a fixed
string that is shared among all the machines on the Web Farm.


The following article tells you how to create the keys.
313091 HOW TO: Create Keys by Using Visual Basic .NET for Use in Forms
http://support.microsoft.com/?id=313091

Hope this helps.
Imtiaz Hussain.
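
The web-farm condition described above, as an added example that is not part of the original post or of any Microsoft tool: it builds one explicit `<machineKey>` element from the OS CSPRNG and audits each node's config for auto-generated, malformed or mismatched keys. The node names, function names, sample configs and the 64-byte/24-byte key sizes are assumptions made for illustration.

```python
import secrets
import string
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")
AUTO = '<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate"/>'

def generate_machine_key(validation_bytes=64, decryption_bytes=24):
    """Build one <machineKey> element with explicit hex keys from the OS CSPRNG."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" validation="SHA1"/>'
            % (secrets.token_hex(validation_bytes).upper(),
               secrets.token_hex(decryption_bytes).upper()))

def read_machine_key(config_xml):
    """Return the key attributes of the first <machineKey>, or None if absent."""
    node = ET.fromstring(config_xml).find(".//machineKey")
    return None if node is None else {a: node.get(a, "") for a in KEY_ATTRS}

def audit_farm(configs):
    """configs maps node name -> config XML text. Returns sorted findings.
    Findings name nodes only; key material is never echoed."""
    findings, seen = [], {}
    for name, xml_text in configs.items():
        keys = read_machine_key(xml_text)
        if keys is None:
            findings.append(f"{name}: no <machineKey>, inherited setting applies")
            continue
        for attr in KEY_ATTRS:
            value = keys[attr]
            if value.lower().startswith("autogenerate"):
                findings.append(f"{name}: {attr} is auto-generated per machine")
            elif not value or len(value) % 2 or set(value) - set(string.hexdigits):
                findings.append(f"{name}: {attr} is not a valid hex string")
            else:
                seen.setdefault(attr, {}).setdefault(value.upper(), []).append(name)
    for attr, by_value in seen.items():
        if len(by_value) > 1:  # more than one distinct key in use across the farm
            groups = sorted(",".join(sorted(n)) for n in by_value.values())
            findings.append(f"{attr} differs between nodes: {' | '.join(groups)}")
    return sorted(findings)

def wrap(machine_key):
    return f"<configuration><system.web>{machine_key}</system.web></configuration>"

SHARED = generate_machine_key()
# Constructed sample: two nodes share the explicit key, one is left on AutoGenerate.
SAMPLE_FARM = {"web01": wrap(SHARED), "web02": wrap(SHARED), "web03": wrap(AUTO)}
```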

 
Phil
      04-06-2006
You can use the generator here

http://www.developmentnow.com/articl...generator.aspx

works for ASP.NET 2.0

Dominick Baier [DevelopMentor]
      04-06-2006
It is unnecessary to use a 32 bit encryption key with AES - this is not more
secure than 16 bytes but slower...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> You can use the generator here
>
> http://www.developmentnow.com/articl...generator.aspx
>
> works for ASP.NET 2.0



 