4

MSDN : machineKey

Configures algorithms and keys to use for encryption, decryption, and validation of forms-authentication data and view-state data, and for out-of-process session state identification

Specifically, which methods in FormsAuthentication make use of validationKey and encryptionKey values?

Tom Hofman
kenwarner

1 Answer

4

The methods in FormsAuthentication that use validationKey and encryptionKey are the FormsAuthentication.Encrypt and FormsAuthentication.Decrypt methods.

Community
Icarus
  • Thanks. Are those the only methods that make direct use of those two configuration settings? – kenwarner Dec 07 '11 at 15:41
  • @qntmred: I call `Encrypt` directly before setting the cookie, which I guess I do because `SetCookie` does not encrypt automatically. But perhaps I am doing it unnecessarily if `SetCookie` already does it behind the scenes. I suggest you try calling `SetCookie` without calling `Encrypt` explicitly and check whether the cookie created is encrypted or not. That's an easy enough test. – Icarus Dec 07 '11 at 15:53
  • @qntmred: I just checked the implementation of the `FormsAuthentication` class using ILSpy and `SetCookie` does not `Encrypt` automatically; however, `GetAuthCookie` does call `Encrypt`. You should download ILSpy and do the same as I did. It will clarify all your doubts. http://wiki.sharpdevelop.net/ILSpy.ashx – Icarus Dec 07 '11 at 16:15
  • I had used JustDecompile to look around System.Web.dll, but unless I missed it, there's no feature to find ALL references to `MachineKey.ValidationKey` and you have to find them manually, which means it's likely I missed somewhere it would be used – kenwarner Dec 07 '11 at 16:31
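
The manual search described in the last comment can be automated by scanning the IL of System.Web.dll for every instruction that references a member of the machineKey configuration section. This is an added example, not code from the thread or from Microsoft; it assumes the Mono.Cecil NuGet package, a path to System.Web.dll passed on the command line, and that the settings are read through `System.Web.Configuration.MachineKeySection`.

```csharp
// Added example, not from the original thread. Assumes the Mono.Cecil NuGet package.
using System;
using System.Linq;
using Mono.Cecil;

static class MachineKeyReferenceScan
{
    // Assumption: the machineKey settings are exposed by this public type in System.Web.dll.
    const string Target = "System.Web.Configuration.MachineKeySection";

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: scan <path-to-System.Web.dll> [caller-type-filter]");
            return 1;
        }
        // Optional substring filter on the calling type, e.g. "FormsAuthentication".
        string filter = args.Length > 1 ? args[1] : null;

        using (var asm = AssemblyDefinition.ReadAssembly(args[0]))
        {
            var hits =
                from type in asm.MainModule.GetTypes()            // includes nested types
                where type.FullName != Target                     // skip the section's own code
                where filter == null || type.FullName.Contains(filter)
                from method in type.Methods
                where method.HasBody                              // abstract/extern methods have no IL
                from ins in method.Body.Instructions
                let member = ins.Operand as MemberReference       // operand of call, ldfld, ldsfld, ...
                where member?.DeclaringType?.FullName == Target
                select $"{type.FullName}::{method.Name} -> {member.Name}";

            // One line per (caller, referenced member) pair, sorted for diffing between versions.
            foreach (var line in hits.Distinct().OrderBy(s => s))
                Console.WriteLine(line);
        }
        return 0;
    }
}
```

The scan reports direct references only: a method that reaches the keys through an intermediate helper appears under that helper's name, so follow the listed callers one level further when auditing a specific API such as `FormsAuthentication`.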