Are there any security risks when specifying the machine key in the web.config on a web farm?
If someone gets to read the machine key, that can be an issue. One clear example is that it is used to check that the ViewState hasn't been tampered with. Anyone who has the key can bypass that.
See http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx; it explains how to encrypt it.
Oh, and worse, forms authentication uses it too – see Uses for MachineKey in ASP.NET
That said, it is an understandable issue whenever there is a key. If someone gets it, that is a problem. If you try to protect it, well, you need another key (even if that one is hidden). Also, someone has to get it there in the first place.
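The answer above says that whoever holds the key can bypass the ViewState tamper check. The following script, added here as an illustration and not taken from the question, the answer, or ASP.NET itself, models that check with a generic HMAC-SHA256 over a payload. It is a simplified stand-in, not the real ViewState encoding or the exact algorithm ASP.NET applies; the key bytes and payloads are constructed for the example so it runs offline. It shows three things a practitioner cares about: a blind modification without the key is rejected, a holder of the leaked key can mint a valid blob for any payload, and a blob signed under one key fails under a different key, which is why every server in a farm must share the same explicit key.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed example key: a stand-in for a web.config validationKey.
# Real deployments must generate this randomly; this fixed value exists only so the
# script is reproducible offline.
MACHINE_KEY = bytes.fromhex("0123456789ABCDEF" * 8)   # 64 bytes, like a 512-bit validationKey

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign(payload: bytes, key: bytes = MACHINE_KEY) -> str:
    """Return base64(payload || HMAC-SHA256(key, payload)), a ViewState-style MAC'd blob.

    This is the server's normal path: it emits the blob into the page and trusts
    only blobs whose MAC it can reproduce with the same key.
    """
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify(blob: str, key: bytes = MACHINE_KEY) -> Optional[bytes]:
    """Return the payload if the MAC checks out under `key`, otherwise None.

    None corresponds to ASP.NET's ViewState MAC validation failure.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) < MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the MAC byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def tamper_without_key(blob: str) -> str:
    """Attacker who does NOT know the key: flip one payload byte and resubmit.

    verify() must reject the result, because the stored MAC no longer matches.
    """
    raw = bytearray(base64.b64decode(blob))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


def forge_with_key(new_payload: bytes, leaked_key: bytes) -> str:
    """Attacker who DID read the key (e.g. from an exposed web.config).

    They can produce a blob for any payload that the server will accept as genuine.
    """
    return sign(new_payload, leaked_key)


if __name__ == "__main__":
    # Constructed payloads for the demonstration.
    genuine = sign(b"role=user")
    print("genuine verifies:      ", verify(genuine))
    print("blind tamper verifies: ", verify(tamper_without_key(genuine)))
    forged = forge_with_key(b"role=admin", MACHINE_KEY)
    print("forged with key:       ", verify(forged))
    # A second farm node with a different (auto-generated) key rejects the genuine blob,
    # which is exactly the failure an explicit shared machineKey is there to prevent.
    other_node_key = bytes(64)
    print("other key verifies:    ", verify(genuine, other_node_key))
```

The last check is the web-farm angle of the question: nodes that do not share one key cannot validate each other's ViewState or forms-authentication tickets, so the key has to be explicit and identical everywhere, and from that point it is a shared secret whose exposure gives an attacker exactly the forgery shown in `forge_with_key`. The MSDN page linked in the answer covers protecting it with the `aspnet_regiis -pe "system.web/machineKey"` section-encryption step, which only moves the trust to the DPAPI or RSA key the encryption uses, as the answer notes.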