Istead of using FormsAuthentication.Encrypt / FormsAuthentication.Decrypt, is it possible to use an existing RSA container in the machine key store to do the encryption/decryption of the ticket.
The reason is that the ASP.Net application I’m developing is meant to be used in multiple load balanced servers. Hence I need to copy the machine key onto all web.config files in all the machines. Since we are already using Asymmetric Encryption (RSA) for another purpose, we have automated installing a common RSA key container in all the servers via a bat file and key container xml. Since this mechanism is in place I want to use the same RSA key container to encrypt/decrypt the forms auth ticket too.
- Is this possible? If so how do I override the existing behaviour to achieve this.
- If its possible then do you see any disadvantages of using RSA instead of the standard encryption?
Yes, but it would require some work.
You will need to override/replace the standard authentication module that ships with .NET and replicate all the existing functionality with the exception of calls to the RSA Encrypt/Decrypt methods you want to use instead.
See http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.encrypt.aspx
You will also need to edit all the standard builtin login pages if you are using those.
As a template, inspect the source for the FormsAuthenticationTicket and you will see how the string is constructed that contains parameters such as UserID, Expiry Date etc, and then pass that string into the Encrypt method, which in turn is then used as the cookie value.
Your new auth module will then have to reverse that encryption and validate the user as before.
It’s a fair amount of work for relatively little gain, depends on how badly you want to use RSA over the standard encryption methods used (they already offer some powerful encruyption methods right out the box see http://www.sourcetree.net/sourcetree/Development/Aspnet%20Examples/GenerateMachineKeyForWebConfig.aspx)