1. 技术文章
  2. MVC AntiForgeryToken machinekey for encryption

MVC AntiForgeryToken machinekey for encryption

て烟熏妆下的殇ゞ 提交于 2019-12-20 01:09:39

问题


i came to know : Under the covers, the MVC AntiForgeryToken attribute uses the machinekey for encryption. If you don't specify a machinekey in the web.config , one is automatically generated for you by ASP.NET.

If the ASP.NET application is restarted (e.g. do an iisreset), the AntiForgeryToken within the browser cookie will still be encrypted with an old machine key, hence why it crashes with the above error.

My concern is

before write the machine key in web.config i like to know where i should look for the machine key to copy & paste in web.config. when we are testing in local pc then we can copy & paste the machine key in web.config but when we will host our site in godady or ORCSWEB in shared environment then those company may not give machine key of the pc where our site will be hosted. so i need to know how to handle this situation. thanks

EDIT

<configuration>
    <system.web>
        <machineKey  
            validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"           
            decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
            validation="SHA1"
            decryption="AES"
        />

how to get or generate validationKey & decryptionKey separately ? any idea?


回答1:


If the ASP.NET application is restarted (e.g. do an iisreset), the AntiForgeryToken within the browser cookie will still be encrypted with an old machine key???

I don't think machine key changes with iisreset.

You can generate machine key (validation and decryption key) yourself and specify it in web.config. The same key will be used in all cases where encryption is performed e.g. Auth tickets, AF Token.

A good introduction link.

UPDATE:

How to generate machine key?

There are various way, this msdn blog suggest using IIS which looks more secure to me as Microsoft tool being used. However, it seems this feature is only supported until IIS 7. I don't find it on my box IIS 8.5. I checked on IIS 7.5 and its not present there either. However, I found it in IIS 6.1 on a coworker box.

Second option is to use custom key generators

a. Machine Key Generator (online)

b. ASP.NET machineKey Generator (tool you can modify)



来源:https://stackoverflow.com/questions/25260435/mvc-antiforgerytoken-machinekey-for-encryption

标签
asp.net-mvc
antiforgerytoken
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!