February 27, 2011

What is Machine Key in Web.Config

The <machineKey> attribute is used in web.config settings when encrypting and decrypting the data for the webapplication in ASP.NET. It is used to set Encryption algorithm for validation in general. Machine Key attribute can be used to set

1. Encryption of View State

2. Encryption for Forms authentication cookie data

In order to make view state tamper proof we use EnableViewStateMac = true .  This can be applied at page level too. MAC stands for Message Authentication Code. By setting this property to true Viewstate is encrypted in a cipher format .

If we encrypt Viewstate we must speicify validation and encryption method in machine key attribute of the web.config  as below.


<pages buffer ="true" enableViewStateMac ="true" />
<machineKey validationKey="autogenerate | value" decryptionKey="autogenerate | value"
validation ="SHA1 | MD5 | 3DES" />
<httpRuntime maxRequestLength ="2048" />

So the application takes encryption validation method that is specified and validation key settings for the decryption.

For forms authentication ticket encryption, the <machineKey>  can be set as shown below.

  decryption="Auto" />

Why do we need to encrypt and decrypt the viewstate?

View State is not secured. It is good design practice to encrypt the View State and store due to security reasons. By default ASP.NET uses SHA1 algorithm to encrypt View State.When working with sensitive data, it is best practice to utilize encryption.

How to do it at Page Level or control Level?

ViewStateEncryptionMode is the attribute that is used for encrypting viewstate. It can be applied at page level or web.config level for the application. Below is the code how we use viewstateencryption mode attribute



<pages  ViewStateEncryptionMode="Always" />

</system.web> </configuration>

ViewStateEncryptionMode attribute has 3 properties as

  • Auto (deafult),
  • None( No Encryption for the control’s View State)
  • Always

If the mode is “Always” ASP.NET does not wait for a control in the page to request encryption. View State is always encrypted.

If the mode is “Auto” ASP.NET will encrypt the View State for a page if any control on the page requests it only. This is the default value.

If the mode is “None”, encryption is never done for View State  even though it is applied and controls on the page requested it.

No comments: