The <machineKey> element is used in web.config when encrypting and decrypting data for a web application in ASP.NET. In general it sets the keys and the algorithms used for validation and encryption. The machineKey element can be used to set
1. Encryption of View State
2. Encryption for Forms authentication cookie data
In order to make view state tamper proof we set EnableViewStateMac="true". This can be applied at page level too. MAC stands for Message Authentication Code. By setting this property to true, view state is encrypted in a cipher format.
If we encrypt view state we must specify the validation and encryption method in the machineKey element of web.config, as below.
<pages buffer="true" enableViewStateMac="true" />
<machineKey validationKey="autogenerate | value" decryptionKey="autogenerate | value"
            validation="SHA1 | MD5 | 3DES" />
<httpRuntime maxRequestLength="2048" />
The application then uses the validation method that is specified, together with the validation and decryption key settings, when it validates and decrypts the data.
For forms authentication ticket encryption, the <machineKey> can be set as shown below.
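The following web.config fragment is an added example (not part of the original page) that ties the two settings above together: an explicit machineKey, MAC and encryption for view state, and an encrypted and validated forms authentication ticket. Two points a practitioner should keep in mind: the validation attribute selects the hash used for the MAC (tamper detection), while the decryption attribute selects the cipher used for confidentiality, so they are separate choices; and "autogenerate" only works on a single server, because every server in a web farm must share the same keys to validate each other's view state and tickets. The key values are placeholders, not real keys; generate your own and keep them out of source control.

```xml
<configuration>
  <system.web>
    <!-- Explicit keys: required on a web farm, recommended everywhere.
         Placeholder values only: validationKey is 64 bytes (128 hex chars) for HMACSHA256,
         decryptionKey is 32 bytes (64 hex chars) for AES-256. Never commit real keys. -->
    <machineKey validationKey="PLACEHOLDER_128_HEX_CHARS_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_64_HEX_CHARS_DECRYPTION_KEY"
                validation="HMACSHA256"
                decryption="AES" />

    <!-- enableViewStateMac detects tampering; viewStateEncryptionMode hides the contents -->
    <pages buffer="true" enableViewStateMac="true" viewStateEncryptionMode="Always" />

    <!-- protection="All" both encrypts and MACs the forms authentication ticket;
         requireSSL keeps the cookie off plain-HTTP connections (assumed login page name) -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" requireSSL="true" timeout="30" />
    </authentication>

    <httpRuntime maxRequestLength="2048" />
  </system.web>
</configuration>
```

To check that the setting took effect, view the rendered HTML of a page: when view state is encrypted ASP.NET emits an extra hidden field named __VIEWSTATEENCRYPTED alongside __VIEWSTATE, and the __VIEWSTATE value no longer base64-decodes to readable control data.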
Why do we need to encrypt and decrypt the view state?
View state is not secure by default. It is good design practice to encrypt view state before storing it, for security reasons. By default ASP.NET uses the SHA1 algorithm to encrypt view state. When working with sensitive data, it is best practice to use encryption.
How to do it at page level or control level?
ViewStateEncryptionMode is the attribute that controls view state encryption. It can be applied at page level, or in web.config for the whole application. Below is how the ViewStateEncryptionMode attribute is used in web.config (the attribute name is case sensitive there):
<pages viewStateEncryptionMode="Always" />
The ViewStateEncryptionMode attribute has three possible values:
- Always (view state is always encrypted)
- Auto (default)
- None (no encryption for the control's view state)
If the mode is "Always", ASP.NET does not wait for a control on the page to request encryption; view state is always encrypted.
If the mode is "Auto", ASP.NET encrypts the view state for a page only if a control on the page requests it. This is the default value.
If the mode is "None", view state is never encrypted, even if controls on the page request it.
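The page below is an added example, not code from the original page, showing the page-level and control-level forms of the setting that the text describes. The @ Page directive sets the mode for this page only (here "Auto", the default, spelled out explicitly), and the call to Page.RegisterRequiresViewStateEncryption() is how code on the page or in a control requests encryption. With "Auto" that request turns encryption on; with "Always" it is redundant; with "None" it is ignored, which is why "None" should not be combined with controls that store sensitive data in view state. The label and its text are a constructed placeholder.

```aspx
<%@ Page Language="C#" EnableViewStateMac="true" ViewStateEncryptionMode="Auto" %>
<script runat="server">
    protected void Page_Init(object sender, EventArgs e)
    {
        // Control-level request for encryption. Under mode Auto this is what
        // triggers encryption of the page's view state; under Always it is
        // unnecessary; under None it has no effect.
        // Must be called before PreRender, otherwise ASP.NET throws
        // InvalidOperationException.
        Page.RegisterRequiresViewStateEncryption();
    }
</script>
<html>
<body>
    <form id="form1" runat="server">
        <!-- constructed sample control; its Text ends up in view state -->
        <asp:Label ID="lblAccount" runat="server" Text="sample account data" />
    </form>
</body>
</html>
```

A page-level directive overrides the application-wide value from web.config, so when reviewing an application check each .aspx that handles sensitive data for a directive that weakens the global setting (for example ViewStateEncryptionMode="None" or EnableViewStateMac="false").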