Get Help:Ask a Question in our Forums|Report a Bug|More Help Resources
Last post Nov 21, 2012 10:39 AM by RameshRajendran
Nov 20, 2012 04:55 AM|LINK
I am storing user's emailid which works like primary key in Cookie. But I am encrypting it using machine Key:
<machineKey validationKey="02563BE791F7F0D2026A4BEC62A6F4062041796B48FB8105E28555E82834848D3C6D556C7B692AC71BB8F71FAACD6CE2E2435AC5D580645FEBEAEF6ABB6A34AB" decryptionKey="2509D534AB99251AB2E2FB01E67AC9CC11A476993D46AF67585206BEEF2930A6" validation="SHA1"
I want to Know that is it insecure to store email in cookie using this machine key ?
Nov 20, 2012 05:16 AM|LINK
Nov 20, 2012 05:22 AM|LINK
I am using Session but it keeps on expiring before the time so user logs out after it. This is why i am using cookie. Does the machine key encrypt my cookie ?
Nov 20, 2012 05:35 AM|LINK
By default yes, unless you configure your app to do otherwise. The default implementations will leverage the machinekey api. You can also manually call on the machinekey api and do it yourself (as I assumed you were doing from your original post). The machine
key will also be used for encrypting viewstate, etc.
Nov 20, 2012 05:43 AM|LINK
Like i am using machine key now and is it secure now ?
Nov 20, 2012 06:04 AM|LINK
Yes machine key is a very secure api, especially the .net 4.5 version :) although YOUR machinekey might not be secure having posted it's value in a public forum lol. I'd suggest changing it for safety sake. But yes, machine key api is definitely secure.
I still wouldn't suggest storing any sensitive information in a cookie though, just in case.
Nov 21, 2012 08:18 AM|LINK
You can increase the timeout of the session in the web.config. It will make you independent of thinking about cookies
<sessionState mode="InProc" cookieless="false" timeout="80" />
Nov 21, 2012 10:39 AM|LINK