Last post Apr 03, 2015 02:35 PM by sudip_inn
Mar 29, 2015 04:07 AM|sudip_inn|LINK
I heard that the forms auth cookie is digitally signed, so I would like to know in detail what "digitally signed cookie" means. What technique does ASP.NET use to digitally sign a cookie?
Suppose I want to digitally sign my own cookie; what are the steps I need to follow?
Where is the salt keyword stored which the ASP.NET engine uses to encrypt the forms auth cookie?
Can we change that salt keyword?
Please see the code below for forms auth cookie generation:
// constructed placeholder values; the original post cut the constructor off after the version argument
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, "example-user", DateTime.Now,
    DateTime.Now.AddMinutes(30), false, string.Empty);
// encrypt (and MAC) the ticket
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// add cookie to response stream
System.Web.HttpCookie authCookie = new System.Web.HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authCookie.Expires = authTicket.Expiration;
Response.Cookies.Add(authCookie);
I heard that the user name is stored in the forms auth cookie as a hash value, but if you look at the code above you can see that the whole auth ticket is encrypted and stored in the cookie.
Where is the hash generated?
Mar 29, 2015 04:45 AM|vikasrulez|LINK
FormsAuthentication uses the Rijndael algorithm with the machine key as the salt keyword for encryption. You can add your own machine key in the web.config file inside the <system.web> tag.
You can generate a machine key in IIS Manager:
Mar 29, 2015 04:57 AM|sudip_inn|LINK
What is the meaning of a digitally signed cookie? I need to understand digital signing in detail.
Mar 29, 2015 05:38 AM|vikasrulez|LINK
Mar 30, 2015 04:03 AM|sudip_inn|LINK
I need to know the concept of digital signing in detail. Thanks.
Apr 02, 2015 03:19 PM|vikasrulez|LINK
A digitally signed cookie is only a reference to secured cookies. A cookie normally contains data in flat string format which can be accessed/modified in any browser by anyone. A digitally signed cookie is encrypted with the help of a salt keyword to secure the information. The links I provided above describe the same.
The concept is basically to encrypt the string data of the cookie before adding it to the response cookie container or browser. AES is the strongest encryption available publicly that works with a salt keyword. To make it stronger, multiple rounds of encryption are recommended, each with a unique salt keyword.
Apr 03, 2015 02:35 PM|sudip_inn|LINK
You are trying to say digitally signed means encrypted data. If that is so, then people could say "encrypted cookie"; why do they use the words "digitally signed"?
I guess digitally signed means some extra security on top.