It’s slightly less secure, but there are cases when you want to set the machine key: if the login cookie is shared between sites, you want tokens to survive restarts, you are using a web farm, etc.
None
0 Points
11 Posts
Machine Key
Sep 12, 2019 12:53 PM|samirkarim|LINK
Hello,
I have a Web application, and I use IIS, and I have a problem.
When the application restarts, a Machine Key is automatically generated, and when I access the website and log in, I get an error:
The anti-forgery cookie token and form field token do not match
But if I fix the Machine Key in IIS (Generate Keys button), I don't have this error.
I want to know if it's a mistake if I fix the Machine Key!
Thank you
All-Star
58194 Points
15658 Posts
Re: Machine Key
Sep 12, 2019 02:09 PM|bruce (sqlwork.com)|LINK
None
0 Points
11 Posts
Re: Machine Key
Sep 12, 2019 02:57 PM|samirkarim|LINK
Sorry, can you explain to me? I did not understand well.
Contributor
5961 Points
2466 Posts
Re: Machine Key
Sep 12, 2019 05:26 PM|KathyW|LINK
You want a fixed machine key if you want the cookie match to survive restarts, and also if you are using a web farm.
It's not a mistake.
All-Star
40565 Points
6233 Posts
Microsoft
Re: Machine Key
Sep 13, 2019 04:47 AM|Fei Han - MSFT|LINK
Hi samirkarim,
By default the validationKey and the decryptionKey keys are set to AutoGenerate which means the runtime will generate a random key for use. This would work fine for applications that are deployed on a single server.
If you use web farms that have different Machine Keys, the cookies created on one machine won't be usable on the other. Hence you will have to hardcode the validationKey and the decryptionKey on all your servers in the farm with a manually generated key.
With Regards,
Fei Han
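An added example, not part of the thread or of any poster's code: a small audit that reads the `machineKey` element from each farm node's web.config and reports nodes left on AutoGenerate or holding different fixed keys, which are the two conditions the answers above describe. The node names, the dummy keys and the function names are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed dummy keys (128 and 64 hex characters); never reuse them.
VKEY_A, DKEY_A = "0123456789ABCDEF" * 8, "0123456789ABCDEF" * 4
VKEY_B, DKEY_B = "FEDCBA9876543210" * 8, "FEDCBA9876543210" * 4
TEMPLATE = ('<configuration><system.web><machineKey validationKey="{v}" '
            'decryptionKey="{d}" validation="HMACSHA256" decryption="AES" />'
            '</system.web></configuration>')
# Constructed web.config contents for three hypothetical farm nodes.
SAMPLE_FARM = {
    "web01": TEMPLATE.format(v=VKEY_A, d=DKEY_A),
    "web02": TEMPLATE.format(v=VKEY_B, d=DKEY_B),
    "web03": "<configuration><system.web /></configuration>",  # no machineKey
}

def machine_key_state(web_config_xml):
    """Return (is_auto_generated, fingerprint) for one web.config document."""
    element = next(ET.fromstring(web_config_xml).iter("machineKey"), None)
    attrs = element.attrib if element is not None else {}
    # A missing element or attribute falls back to the AutoGenerate default.
    keys = [attrs.get(name, "AutoGenerate") for name in ("validationKey", "decryptionKey")]
    if any(key.lower().startswith("autogenerate") for key in keys):
        return True, None
    material = "|".join(key.upper() for key in keys)
    material += "|" + attrs.get("validation", "") + "|" + attrs.get("decryption", "")
    # Compare nodes by digest so the report never prints the keys themselves.
    return False, hashlib.sha256(material.encode()).hexdigest()[:12]

def audit_farm(configs):
    """Return findings for nodes whose cookies or tokens would not interoperate."""
    findings, groups = [], {}
    for node in sorted(configs):
        auto, fingerprint = machine_key_state(configs[node])
        if auto:
            findings.append(f"{node}: AutoGenerate, runtime picks its own random key")
        else:
            groups.setdefault(fingerprint, []).append(node)
    if len(groups) > 1:
        detail = "; ".join(f"{fp}: {', '.join(nodes)}" for fp, nodes in sorted(groups.items()))
        findings.append(f"fixed machine keys differ between nodes ({detail})")
    return findings

if __name__ == "__main__":
    for finding in audit_farm(SAMPLE_FARM):
        print(finding)
```

An empty result means every node carries the same fixed key and algorithm settings.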