0

Are there any security risks when specifying the machine key in the web.config on a web farm?

1 Answer

3

If someone gets to read the machine key that can be an issue. One clear example is that it is used to check that the viewstate hasn't been tampered with. Anyone who has the key can bypass that.

See http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx#, it explains how to encrypt it.

Oh, and worse, the forms authentication uses it - see Uses for MachineKey in ASP.NET

That said, it is an understandable issue when there is a key. If someone gets it, that is a problem. If you try to protect it, well, you need another key (even if that is hidden). Also, someone gets it there in the first place.
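A defender-side check for the risk described in the answer, as an added example that is not part of the original answer: it classifies the `<machineKey>` element of a web.config as cleartext, protected-configuration encrypted, auto-generated, or absent. The sample configs and key values are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; all key values are placeholders, not real keys.
PLAINTEXT = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY" validation="SHA1" />
</system.web></configuration>"""
ENCRYPTED = """<configuration><system.web>
  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </machineKey>
</system.web></configuration>"""
AUTOGEN = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""
NO_KEY = "<configuration><system.web /></configuration>"

def _local(tag):
    # Drop any "{namespace}" prefix ElementTree puts on a tag name.
    return tag.rsplit("}", 1)[-1]

def machine_key_status(config_xml):
    """Return 'absent', 'encrypted', 'autogenerate' or 'plaintext'."""
    root = ET.fromstring(config_xml)
    found = set()
    for mk in (e for e in root.iter() if _local(e.tag) == "machineKey"):
        # Protected configuration replaces the attributes with EncryptedData.
        if "configProtectionProvider" in mk.attrib or any(
                _local(child.tag) == "EncryptedData" for child in mk):
            found.add("encrypted")
            continue
        # A missing attribute means the AutoGenerate default applies.
        values = [mk.attrib.get(name, "AutoGenerate")
                  for name in ("validationKey", "decryptionKey")]
        explicit = any(not v.strip().lower().startswith("autogenerate")
                       for v in values)
        found.add("plaintext" if explicit else "autogenerate")
    # Report the most exposed state if several elements exist (e.g. <location>).
    for status in ("plaintext", "autogenerate", "encrypted"):
        if status in found:
            return status
    return "absent"

if __name__ == "__main__":
    for name in ("PLAINTEXT", "ENCRYPTED", "AUTOGEN", "NO_KEY"):
        print(name, "->", machine_key_status(globals()[name]))
```

A `plaintext` result is the case the answer warns about: anyone who can read the file holds the key that validates view state and forms authentication tickets.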
