Looking here: https://msdn.microsoft.com/en-us/library/dtkwfdky.aspx

They encrypt the machineKey in the web.config as well as the ConnectionStrings.

Is this because, when using a custom machineKey per site, it will use the machine key to encrypt the connection string? Or is the machine key just used for view state encryption, and therefore it's prudent to encrypt it to help protect the application?
MachineKey is used only to encrypt/decrypt/validate ASP.NET cookies and anti-forgery tokens, and it handles mostly user-data-related security. MachineKey has nothing to do with decrypting configuration values. ASP.NET will not use MachineKey to decrypt the connection string.

In fact, MachineKey is as sensitive as the connection string, because after obtaining it, someone can easily create an authenticated cookie which will allow them to log in as any user. That's why it should be encrypted.

You have to encrypt MachineKey by yourself.
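As an added illustration of the "encrypt it yourself" step (this is not code from the question, the answer, or the linked MSDN walkthrough): a PowerShell script that uses the .NET Framework's own aspnet_regiis.exe to protect both sections and then checks that the plaintext is gone. The application path, the Framework version folder and the choice of provider are assumptions.

```powershell
# Added example: encrypt <machineKey> and <connectionStrings> in a web.config
# with Protected Configuration, then verify no clear-text key material remains.
# Assumptions (placeholders): .NET Framework 4.x installed, the site runs on
# this one server, and its web.config lives under $AppPath.

$AppPath  = 'C:\inetpub\wwwroot\MyApp'   # placeholder path to the web app root
$RegIIS   = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
# DPAPI, machine-scoped: any process on this host can decrypt, so it is only
# suitable for a single server. Use RsaProtectedConfigurationProvider with an
# exported key container when the same web.config is deployed to a web farm.
$Provider = 'DataProtectionConfigurationProvider'
$Sections = @('system.web/machineKey', 'connectionStrings')

foreach ($section in $Sections) {
    # -pef encrypts a section of the web.config found at a physical path;
    # -prov selects the protected-configuration provider.
    & $RegIIS -pef $section $AppPath -prov $Provider
    if ($LASTEXITCODE -ne 0) { throw "Encrypting '$section' failed (exit $LASTEXITCODE)" }
}

$configFile = Join-Path $AppPath 'web.config'
[xml]$cfg = Get-Content $configFile

# A protected section carries a configProtectionProvider attribute and an
# <EncryptedData> child; validationKey/decryptionKey and connectionString
# attributes must no longer be present in the file.
$mk = $cfg.configuration.'system.web'.machineKey
$cs = $cfg.configuration.connectionStrings
if ($mk.configProtectionProvider -ne $Provider -or -not $mk.EncryptedData) {
    throw 'machineKey section is still in clear text'
}
if ($cs.configProtectionProvider -ne $Provider -or -not $cs.EncryptedData) {
    throw 'connectionStrings section is still in clear text'
}

$raw = Get-Content $configFile -Raw
if ($raw -match 'validationKey=|decryptionKey=|connectionString=') {
    throw 'plaintext secret attributes found in web.config'
}
"Both sections are encrypted with $Provider. Reverse with: aspnet_regiis -pdf <section> $AppPath"
```

ASP.NET decrypts the sections transparently at runtime under the application pool identity, so no code change is needed in the site itself.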