Robert Millman #1
Encryption of Authentication Ticket
I have a question regarding the encryption of an Authentication Ticket under FormsAuthentication. Can anyone tell me what type of encryption is used and what key(s) is it based on? I simply want to know that the encryption is specific to the machine and possibly the ASP.NET application and cannot be decrypted by someone who has access to the .NET framework and can put the ticket through the FormsAuthentication.Decrypt method.
Thanks
Robert Millman
Robert Millman Guest
-
Hernan de Lahitte #2
Re: Encryption of Authentication Ticket
Forms Auth encrypts the ticket with 3DES by default and uses a randomly
generated key stored in the LSA. If you wish, you can specify a base 64
encoded key in the <machineKey> element of the machine.config file or your
web.config file (see the decryptionKey attribute). In fact, the encryption key
is hashed with some extra timestamped entropy values in order to get
increased security against replay attacks and the like. You can find more
info about <machineKey> in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfmachinekeysection.asp.
You also have good tips in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh19.asp
--
Hernan de Lahitte
Lagash Systems S.A.
http://www.lagash.com
"Robert Millman" <RMillman@AllscriptsOL.com> wrote in message
news:A9E7E207-2174-491A-8293-E3474475C0F8@microsoft.com...
> I have a question regarding the encryption of an Authentication Ticket
> under FormsAuthentication. Can anyone tell me what type of encryption is
> used and what key(s) is it based on? I simply want to know that the
> encryption is specific to the machine and possibly the ASP.NET application
> and cannot be decrypted by someone who has access to the .NET framework and
> can put the ticket through the FormsAuthentication.Decrypt method.
>
> Thanks
>
> Robert Millman
Hernan de Lahitte Guest
-
Robert Millman #3
Re: Encryption of Authentication Ticket
Thanks for answering my question. As I understand it, the ticket cannot be decrypted without the key, which is local/specific to the machine/config/app.
Thanks
Robert Millman Guest
-
Hernan de Lahitte #4
Re: Encryption of Authentication Ticket
You are right. The exception is if you specify a decryptionKey in the
machineKey element of the config file, usually in web farm scenarios.
--
Hernan de Lahitte
Lagash Systems S.A.
http://www.lagash.com
"Robert Millman" <RMillman@AllscriptsOL.com> wrote in message
news:F552145C-9C52-4EDD-9B2B-D903AA2191C5@microsoft.com...
> Thanks for answering my question. As I understand it, the ticket cannot
> be decrypted without the key, which is local/specific to the
> machine/config/app.
>
> Thanks
>
>
Hernan de Lahitte Guest
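
An added example, not part of the thread or of ASP.NET itself: a small audit that reads a config file and reports whether the `<machineKey>` keys are auto-generated (machine-local) or written into the file, which is the exception post #4 describes. The sample configs, the placeholder key, and the helper names are constructed for illustration; the `IsolateApps` modifier comes from the `<machineKey>` documentation rather than from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; PLACEHOLDER_KEY stands in for a real key string.
PER_MACHINE = '''<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>'''
WEB_FARM = '''<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_KEY" decryptionKey="PLACEHOLDER_KEY" />
</system.web></configuration>'''
NO_OVERRIDE = '<configuration><system.web /></configuration>'

ADVICE = {
    "explicit": "key is stored in the file: anyone who can read this config, "
                "and every server sharing it, holds the ticket key",
    "auto-shared": "auto-generated without IsolateApps: all applications on "
                   "the machine share the key",
}


def classify(value):
    """Classify one machineKey key attribute (hypothetical helper)."""
    if value is None:
        return "inherited"          # setting comes from a parent config file
    parts = [p.strip().lower() for p in value.split(",")]
    if parts[0] != "autogenerate":
        return "explicit"
    return "auto-isolated" if "isolateapps" in parts[1:] else "auto-shared"


def audit_machine_key(config_xml):
    """Return (attribute, classification, advice) rows for a config file."""
    root = ET.fromstring(config_xml)
    # Match on local name so a default xmlns on <configuration> is tolerated.
    elems = [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "machineKey"]
    attrs = elems[0].attrib if elems else {}
    rows = []
    for name in ("decryptionKey", "validationKey"):
        kind = classify(attrs.get(name))
        rows.append((name, kind, ADVICE.get(kind, "")))
    return rows


if __name__ == "__main__":
    for label, xml in (("per-machine", PER_MACHINE), ("web farm", WEB_FARM),
                       ("no override", NO_OVERRIDE)):
        for row in audit_machine_key(xml):
            print(label, *row, sep=" | ")
```

An "inherited" result means the file does not set the attribute, so the effective value has to be checked in the parent web.config or machine.config.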




