Kevin Burton #1
Web Farm and <machineKey>
I have a Web Farm and I understand that in order to keep
ViewState safe I want to modify the <machineKey>.
1) The documentation indicates that EnableViewStateMac
defaults to "false" but I am seeing View State corruption
messages (as a result of HttpException). Can the View
State be detected as corrupt without the MAC validation?
2) I see some examples of some keys that I can use for
validation and encryption. Is there a utility that I can
use to generate a key? Yes, I understand that the same key
has to be on each member of the Web farm. I would just
like to generate my own key.
3) Is the default to encrypt and hash or just hash or none?
Thank you.
Kevin
[email]rkevinburton@charter.net[/email]
Kevin Burton Guest
-
Teemu Keiski #2
Re: Web Farm and <machineKey>
Hi,
1. Docs are incorrect here. enableViewStateMac="true" is the default.
2. [url]http://www.eggheadcafe.com/articles/20030514.asp[/url]
3. By default both validationKey and decryptionKey are autogenerated which
means both techniques are applied as well.
You could also take a peek at docs about <machineKey> though the article at
answer 2) covers those also.
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfmachinekeysection.asp[/url]
--
Teemu Keiski
MCP, Microsoft MVP (ASP.NET), AspInsiders member
ASP.NET Forum Moderator, AspAlliance Columnist
"Kevin Burton" <anonymous@discussions.microsoft.com> wrote in message
news:033901c39f32$08cf2440$a401280a@phx.gbl...
> I have a Web Farm and I understand that in order to keep
> ViewState safe I want to modify the <machineKey>.
>
> 1) The documentation indicates that EnableViewStateMac
> defaults to "false" but I am seeing View State corruption
> messages (as a result of HttpException). Can the View
> State be detected as corrupt without the MAC validation?
>
> 2) I see some examples of some keys that I can use for
> validation and encryption. Is there a utility that I can
> use to generate a key? Yes, I understand that the same key
> has to be on each member of the Web farm. I would just
> like to generate my own key.
>
> 3) Is the default to encrypt and hash or just hash or none?
>
> Thank you.
>
> Kevin
> [email]rkevinburton@charter.net[/email]
>
Teemu Keiski Guest
-
Imtiaz Hussain #3
RE: Web Farm and <machineKey>
The purpose of the View State MAC feature is to make it impossible for
clients to send a request containing malicious View State. This feature is
enabled by default, via the enableViewStateMac="true" flag in your
machine.config. The simplest way to determine whether the issue you are
dealing with is related to the MAC is to turn off the feature, by setting
enableViewStateMac="false". If you no longer get View State errors, then
the problem is MAC related.
The viewstate error can be caused due to an underlying exception not being
handled properly.
One of the prominent causes of this error in a web farm environment is the
fact that the validation key is left as AutoGenerate.
In a Web Farm, each client request can go to a different machine on every
postback. Because of this, you cannot leave the validationKey set to
'AutoGenerate' in machine.config. Instead, you must set it to a fixed
string that is shared among all the machines on the Web Farm.
The following article tells you how to create the keys.
313091 HOW TO: Create Keys by Using Visual Basic .NET for Use in Forms
[url]http://support.microsoft.com/?id=313091[/url]
Hope this helps.
Imtiaz Hussain.
Imtiaz Hussain Guest
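
The following is an added example, not code from this thread or from the linked articles. It generates a fixed key pair with a CSPRNG for a `<machineKey>` element and shows why per-machine AutoGenerate keys break postbacks on a farm. Assumptions: `FarmNode` and `postback_survives` are hypothetical names, the MAC is modelled as plain HMAC-SHA1 rather than ASP.NET's real View State format, and the key sizes (64-byte validation, 24-byte decryption) are chosen for illustration.

```python
import hashlib
import hmac
import secrets

def new_machine_key(validation_bytes=64, decryption_bytes=24):
    """Generate fixed keys from the OS CSPRNG, hex-encoded for <machineKey>.
    Sizes are assumptions: 64-byte validation key, 24-byte decryption key."""
    return {
        "validationKey": secrets.token_hex(validation_bytes).upper(),
        "decryptionKey": secrets.token_hex(decryption_bytes).upper(),
    }

def machine_key_element(keys):
    """Render the element to copy, unchanged, to every member of the farm."""
    return ('<machineKey validationKey="{validationKey}" '
            'decryptionKey="{decryptionKey}" validation="SHA1" />').format(**keys)

class FarmNode:
    """Hypothetical stand-in for one web server holding a validation key."""
    def __init__(self, validation_key_hex=None):
        # None models AutoGenerate: each machine creates its own private key.
        hex_key = validation_key_hex or secrets.token_hex(64)
        self._key = bytes.fromhex(hex_key)

    def protect(self, state: bytes) -> bytes:
        # Append a 20-byte HMAC-SHA1 tag, as a model of the View State MAC.
        return state + hmac.new(self._key, state, hashlib.sha1).digest()

    def validate(self, blob: bytes) -> bytes:
        state, tag = blob[:-20], blob[-20:]
        expected = hmac.new(self._key, state, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("view state MAC validation failed")
        return state

def postback_survives(issuer, receiver, state=b"constructed-state"):
    """True if state issued by one node validates on the node that receives it."""
    try:
        return receiver.validate(issuer.protect(state)) == state
    except ValueError:
        return False

if __name__ == "__main__":
    keys = new_machine_key()
    print(machine_key_element(keys))
    shared = [FarmNode(keys["validationKey"]) for _ in range(2)]
    auto = [FarmNode() for _ in range(2)]
    print("shared key:", postback_survives(*shared))
    print("AutoGenerate:", postback_survives(*auto))
```
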