What Is Machine Key?
The machineKey element in the ASP.NET web.config file specifies the algorithm and keys that ASP.NET will use for encryption.
By default, the validationKey and decryptionKey attributes are set to AutoGenerate, which means the runtime generates a random key for use. This works fine for applications that are deployed on a single server.
In a web farm, however, a client request can land on any one of the servers in the farm. Hence you have to hardcode the same manually generated validationKey and decryptionKey on all the servers in the farm.
The value is stored locally in the web.config of that application. Below is the sample code.
<configuration>
  <system.web>
    <machineKey
      decryption="AES"
      validation="SHA1"
      decryptionKey="Decryption key goes here"
      validationKey="Validation key goes here"
    />
  </system.web>
</configuration>
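An added example, not part of the original article: Python that generates one key pair for the machineKey attributes shown above and audits a farm's web.config files for auto-generated or mismatched keys. The key sizes, server names and function names are assumptions made for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

# Assumed sizes: 32-byte AES-256 decryption key, 64-byte (128 hex chars) validation key.
DECRYPTION_KEY_BYTES = 32
VALIDATION_KEY_BYTES = 64


def new_machine_key():
    """Build a <machineKey> element with fresh keys from the OS CSPRNG."""
    return ET.Element("machineKey", {
        "decryption": "AES",
        "validation": "SHA1",
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
    })


def render_web_config(machine_key=None):
    """Wrap an optional machineKey element in a minimal web.config document."""
    root = ET.Element("configuration")
    system_web = ET.SubElement(root, "system.web")
    if machine_key is not None:
        system_web.append(machine_key)
    return ET.tostring(root, encoding="unicode")


def audit_farm(configs):
    """configs maps server name -> web.config text; returns a list of findings."""
    # Key values are compared between servers but never echoed into the findings.
    findings, seen = [], {}
    for server, text in sorted(configs.items()):
        node = next(ET.fromstring(text).iter("machineKey"), None)
        attrs = {} if node is None else dict(node.attrib)
        for name in ("validationKey", "decryptionKey"):
            # A missing attribute is treated as the AutoGenerate default.
            if attrs.get(name, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"{server}: {name} is auto-generated")
        seen[server] = tuple(sorted(attrs.items()))
    if len(set(seen.values())) > 1:
        findings.append("machineKey differs across: " + ", ".join(seen))
    return findings


if __name__ == "__main__":
    shared = render_web_config(new_machine_key())  # constructed sample farm
    farm = {"web01": shared, "web02": shared, "web03": render_web_config()}
    print("\n".join(audit_farm(farm)))
```

Generate the keys once and copy the same element to every server; treat the resulting web.config as a secret, since it holds the keys in clear text.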
What Is The Use Of Machine Key In IIS?
A machine key is a unique key that differentiates one computer from others. It is used to create a unique identifier when a cookie is created on the client machine by server-side code.
This key is generally present in the machine.config file when you install the .NET Framework. That file is generally not visible to the user, as it remains in the .NET Framework installation directory.
When you specify the same key in your web.config, the machine key value specified in machine.config is overridden by the one you have specified in the web.config file.
Further Reading
- Replace the ASP.NET machineKey in ASP.NET Core - The implementation of the <machineKey> element in ASP.NET is replaceable. This allows most calls to ASP.NET cryptographic routines to be routed through a replacement data protection mechanism, including the new data protection system.
- Setting the Validation and Decryption Keys - The encryption and hashing algorithms used by the forms authentication system to encrypt and validate the authentication ticket are customizable through the <machineKey> element in Web.config. This Microsoft doc outlines the <machineKey> element's attributes and their possible values.
- Professional ASP.NET 2.0 Security, Membership, and Role Management - Refer to this book for an in-depth look at these issues, including guidance on what encryption and validation algorithms to use, what key lengths to use, and how best to generate these keys.