MachineKey

Discussion in 'ASP.NET 2.0' started by strazz, Apr 17, 2008.

  1. I've read that you need to put unique machinekeys in your web.config.

    Like this:

    <system.web>
    <httpRuntime executionTimeout='700'/>

    <machineKey validationKey='EFB6BblahblahklasdjfkljaklsdfC07442F15FA33E65F5235877FF3ECDC934E08B5421E25EEA' decryptionKey='2C16C475CjklsadfjljasfdklasjfD25B23AD87' validation='SHA1'/>
    </system.web>

    I've got a question though:

    If you have multiple accounts at discountasp.net could two web apps with the same machinekey ever create a problem?

    Thanks,

    Robert
     
  2. This is something I've been meaning to look into.
    Maybe one of the DASP crew can give some inside tips for this.

    I think if we use a custom MachineKey it only applies to the current ASP.NET Application.
    As in the case of Applications created for directories.
    But I'm not sure about that.
     
  3. Well this kind of goes in line with me wondering about what is actually happening out there. I understand we are on some sort of web farm but right there my knowledge and experience start to slip. From what I've gathered (and please take my disclaimer that this could all be wrong) I think that every request could go out to a different server at Discountasp.net and that is why we need the machinekey in the first place. (otherwise you can get those viewstate validation errors)

    If DASP hops on this thread I would love a better explanation of the hosting infrastructure and what is happening request to request. (Obviously if something proprietary is going on then skip that part) Thanks and I look forward to what we can learn on this thread!
     
  4. Bruce (DiscountASP.NET Staff)

    Chances are that your sites will be on different servers.

    To ensure there's no conflict, you should generate a unique key for each application.

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
     
  5. Thanks Bruce, any word on the 'web farm' details? It'd be helpful to know how it's actually working... Is there just a bunch of windows boxes with separate application pools or can requests really go to more than one server?
     
  6. I think we should do a Promo video for DASP regarding this.
    It's something a lot of new developers overlook.
     
  7. Bruce (DiscountASP.NET Staff)

    We do not host on a webfarm. In general, you don't find many shared hosting companies that host in a clustered environment.

    The main reason is that it complicates things a lot for the end user. In most situations, you'll need to configure your application in a certain way for it to work properly on a webfarm. For example, you HAVE to use SQL session and unique machine key and if you perform file I/O w/ your app, the developer needs to take file lock into consideration.

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
     
  8. Bruce, thanks for taking the time to answer this thread. I'm glad I don't have to worry about those issues :- )

    I think if I can get a web deployment project subbing in a different machinekey depending on the configuration setting then I'll be safe no matter what.
     
  9. Going back to the original question, I don't think that using the same machineKey among multiple sites/applications will cause a problem. Its purpose is for encryption/decryption. It's more of a security precaution that you don't use the same key just in case someone gets a hold of it.

    The reason why it is advisable to use your own custom machineKey is because one gets randomly generated every time the site's application process is recycled. Using a constant machineKey allows encrypted data to stay valid in the event of a recycle. For example, form authentication cookies are encrypted using the machineKey. After a recycle, cookies that were created using the old machineKey will no longer be valid and the user gets logged out. With a constant machineKey, the login status of the user will persist between recycles.

    Oh, and IIS7 makes it easier to generate a machineKey. It is a feature of the IIS7 Manager.

    Aristotle

    DiscountASP.NET
    www.DiscountASP.NET
     
  10. Thanks for the explanation :- ) Have a great week!
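
An added example, not part of the thread and not DiscountASP.NET's tooling: a Python sketch that generates a fresh `<machineKey>` element per application, as post 4 advises, and audits a set of web.config files for keys that are shared between applications or are not explicit hex strings. The key sizes (64-byte validationKey, 24-byte decryptionKey), the application names and the sample configs are assumptions constructed for illustration.

```python
import secrets
import string
import xml.etree.ElementTree as ET
from collections import defaultdict

WRAP = "<configuration><system.web>%s</system.web></configuration>"

def new_machine_key(validation="SHA1"):
    """Build a <machineKey> element with fresh random keys.
    Assumed sizes: 64-byte validationKey, 24-byte decryptionKey."""
    return "<machineKey validationKey='%s' decryptionKey='%s' validation='%s'/>" % (
        secrets.token_hex(64).upper(), secrets.token_hex(24).upper(), validation)

def is_hex_key(value):
    """True for a non-empty, even-length string of hex digits."""
    return bool(value) and len(value) % 2 == 0 and all(
        c in string.hexdigits for c in value)

def audit(configs):
    """configs maps an application name to its web.config text.
    Returns a sorted list of (application(s), finding) tuples."""
    owners = defaultdict(list)   # (attribute, key value) -> applications using it
    findings = []
    for app, text in configs.items():
        mk = next(ET.fromstring(text).iter("machineKey"), None)
        if mk is None:
            findings.append((app, "no explicit machineKey"))
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "").upper()
            if is_hex_key(value):
                owners[(attr, value)].append(app)
            else:  # placeholder text, AutoGenerate, or a missing attribute
                findings.append((app, attr + " is not an explicit hex key"))
    for (attr, _), apps in owners.items():
        if len(apps) > 1:
            findings.append((",".join(sorted(apps)),
                             attr + " shared between applications"))
    return sorted(findings)

# Constructed sample: three hypothetical applications, two reusing one key pair.
_reused = new_machine_key()
SAMPLE = {"app-a": WRAP % _reused, "app-b": WRAP % _reused,
          "app-c": WRAP % new_machine_key()}

if __name__ == "__main__":
    for who, what in audit(SAMPLE):
        print(who, "->", what)
```

The findings name the applications and the attribute only; the key values themselves are never written to the output.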
     
