Wednesday, January 27, 2010

DecryptionKey & ValidationKey - Generation



I once discussed (May 2007) sharing keys when using ‘Forms Authentication Across Applications’.

The discussion was about sharing the same authentication keys across applications located on the same or different web servers in the same domain.


In that topic we discussed that when you need to share the same authentication cookie across separate web servers, you need to specify the decryptionKey and validationKey manually.

You cannot allow the ASP.NET Framework to generate these keys automatically because you need to share the keys across the different web servers.


  validationKey="61A8E04A146AFFAB81B6AD19654F99EA7370807F18F5002725DAB98B8EFD19C711337E269.... " />


You can use the code below to generate these random character sequences.



When using AES, you need to set the decryption key to a random sequence of 64 hex characters.

When using SHA1, you need to set the decryption key to a random sequence of 128 hex characters.


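using System;
using System.Text;
using System.Security;
using System.Security.Cryptography;

class App {
  // Prints len hex characters (len/2 random bytes) from the cryptographic RNG.
  static void GetSequence(int len)
  {
    byte[] buff = new byte[len/2];
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    rng.GetBytes(buff);  // fill the buffer with random bytes
    StringBuilder sb = new StringBuilder(len);
    for (int i=0; i<buff.Length; i++)
      sb.Append(string.Format("{0:X2}", buff[i]));
    Console.WriteLine(sb);
  }

  // Usage: pass the number of hex characters (64 or 128); defaults to 128.
  static void Main(string[] argv)
  {
    GetSequence(argv.Length > 0 ? int.Parse(argv[0]) : 128);
  }
}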





The above code sample is based on an article entitled "How To: Configure MachineKey in ASP.NET 2.0," located at the Microsoft MSDN website.
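
An added example, not part of the original post or the MSDN article: a small audit for the requirements above, checking that each server's machineKey element uses explicit keys of the stated lengths and that two servers carry identical keys. The class name, the sample elements and their key values are constructed for illustration, and it assumes the 128-character SHA1 sequence belongs in validationKey, since SHA1 is the machineKey validation algorithm.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class MachineKeyAudit   // hypothetical name, for illustration only
{
    // Hex lengths stated in the post: 64 for AES, 128 for SHA1.
    const int AesHexLen = 64, Sha1HexLen = 128;

    static bool IsHex(string s, int len) =>
        s.Length == len && s.All(Uri.IsHexDigit);

    // Returns the problems found in one <machineKey> element (empty list = ok).
    public static List<string> Check(XElement mk)
    {
        var issues = new List<string>();
        // A missing attribute means ASP.NET falls back to auto-generated keys.
        string dec = (string)mk.Attribute("decryptionKey") ?? "AutoGenerate";
        string val = (string)mk.Attribute("validationKey") ?? "AutoGenerate";
        if (dec.StartsWith("AutoGenerate", StringComparison.Ordinal) ||
            val.StartsWith("AutoGenerate", StringComparison.Ordinal))
            issues.Add("auto-generated key: cookie cannot be shared with other servers");
        else
        {
            if (!IsHex(dec, AesHexLen)) issues.Add("decryptionKey is not 64 hex characters");
            if (!IsHex(val, Sha1HexLen)) issues.Add("validationKey is not 128 hex characters");
        }
        return issues;
    }

    // Servers that share an authentication cookie must carry identical keys.
    public static bool SameKeys(XElement a, XElement b) =>
        (string)a.Attribute("decryptionKey") == (string)b.Attribute("decryptionKey") &&
        (string)a.Attribute("validationKey") == (string)b.Attribute("validationKey");

    static void Main()
    {
        // Constructed placeholder values, not real keys.
        string dk = new string('A', 64), vk = new string('B', 128);
        var web1 = XElement.Parse($"<machineKey decryption='AES' validation='SHA1' decryptionKey='{dk}' validationKey='{vk}' />");
        var web2 = XElement.Parse("<machineKey decryptionKey='AutoGenerate,IsolateApps' validationKey='AutoGenerate,IsolateApps' />");
        foreach (var (name, mk) in new[] { ("web1", web1), ("web2", web2) })
            foreach (var issue in Check(mk).DefaultIfEmpty("ok"))
                Console.WriteLine($"{name}: {issue}");
        Console.WriteLine("keys match across servers: " + SameKeys(web1, web2));
    }
}
```

In a real check, load each server's web.config with XDocument.Load and pass its machineKey element to Check and SameKeys.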


Hope this helps.



Arun Manglick

