stackoom
  简体   繁体   中英

Server is Able to Decrypt Forms Authentication Key Generated on my Local System

 原文  2012-08-23 06:17:42       asp.net/ security/ forms-authentication

Question

I am in .NET 4.0 paradigm and I noticed a scenario. My API was using FormsAuthentication.Encrypt method to create a token for the user. the problem is that if I run the API on localhost, call the api to get the key, I can use the same key on subsequent request to the server. Why is this happening? Is this desired behavior? Isn't it a security risk?

1 answers

solution1
 1 ACCPTED  2012-08-23 08:07:23

The problem was that we were overriding the machineKey value in our applications web.config. So both applications (running on local machine and server) were using same keys to encrypt and decrypt. Hence, it was possible for server to decrypt key encrypted by local machine and vice versa.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Windows Authentication in local system SSO Forms Authentication issue. Unable to decrypt authentication cookie Google server forms authentication Forms authentication and server time Is there a way to bypass forms authentication for local requests? Using Forms authentication with remote auth system? Windows Authentication/Forms Authentication? How best to design the system? my asp.net app session working in my local system , when I deploy on the remote server it is not working? forms authentication, not able to save web.config programmatically Forms Authentication Cookie not expiring on Server Shutdown/Failure
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM