ASP.NET machineKey config section default location

Andrew Bullock picture Andrew Bullock · Sep 21, 2010 · Viewed 35.8k times · Source

Where do I find the machineKey config section for ASP.NET?

I don't have one in my application Web.config, there isn't one in the root Web.config and there isn't one in my machine.config.

Does this mean there is some other default hardcoded into ASP.NET? If so, what are the defaults? (For .NET 2 and 4)

Having read this: http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx

i was expecting to find something like this, somewhere:

<machineKey 
    validationKey="AutoGenerate,IsolateApps" 
    decryptionKey="AutoGenerate,IsolateApps" 
/>

Edit: the 1.1 docs seem fairly clear wrt default values: http://msdn.microsoft.com/en-us/library/w8h3skw9(VS.71).aspx but the 4 docs are rather ambiguous http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx

Answer

Jagmag picture Jagmag · Sep 21, 2010

machineKey is situated under System.web entry in web.config

Refer MSDN link for web.config Schema.

If you dont see it in your web.config, you can just add it there.

From MSDN again :-)

To provide tamper proof ViewState, a hashed message authentication code (HMAC) is generated from the ViewState content and the hash is compared on subsequent requests. The validation attribute of the indicates which hashing algorithm to use, and it defaults to SHA1, which uses the HMACSHA1 algorithm. Valid choices for hashing include SHA1 or MD5, although SHA1 is preferable because it produces a larger hash and is considered cryptographically stronger than MD5. The validationKey attribute of is used in conjunction with the ViewState content to produce the HMAC. If your application is installed in a Web farm, you need to change the validationKey from AutoGenerate,IsolateApps to a specific manually generated key value.

The default settings for the <pages> and <machineKey> elements are defined in the machine-level web.config.comments file.

For machineKey, they are

<machineKey validationKey="AutoGenerate,IsolateApps"  
            decryptionKey="AutoGenerate,IsolateApps" 
            validation="SHA1" decryption="Auto" />

EDIT : For .NET 4.0 the default algorithm has been changed to SHA256 I think that the easiest way of finding the defaults is to see the entry in the MSDN for this config value.

MSDN 4.0 for machinekey is as below. The values selected are the default values. The values in [] are the other optional values that the field can take. I remember reading someplace this is the typical way in MSDN of denoting defaults for the config values.

<machineKey 
  validationKey="AutoGenerate,IsolateApps" [String]
  decryptionKey="AutoGenerate,IsolateApps" [String]
  validation="HMACSHA256" [SHA1 | MD5 | 3DES | AES | HMACSHA256 | 
    HMACSHA384 | HMACSHA512 | alg:algorithm_name]
  decryption="Auto" [Auto | DES | 3DES | AES | alg:algorithm_name]
/>