By default, a machine key parameter is automatically created for each application (AutoGenerate, IsolateApps). MSDN states that the decryption key and the verification key are based on the identifier of the web application. I host two ASP.NET MVC 2 sites on my IIS 7 server, but found out that the machine key is the same. I checked this using reflection to see the ValidationKeyInternal and DecryptionKeyInternal properties. I also tested it by creating an anti-forgery cookie on one site and passing it to the other, and the cookie can be read.
After trial and error, I found that the key will change if the application pool identifier changes. These two sites have the same keys, because they work under the credentials of the network service. As soon as I change the application pool identifier of one site, they begin to have different verification / encryption keys.
However, after deploying two sites on a different server, I always get the same machine keys even after changing the application pool identifier. These two servers have the same hardware and software configuration.
I would like to know if there is a link to the actual machine key creation logic in the AutoGenerate, IsolateApps settings. There are many articles on the Internet about installing the same machine key in a web farm script. But I ran into a problem on the opposite side. Creating an automatic key for each web application does not work properly. Does anyone have the same problem?