Decrypting ASP.NET Auth Cookie Value without FormsAuthentication.Decrypt Method - asp.net

I try to read / decrypt the value of an auth cookie from forms authentication that is written in AES but without setting the MachineKey in the web.config because I cannot modify this config myself.
Therefore I can't use FormsAuthentication.Decrypt because this uses the machine key internally.

You didn't specify the ASP.NET version but in 2.0 and I think still in 4.0, you can override the machineKey in your web.config.
Check out the section "Web Farm Deployment Considerations".
http://msdn.microsoft.com/en-us/library/ff649308.aspx#paght000007_webfarmdeploymentconsiderations
You can generate a machine key online with this tool: http://aspnetresources.com/tools/machineKey

Related

asp.net identity expire bearer token after 20 min

i have a web service, users can login to service and give bearer token.
in local everything is good, but in server (shared host, windows 2012, iis 8.5) after 20 min, token has been expired !!!
my AccessTokenExpireTimeSpan is :
AccessTokenExpireTimeSpan = TimeSpan.FromDays(900),
also in my first request, i give a delay about 5 sec. what is problem ?
I asume that you in production have multiple servers. And ASP.NET Identity is using the server's machine key to generate the token bearer. So after 20 minutes you have been "redirected" to another server with another machine key.
One solution is to override the machine key of the servers. With setting the machine key in the web.config. So all servers has the same machine key.
<machineKey validationKey="534766AC57A2A2F6A71E6F0757A6DFF55526F7D30A467A5CDE102D0B50E0B58D613C12E27E7E778D137058E" decryptionKey="7059303602C4B0B3459A20F9CB631" decryption="Auto" validation="SHA1"/>
How to generate and set machine keys:
https://technet.microsoft.com/sv-se/library/cc755177%28v=ws.10%29.aspx
http://docs.orchardproject.net/Documentation/Setting-up-a-machine-key
Solution 2 - If don't have access to IIS
If you dont' want to modify the machineKey on the IIS or doesn't have access to it you can ovveride ASP.NET Identity token provider easily by ovveriding the default settings in the startup.cs file.
An example of that can you find here: https://github.com/eashi/Samples/blob/master/OAuthSample/OAuthSample/App_Start/Startup.Auth.cs

how to export auto generated machine key

I have been using owin oauth bearer tokens for web.api authentication. I had only a single server. I never needed to custom generate a machine key. Right now, I need to move to a web farm behind a load balancer. I dont want my current users' bearer tokens to become invalid when I move to the farm. How do I export an auto generated machine key, and import to to another server?
The configuration file deployed on each server must have the same machine key. Some reference here.
Basically you have to copy this section to the other servers' config file:
<machineKey validationKey="A970D0E3C36AA17C43C5DB225C778B3392BAED4D7089C6AAF76E3D4243E64FD797BD17611868E85D2E4E1C8B6F1FB684B0C8DBA0C39E20284B7FCA73E0927B20" decryptionKey="88274072DD5AC1FB6CED8281B34CDC6E79DD7223243A527D46C09CF6CA58DB68" validation="SHA1" decryption="AES" />
It's always best to use a script to generate your own machine keys.

Forms Authentication SSO - Why does User.Identity.IsAuthenticated == false

I'm trying to set up SSO on two separate IIS web sites (with a common domain) using Forms Authentication. I'm using the common approach of setting the auth cookie to the common domain and using matching machine key to enable decryption.
This works with no issues on test sites that I created. However, when trying to implement this in a legacy Web Forms site, I'm running into something that I don't understand.
When I log into one site, the test code on the second site has the following results:
var cookie = FormsAuthentication.GetAuthCookie("username", false); // works
var ft = FormsAuthentication.Decrypt(cookie.Value); // returns correct info
var isAuthentication = User.Identity.IsAuthenticated; // false
As an added bonus, whenever I sign in one site the other gets signed out (happens both ways.)
There must be something fundamental that I'm missing here.
Why is User.Identity.IsAuthenticated set to false, even though the FormsAuthentication ticket seems to be decrypting with no issues?
UPDATE: as pointed out below - FormsAuthentication.GetAuthCookie is not a valid way to obtain the existing auth cookie. Which brings me to this: I can see the top domain cookie in the browser, but it doesn't show up in the request. I suspect this is where the problem is occuring.
Solution: Both sites were not targeting the same version of .Net Framework as specified by the web.config:
<httpRuntime targetFramework="4.5" />
<compilation debug="true" targetFramework="4.5" />
Updating both sites to target the same framework fixed the problem.
The GetAuthCookie creates a new cookie:
http://msdn.microsoft.com/en-us/library/vstudio/3fay1e4k(v=vs.100).aspx
Creates an authentication cookie for a given user name. This does not set the cookie as part of the outgoing response, so that an application can have more control over how the cookie is issued.
No wonder it works, it doesn't look into the existing cookie.
My theory is that you have your new sites on an x64 machine and the legacy website sits in an x86. The encryption differs in such scenario even if keys are the same. Another possible reason is a different version of .net as the encryption algorithm has been changed in .net 4.

Is my machine key auto-generated or isolated?

I'm attempting to share .ASPXAUTH cookies between an ASP.NET MVC 4 application (in IIS 7.5) and a service using HttpListener on the same host.
The browser presents the cookies to both correctly, but my service receives System.Web.HttpException: Unable to validate data. at FormsAuthentication.Decrypt, which I would expect if the two applications were using different machine keys.
So: how do I find out if my machine is configured to use different machine keys?
the default setting of IIS is autogenerate machine-key and isolate per application
you can change this setting globaly in your machine.config or localy (per application) in your web.config
for details please see
http://technet.microsoft.com/en-us/library/cc772287(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc754909(v=ws.10).aspx
You can see the current setting for machine-key in IIS manager. For details, see http://blogs.msdn.com/b/amb/archive/2012/07/31/easiest-way-to-generate-machinekey.aspx

ViewState Encryption in ASP.Net

Why is it that I see the same hash value generated when I use different algorithms for viewstate encryption.
I have added below lines to the web.config file
pages viewstateEncryptionMode="Always" enableViewStateMac="true".../>
machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="AES" decryption="Auto" />
Also, compilation debug="false" ... > is set.
No matter what I use (AES, MD5, SHA1, 3DES), it generates the same hash. Is there something I am missing out.
Please let me know.
-Thanks
Here is an article on Encrypting Viewstate. It's for ASP.Net 2.0. which should be fine for 3.5.
Via P&P on MSDN:
Forms authentication defaults to SHA1
for tamper proofing (if or
,
then forms authentication hashes the
forms authentication ticket by using
either MD5 or HMACSHA1 (HMACSHA1 is
used even if validation is set to AES
or 3DES). Forms authentication then
encrypts the ticket using the
algorithm specified in the decryption
attribute. (The decryption attribute
was introduced in ASP.NET 2.0.)
Therefore, theoretically, only SHA1 and MD5 should differ in the hash that is produced.

Resources