Updates to default machineKey settings
When we launched application scaling more than a year ago, one of the enabling features was that AppHarbor automatically injects a machineKey element in the application web.config unless one is already specified. Today, we're announcing changes to the default machineKey settings injected for applications running on .NET 4.0 and 4.5. The changes will be phased in a week from now, on November 14th. The changes are not breaking, but users may need to log back in to sites using ASP.NET Forms Authentication the first time they visit the site after a new version of the site is deployed.
AppHarbor has to inject the machineKey element because an application is scaled by deploying the app on multiple workers. To make sure that forms authentication cookies generated by one worker are also valid when received by other workers, the keys used to encrypt and validate the cookie have to match across workers. Previously, we would always specify SHA1 for the validation attribute of the machineKey element. We chose this setting because it works with all framework versions. The change we're introducing is to upgrade the default validation algorithm for .NET 4.0 and 4.5 applications to HMACSHA256, which is the default for those framework versions. The upgrade will cause previously issued forms auth cookies (and any data encrypted using the MachineKey helper) to become invalid, and users will have to log back in to get a new cookie.
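As an added illustration (not AppHarbor's code, and not the real ASP.NET ticket format), the following Python model shows why both the validation key and the validation algorithm must agree across workers: a cookie issued by a worker configured for SHA1 fails validation on a worker configured for HMACSHA256, which is exactly the forced re-login described above. Keys, payload and cookie layout are constructed for the example.

```python
import base64
import hashlib
import hmac

# Hypothetical cookie layout: base64(payload || MAC). The real forms-auth ticket
# differs; this only models the "key and algorithm must match" rule.
ALGORITHMS = {
    "SHA1": hashlib.sha1,          # legacy value AppHarbor injected for every framework
    "HMACSHA256": hashlib.sha256,  # framework default on .NET 4.0 / 4.5
}


def issue_cookie(payload: bytes, validation_key: bytes, validation: str) -> str:
    """A worker issues a cookie: payload plus an HMAC under its configured algorithm."""
    mac = hmac.new(validation_key, payload, ALGORITHMS[validation]).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def validate_cookie(cookie: str, validation_key: bytes, validation: str):
    """Another worker validates the cookie with *its* key and algorithm.
    Returns the payload on success, None when the MAC does not verify."""
    digest_fn = ALGORITHMS[validation]
    raw = base64.b64decode(cookie)
    mac_len = digest_fn().digest_size
    if len(raw) <= mac_len:
        return None
    payload, mac = raw[:-mac_len], raw[-mac_len:]
    expected = hmac.new(validation_key, payload, digest_fn).digest()
    # Constant-time comparison so MAC checking does not leak timing information.
    return payload if hmac.compare_digest(mac, expected) else None


def scenarios() -> dict:
    """Replays the three cases that matter when workers are scaled out."""
    payload = b"user=alice;issued=2012-11-07"          # constructed ticket body
    shared_key = b"constructed shared validation key"   # injected on every worker
    other_key = b"constructed key of a different app"   # a worker with mismatched keys
    old_cookie = issue_cookie(payload, shared_key, "SHA1")
    return {
        # Same key and algorithm on every worker: the cookie round-trips.
        "same key, same algorithm": validate_cookie(old_cookie, shared_key, "SHA1") == payload,
        # Same key, but the validator was upgraded to HMACSHA256: old cookie rejected.
        "same key, algorithm upgraded": validate_cookie(old_cookie, shared_key, "HMACSHA256") is None,
        # Same algorithm, but keys differ between workers: cookie rejected.
        "different key, same algorithm": validate_cookie(old_cookie, other_key, "SHA1") is None,
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case}: {'as expected' if ok else 'UNEXPECTED'}")
```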
If you are running a .NET 4.0 or 4.5 application and you want to opt out of this change, simply add a machineKey element to your web.config that looks like this:
<machineKey validation="SHA1" />
AppHarbor will still inject validation and decryption keys, but the algorithm attribute will be left alone. If you're already specifying a valid (non-autogenerate) machineKey element, your application will not be affected by this change.
As always, if you don't want the hassle of dealing with Forms Authentication and the lack of control over the cookies it issues, we recommend using AppHarbor.Web.Security.
