30
votes

I'm running an Azure Website. Whenever I deploy, everyone gets logged out because the machineKey changes.

I specified the machineKey in the web.config but this didn't solve the issue. I believe this is because Azure automatically overwrites the machineKey [1].

I've found a couple of similar questions here but the answers link to dead links.

So, what's the solution? Surely there's a way to keep users logged in regardless of deployments on Azure.

3
A website hosted as a WebRole or via Azure Websites? - Brendan Green
Are you sure it's not usage of InProc session that gets your users logged out? We are using machineKey specified in web.config for cookie encryption on an Azure Website using autoscaling and we have no problems with changing machinekeys on either scaling up or on new deployments. - jakobandersen
@miracledev I'm pretty sure InProc session isn't relevant here. Session state and authentication are handled differently. The user's encrypted session cookie contains everything needed to treat the user as logged in. No state is stored on the server. - Mr. Flibble
@Mr.Flibble Okay, just checking the obvious, but as I said we use machineKey for encryption and we have no problems reading our encrypted data across deploys :) - jakobandersen
Is it under shared website? - Akash Kava

3 Answers

23
votes

Try to reset the machine-key configuration section upon Application_Start:

// Requires: using System.Configuration; using System.Reflection; using System.Web.Configuration;
protected void Application_Start()
{
    // ...

    // MachineKeySection.Reset is non-public, so it is looked up via reflection.
    var mksType = typeof(MachineKeySection);
    var mksSection = ConfigurationManager.GetSection("system.web/machineKey") as MachineKeySection;
    var resetMethod = mksType.GetMethod("Reset", BindingFlags.NonPublic | BindingFlags.Instance);

    // Carry over the settings that are not being overridden.
    var newConfig = new MachineKeySection();
    newConfig.ApplicationName = mksSection.ApplicationName;
    newConfig.CompatibilityMode = mksSection.CompatibilityMode;
    newConfig.DataProtectorType = mksSection.DataProtectorType;
    newConfig.Validation = mksSection.Validation;

    // Take the keys and algorithms from <appSettings>.
    newConfig.ValidationKey = ConfigurationManager.AppSettings["MK_ValidationKey"];
    newConfig.DecryptionKey = ConfigurationManager.AppSettings["MK_DecryptionKey"];
    newConfig.Decryption = ConfigurationManager.AppSettings["MK_Decryption"]; // default: AES
    newConfig.ValidationAlgorithm = ConfigurationManager.AppSettings["MK_ValidationAlgorithm"]; // default: SHA1

    // Replace the loaded section's values with the ones built above.
    resetMethod.Invoke(mksSection, new object[] { newConfig });
}

The above assumes you set the appropriate values in the <appSettings> section:

<appSettings>
  <add key="MK_ValidationKey" value="...08EB13BEC0E42B3F0F06B2C319B..." />
  <add key="MK_DecryptionKey" value="...BB72FCE34A7B913DFC414E86BB5..." />
  <add key="MK_Decryption" value="AES" />
  <add key="MK_ValidationAlgorithm" value="SHA1" />
</appSettings>

But you can load your actual values from any configuration source you like.

1
votes

If Azure is rewriting your machineKey, you can't do much about it, as it is part of their infrastructure. However, there are other methods.

Override FormsAuthentication

This should not be difficult, as you can easily look up the source code of FormsAuthentication, create your own logic, and replace MachineKey with your own key stored in web.config or in your database.

Custom Authentication Filter

The simplest way would be to create a filter and check, verify, encrypt, and decrypt cookies in your filter. You need to do this in the OnAuthorization method and create a new instance of IPrincipal and set IsAuthenticated to true if decryption was successful.

OAuth

  1. Enable OAuth and create an OAuthProvider. However, you will need to host the OAuthProvider on a server that is in your control, as that will need machineKey working.
  2. Enable third-party OAuth. If you enable OAuth with Google, Facebook, etc., it will be easy, as the user will be redirected to the OAuth provider and they will continue to log in automatically, and a new session will be established.

0
votes

I had the same issue, and in my case I was using the webdeploy to Azure wizard in VS13. I thought I was going crazy, as I would set the machineKey in the web.config and then it would be changed on the deployed web.config to autogenerate. It is something in the webdeploy script/settings. My solution was to open the live Azure site from within VS13 using the Server Explorer and then edit the web.config and save the changes. This preserved my settings with my supplied keys and all works fine.
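
A startup check for the situation described in the answers above, where a deployment leaves the effective machineKey auto-generated. This is an added example, not code from any of the posts; the class name MachineKeyAudit and its method names are hypothetical, and it assumes classic ASP.NET (System.Web) with tracing enabled.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;
using System.Web.Configuration;

// Added example: MachineKeyAudit is a hypothetical helper, not an ASP.NET API.
public static class MachineKeyAudit
{
    // Findings for the effective <machineKey>; empty means both keys are explicit.
    public static IList<string> Check(MachineKeySection mk)
    {
        var findings = new List<string>();
        if (IsAuto(mk.ValidationKey)) findings.Add("validationKey is auto-generated");
        if (IsAuto(mk.DecryptionKey)) findings.Add("decryptionKey is auto-generated");
        return findings;
    }

    // The framework default for both attributes is "AutoGenerate,IsolateApps".
    static bool IsAuto(string key)
    {
        return string.IsNullOrEmpty(key)
            || key.IndexOf("AutoGenerate", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    // Truncated SHA-256 of the configured key string: lets logs from two
    // deployments be compared without writing the key itself anywhere.
    public static string Fingerprint(string key)
    {
        using (var sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(Encoding.UTF8.GetBytes(key));
            return BitConverter.ToString(hash, 0, 6).Replace("-", "");
        }
    }

    // Call once from Application_Start.
    public static void LogStatus()
    {
        var mk = (MachineKeySection)WebConfigurationManager.GetSection("system.web/machineKey");
        var findings = Check(mk);
        foreach (var f in findings) Trace.TraceWarning("machineKey: " + f);
        if (findings.Count == 0)
            Trace.TraceInformation("machineKey fingerprints: validation={0} decryption={1}",
                Fingerprint(mk.ValidationKey), Fingerprint(mk.DecryptionKey));
    }
}
```

A warning, or fingerprints that differ between two deployments, means cookies issued before the deploy will not validate afterwards.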