[Mono-devel-list] System.Web.Security.FormAuthentication encryption?

Ilja Booij ibooij at gmail.com
Fri Oct 22 05:04:53 EDT 2004


Hi all,

I have a question on form authentication and encrypted cookies. I'm
working on a project in which we're using an IIS ASP.Net server which uses
FormAuthentication. This sends a cookie to the user with some
information on the session. This cookie can be encrypted using 3DES,
with a key stored in machine.config on the IIS server.

Now, here comes the problem:

We'd like to be able to use this cookie on another, non-IIS server
(perhaps XSP, mod_mono, or something else, still evaluating). What we
need is a way of using the above-mentioned cookie on this non-IIS server
(we need to share the encryption key between servers).

I had figured that Mono would also implement this, but it turns out it
doesn't. From System.Web.Security.FormAuthentication.Encrypt():
      //TODO: encrypt and validate

The Decrypt() method makes no mention of decrypting the cookie.
(This is from a snapshot of today, 2004-10-22.)

To solve my problem, I can do two things:
1. Implement this in Mono
2. Implement this in a custom product.

The first option seems better to me :). However, I need information
on the exact way that .Net encrypts (and possibly does other things)
with the cookie. Does anybody have this information? And is this
information that can be made public, or is it a Microsoft secret?

BTW, I'm pretty new to C#, but quite experienced in Java, C, C++ and
other programming languages. So far, C# syntax hasn't been a problem
:)

Thanks for your time,
Ilja Booij
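
Added example, not part of the original post: the configuration on the IIS side that makes the forms-authentication cookie usable by a second server, i.e. explicit keys instead of auto-generated ones. The key values are placeholders, and the cookie name, login page and timeout are assumed sample values.

```xml
<!-- Added example. Key values are placeholders, not values from the post. -->
<configuration>
  <system.web>
    <!-- Typical machine.config default: keys are generated per machine (and,
         with IsolateApps, per application), so a cookie issued by this server
         cannot be decrypted or validated anywhere else:

         <machineKey validationKey="AutoGenerate,IsolateApps"
                     decryptionKey="AutoGenerate,IsolateApps"
                     validation="SHA1" />
    -->

    <!-- Shareable form: explicit hex keys. Every server that must read the
         cookie needs exactly these values. decryptionKey is the 3DES key
         (48 hex characters); validationKey keys the integrity check
         (40 to 128 hex characters). -->
    <machineKey validationKey="PLACEHOLDER_SHARED_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_SHARED_3DES_KEY_HEX"
                validation="SHA1" />

    <authentication mode="Forms">
      <!-- protection="All" both encrypts and validates the ticket; name,
           path and protection must match on every server sharing the
           cookie. -->
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             path="/"
             timeout="30" />
    </authentication>
  </system.web>
</configuration>
```

With protection="All" the receiving side has to check the validation data before trusting the decrypted ticket, which is the "encrypt and validate" step named in the TODO quoted above.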


