[Mono-devel-list] System.Web.Security.FormAuthentication encryption?

Gonzalo Paniagua Javier gonzalo at ximian.com
Mon Oct 25 12:52:21 EDT 2004


On Fri, 2004-10-22 at 05:04, Ilja Booij wrote:
> Hi all,
> 
> I have a question on form authentication and encrypted cookies. I'm
> working on a project in which we're using an IIS ASP.Net server which uses
> FormAuthentication. This sends a cookie to the user with some
> information on the session. This cookie can be encrypted using 3DES,
> with a key stored in machine.config on the IIS server.
> 
> Now, here comes the problem:
> 
> We'd like to be able to use this cookie on another, Non-IIS server
> (perhaps XSP, mod_mono, or something else, still evaluating). What we
> need is a way of using above mentioned cookie in this Non-IIS server
> (we need to share the encryption key between servers).
> 
> I had figured that Mono would also implement this, but it turns out it
> doesn't. From System.Web.Security.FormAuthentication.Encrypt():
>       //TODO: encrypt and validate
> 
> The Decrypt() method makes no mention of decrypting the cookie.
> (This is from a snapshot of today, 2004-10-22.)
> 
> To solve my problem, I can do two things:
> 1. Implement this in Mono
> 2. Implement this in custom product.
> 
> The first option seems better to me, :) . However, I need information
> on the exact way that .Net encrypts (and possibly does other things)
> with the cookie. Does anybody have this information? And is this
> information that can be made public, or is it a Microsoft secret?

It uses 3DES to (en|de)crypt. For an interesting example, see
http://weblogs.asp.net/mnissen/articles/23249.aspx.

-Gonzalo
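The hand-off Ilja describes, as an added example that is not code from this thread, from Mono or from Microsoft: one server issues the forms-authentication cookie, the other reads it back, and both work only if they share the same machineKey. It assumes both ends run an ASP.Net implementation that actually honours the machineKey (which, per the snapshot quoted above, Mono's did not yet), and the key values in the config comment are placeholders, not real keys.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not from the thread, Mono or Microsoft). Both servers must
// carry the same <machineKey> so the second can decrypt what the first issued,
// e.g. in machine.config or web.config (values are placeholders, not real keys):
//
//   <system.web>
//     <machineKey validationKey="PLACEHOLDER-VALIDATION-KEY"
//                 decryptionKey="PLACEHOLDER-DECRYPTION-KEY"
//                 validation="SHA1" />
//   </system.web>
//
// With the default AutoGenerate setting each server makes up its own key, and a
// ticket is only readable on the server that issued it.

public static class SharedTicket
{
    // Server A: build a ticket and wrap it in the forms-auth cookie.
    public static HttpCookie Issue(string userName, string userData)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                           // ticket version
            userName,
            DateTime.Now,                // issue date
            DateTime.Now.AddMinutes(30), // expiration; re-checked on the reading side
            false,                       // not persistent
            userData);                   // application-specific payload

        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Secure = true; // the ticket is a bearer credential: HTTPS only
        return cookie;
    }

    // Server B: read the cookie back. Returns null when the cookie is absent,
    // cannot be decrypted (mismatched key or tampered value) or has expired,
    // so a bad cookie never turns into an authenticated user.
    public static FormsAuthenticationTicket Read(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Older runtimes throw on an undecryptable value instead of returning null.
            return null;
        }

        if (ticket == null || ticket.Expired)
            return null;
        return ticket;
    }
}
```

The reading side deliberately treats every failure the same way: a cookie that does not decrypt under the shared key is indistinguishable, from the application's point of view, from a forged one, so it is rejected rather than partially trusted.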
