We have a scenario using ASP.NET Forms Authentication in a web farm and need to set up identical <machineKey /> sections in each server's .config file.
Is it better to store the <machineKey /> section in machine.config rather than web.config? What are the advantages and disadvantages of each approach concerning security?
<machineKey validationKey="[keyhere]"
decryptionKey="[keyhere]" validation="SHA1" />
If it's not secure enough, is there any way to encrypt the <machineKey /> section like we encrypt our connection strings (with DPAPI)? (http://msdn.microsoft.com/en-us/library/ms998280.aspx)
Best Regards Magnus