Session cookie encryption key

Apr 11, 2010 at 1:05 PM

On page 128, it says the default cookie encryption key used is a DPAPI key stored in the user profile of the application pool account. Can this key be used in a DMZ web farm scenario or are there any issues with it, for example one node being unable to decrypt a cookie encrypted by another node on the farm? If there are no issues, is DPAPI secure enough in a DMZ?

If DPAPI cannot be used for web farms, is the alternative suggested which is to use RSA keys a good idea in terms of security when the web farm is in the DMZ as the keys could be stolen if the web farm is compromised?

Which approach provides the best security?

Many thanks

Coordinator
Apr 11, 2010 at 1:06 PM
Have a look here: http://www.leastprivilege.com/WCFWIFAndLoadBalancingAndABitOfAzure.aspx
Apr 11, 2010 at 5:57 PM

Thanks Dominick. In your blog you say that DPAPI key can be used for cookie encryption if all nodes on the farm are joined up to a domain and application pool user account has roaming profile enabled. However, this kb (Http://support.microsoft.com/kb/309408) says, under the section "DPAPI and roaming profiles" that this might not work if the user account is logged onto multiple nodes. Is this true? Please could you confirm?

Am I right in thinking that as the SSL key and the token decryption key anyway need to be stored on the web farm in the DMZ, it won't be any more riskier to store another private key on this farm for cookie encryption?

Many thanks

Coordinator
Apr 15, 2010 at 7:11 AM

Actually I have never tried it since I never had the luxury of a domain in the DMZ ;)

Token decryption keys must be deployed to every node in your cluster anyways - I would either use this key - or deploy another key.

Apr 18, 2010 at 1:23 PM

Thanks.