Should I change the machinekey?

Post here for help with installing or upgrading mojoPortal pre-compiled release packages. When posting in this forum, please provide all relevant details. You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.

Post here for help with installation of mojoPortal pre-compiled release packages

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.

You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.

This thread is closed to new posts. You must sign in to post in the forums.
9/18/2010 11:08:36 AM
Gravatar
Total Posts 249

Should I change the machinekey?

After reading the latest news about ASP.NET security, I realized that I did not change the machinekey - it is still the default value.

It is that a problem?

9/18/2010 11:16:22 AM
Gravatar
Total Posts 18439

Re: Should I change the machinekey?

Yes definitely you should, but see this document because if you are using encrypted or hashed passwords it will lock you out if you change it.

http://www.mojoportal.com/use-a-custom-machine-key.aspx

in any case it will log you out when you change it but you won't be able to get in again if your password was encrypted with the default key.

9/18/2010 11:40:49 AM
Gravatar
Total Posts 249

Re: Should I change the machinekey?

awesome, that means that I cannot change the machinekey as my passwords are hashed

the funny story is that i have a many of "userless" installations with an univoque machinekey, except the biggest one that has the default one

i have to find a funny way to explain my users that for my fault they have to recover their password using the secret question....

9/18/2010 11:45:23 AM
Gravatar
Total Posts 18439

Re: Should I change the machinekey?

I'm not 100% sure about hashed whether it uses the machine key or not, maybe try it on a copy and see what happens if you leave it as hashed or change the machine key then change back if it doesn't work, let me know if it does or not so I can know for sure.

note that it will log out everyone when you change the machine key

9/18/2010 11:50:39 AM
Gravatar
Total Posts 18439

Re: Should I change the machinekey?

The other thing you could do is if you do it on a copy first not the live site, after you change it to clear text you could back up that data and extract what you need for a mail merge and tell the users that a security upgrade required resetting their passwords, you could include the new clear text password in the email and ask them to login and change it to something personal rather than system generated.

then go on with changing back to hashed, the passwords that you now have in the backup will still be clear text.

9/18/2010 2:38:47 PM
Gravatar
Total Posts 249

Re: Should I change the machinekey?

it's possible to put the machinekey in the user.config for easier upgrades?

I am trying and I get an error 500 telling me that the element is not recognized

i tried to put the machinekey inside <system.web></system.web>  but still no luck

9/18/2010 2:58:47 PM
Gravatar
Total Posts 249

Re: Should I change the machinekey?

what about who signed with openid? the password won't change for them, but converting from hashed to clear text will give a random password also to them

it will be a problem?

9/18/2010 5:19:45 PM
Gravatar
Total Posts 249

Re: Should I change the machinekey?

I solved sending an automated email to all my users with this buggy code, anyone can copy&use:

(be careful, this code is dangerous)

protected void Page_Load(object sender, EventArgs e)
    {
        MySqlConnection stringaconnessionemysql = new MySqlConnection(
        "server=localhost; user id=****; password=***; database=mojo; pooling=false;");
        String strSQLliv = "SELECT `Name`,`Email`,`Pwd` FROM `mp_users` WHERE `OpenIDURI`= ''";
        string[,] strClientData = new String[3000,3];
        MySqlCommand dbcClientData = stringaconnessionemysql.CreateCommand();
        MySqlDataReader dbrClientData;
        dbcClientData.CommandText = strSQLliv;
        stringaconnessionemysql.Open();
        //execute the reader, thus retrieving the data
        dbrClientData = dbcClientData.ExecuteReader();

        if (dbrClientData.HasRows)
{
int i=0;
while (dbrClientData.Read())
{
strClientData[i,0] = dbrClientData.GetString(0);
strClientData[i,1] = dbrClientData.GetString(1);
strClientData[i,2] = dbrClientData.GetString(2);
SmtpClient client = new SmtpClient();
client.DeliveryMethod = SmtpDeliveryMethod.Network;
client.EnableSsl = true;
client.Host = "smtp.gmail.com";
client.Port = 587;

// setup Smtp authentication
System.Net.NetworkCredential credentials =
new System.Net.NetworkCredential("****", "****");
client.UseDefaultCredentials = false;
client.Credentials = credentials;
MailMessage msg = new MailMessage();
msg.From = new MailAddress("*****");
msg.To.Add(new MailAddress("strClientData[i,1]"));

msg.Subject = "your subjectt";
msg.IsBodyHtml = true;

msg.Body = string.Format("<html><head></head><body>hello, <b>" + strClientData[i, 0] + "</b>, your new password is: " + strClientData[i, 2]);
client.Send(msg);
i++;
}
}

9/18/2010 5:25:40 PM
Gravatar
Total Posts 18439

Re: Should I change the machinekey?

unfortunately the only thing user.config can override is the <appSettings section

In fact you can see how it works if you look at Web.config

<appSettings file="user.config">

so user.config is an arbitrary name, you could save it as somethinghardertoguess.config and then change the setting in Web.config to point to your custom file. Actually a good idea from a security perspective but one more thing to maintain.

unfortunately a custom machine key is also something one has to maintain in web.config over upgrades.

yes, there is a little good news for users who registered through RPX. mojoPortal does create an internal random password for those users but they don't need it since they authenticate against RPX openid service. They "could" use that password if they knew about it and login directly but typically they don't know that and only login via RPX, so they are much less likely to notice anything about the change to machine key, other than they will have to login again because their cookie will not be valid after changing the machine key.

Best,

Joe

9/21/2010 7:03:09 AM
Gravatar
Total Posts 18439

Re: Should I change the machinekey?

fyi, I've been told by someone who tried it that changing the machine key works ok with hashed passwords, so you only need to decrypt before changing it if using encrypted passwords.

Best,

Joe

9/21/2010 4:43:03 PM
Gravatar
Total Posts 249

Re: Should I change the machinekey?

i can confirm that too sad

You must sign in to post in the forums. This thread is closed to new posts.