Top Nguyen Blog
Keep Authenticate on Shared Hosting

23 December, 2016

I had been hosting a website on a shared hosting server. I have a "remember me" feature for users, but it hasn't worked and cookies expire every 30 minutes. This post covers my experience and the solution for this scenario.

The light-bulb moment was when I realized the problem didn't happen when I ran my site locally. I also remembered that my site uses a cookie to authenticate and is built with ASP.NET Identity. So I didn't think it was a coding issue. After some research, I learned that Forms Authentication uses the computer's machine key to encrypt and decrypt the Forms Authentication cookie. I wondered: "Could the machine key be changing over time on my shared hosting server?"

Of course: shared hosting uses a farm of servers to host and handle many sites, and each machine has a different key.

So how can the old cookie stay valid for authentication when the host moves my site to a different machine?

The simple solution is to set a fixed machine key in web.config, because by default the key is auto-generated by IIS and depends on the machine.

In web.config, just add a machineKey element like the one below.

<system.web>
<machineKey
   validationKey="5B78B5D5AFCD4E6EE5D5C2068C1BE535F8E64B4A2B20A0EC379933F86132FFCCEB6802B26AC365CEF827D5ED2E716F9BA1A52C92B6A6E586B766ACA99BE51A6B"
   decryptionKey="6A4786B01591F2C441CDA694C00449DD6175B854391A6681"
   validation="SHA1"/>
...
</system.web>

See the Microsoft documentation for the machine key.

You can generate the validationKey and decryptionKey in IIS with a specific algorithm.

IIS Machine key

In IIS, search for and open Machine Key.

IIS Machine Key - Generate Key

Note: The default auto-generated value is more secure than a fixed key, because the auto-generated key depends on the machine and no one knows what the validation key or decryption key is. So if you use a fixed key and someone gets it, they can fetch your user information from the cookie.
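
Because of the risk in the note above, the keys printed in this post are public and should not be copied into a real site. The following Python script is an added example (not part of the original post and not a Microsoft tool): it audits a web.config for a machineKey that is still auto-generated or that reuses the decryptionKey shown above, and it produces a fresh element with random keys. The function names, the constructed sample config, the key sizes and the choice of `HMACSHA256` with `AES` are assumptions of this example.

```python
import secrets
import xml.etree.ElementTree as ET

# decryptionKey printed in this post; a published key is known to everyone.
PUBLISHED = {"6A4786B01591F2C441CDA694C00449DD6175B854391A6681"}
HEX = set("0123456789ABCDEFabcdef")

def new_machine_key():
    """Build a <machineKey> element with fresh random keys.
    Assumed sizes: 64-byte validation key, 32-byte AES decryption key."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="HMACSHA256" decryption="AES"/>'
            % (secrets.token_hex(64).upper(), secrets.token_hex(32).upper()))

def audit(web_config_xml, published=PUBLISHED):
    """Return (attribute, finding) pairs for the first machineKey element."""
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return [("machineKey", "absent: keys are auto-generated per machine")]
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        # A missing attribute falls back to the auto-generated default.
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            findings.append((attr, "auto-generated: cookies break when the host moves the site"))
        elif value.upper() in published:
            findings.append((attr, "published key: generate a new one"))
        elif not set(value) <= HEX or len(value) % 2:
            findings.append((attr, "not a valid hex key"))
    return findings

# Constructed sample: one auto-generated key, one key copied from this post.
SAMPLE = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="6A4786B01591F2C441CDA694C00449DD6175B854391A6681"
              validation="SHA1"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for attr, finding in audit(SAMPLE):
        print(attr, "->", finding)
    print(new_machine_key())
```

Keep the generated element out of public repositories and posts, since anyone who holds these keys can read the authentication cookie.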

Happy Coding!