Should I change the machinekey?

Post here for help with installing or upgrading mojoPortal pre-compiled release packages. When posting in this forum, please provide all relevant details. You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.


This thread is closed to new posts. You must sign in to post in the forums.
9/18/2010 11:08:36 AM
Total Posts 251

Should I change the machinekey?

After reading the latest news about ASP.NET security, I realized that I did not change the machinekey - it is still the default value.

Is that a problem?

9/18/2010 11:16:22 AM
Total Posts 18439

Re: Should I change the machinekey?

Yes, definitely you should, but see this document, because if you are using encrypted or hashed passwords it will lock you out if you change it.

http://www.mojoportal.com/use-a-custom-machine-key.aspx

In any case it will log you out when you change it, but you won't be able to get in again if your password was encrypted with the default key.

9/18/2010 11:40:49 AM
Total Posts 251

Re: Should I change the machinekey?

Awesome, that means that I cannot change the machinekey, as my passwords are hashed.

The funny story is that I have many "userless" installations with a unique machinekey, except the biggest one, which has the default one.

I have to find a funny way to explain to my users that, through my fault, they have to recover their password using the secret question....

9/18/2010 11:45:23 AM
Total Posts 18439

Re: Should I change the machinekey?

I'm not 100% sure whether hashed uses the machine key or not. Maybe try it on a copy and see what happens if you leave it as hashed and change the machine key, then change back if it doesn't work. Let me know whether it does or not, so I can know for sure.

Note that it will log out everyone when you change the machine key.

9/18/2010 11:50:39 AM
Total Posts 18439

Re: Should I change the machinekey?

The other thing you could do, if you do it on a copy first and not the live site: after you change it to clear text, you could back up that data and extract what you need for a mail merge, and tell the users that a security upgrade required resetting their passwords. You could include the new clear-text password in the email and ask them to log in and change it to something personal rather than system generated.

Then go on with changing back to hashed; the passwords that you now have in the backup will still be clear text.

9/18/2010 2:38:47 PM
Total Posts 251

Re: Should I change the machinekey?

Is it possible to put the machinekey in user.config for easier upgrades?

I am trying, and I get an error 500 telling me that the element is not recognized.

I tried to put the machinekey inside <system.web></system.web>, but still no luck.

9/18/2010 2:58:47 PM
Total Posts 251

Re: Should I change the machinekey?

What about those who signed up with OpenID? The password won't change for them, but converting from hashed to clear text will give a random password to them as well.

Will it be a problem?

9/18/2010 5:19:45 PM
Total Posts 251

Re: Should I change the machinekey?

I solved it by sending an automated email to all my users with this buggy code; anyone can copy and use it:

(be careful, this code is dangerous)

using System;
using System.Net.Mail;
using MySql.Data.MySqlClient;

protected void Page_Load(object sender, EventArgs e)
{
    // Connection to the mojoPortal database (credentials redacted).
    MySqlConnection stringaconnessionemysql = new MySqlConnection(
        "server=localhost; user id=****; password=***; database=mojo; pooling=false;");
    // Only users who did not register via OpenID get a mail.
    String strSQLliv = "SELECT `Name`,`Email`,`Pwd` FROM `mp_users` WHERE `OpenIDURI`= ''";
    string[,] strClientData = new String[3000, 3];
    MySqlCommand dbcClientData = stringaconnessionemysql.CreateCommand();
    dbcClientData.CommandText = strSQLliv;
    stringaconnessionemysql.Open();

    // One SMTP client for the whole run (the original created one per user).
    SmtpClient client = new SmtpClient();
    client.DeliveryMethod = SmtpDeliveryMethod.Network;
    client.EnableSsl = true;
    client.Host = "smtp.gmail.com";
    client.Port = 587;
    // setup Smtp authentication
    System.Net.NetworkCredential credentials =
        new System.Net.NetworkCredential("****", "****");
    client.UseDefaultCredentials = false;
    client.Credentials = credentials;

    // execute the reader, thus retrieving the data
    MySqlDataReader dbrClientData = dbcClientData.ExecuteReader();
    if (dbrClientData.HasRows)
    {
        int i = 0;
        while (dbrClientData.Read())
        {
            strClientData[i, 0] = dbrClientData.GetString(0);
            strClientData[i, 1] = dbrClientData.GetString(1);
            strClientData[i, 2] = dbrClientData.GetString(2);

            MailMessage msg = new MailMessage();
            msg.From = new MailAddress("*****");
            // The original passed the literal text "strClientData[i,1]" as the address; use the value.
            msg.To.Add(new MailAddress(strClientData[i, 1]));
            msg.Subject = "your subject";
            msg.IsBodyHtml = true;
            // The clear-text password read from the DB is sent by e-mail: this is the dangerous part.
            msg.Body = "<html><head></head><body>hello, <b>" + strClientData[i, 0]
                + "</b>, your new password is: " + strClientData[i, 2] + "</body></html>";
            client.Send(msg);
            i++;
        }
    }
    dbrClientData.Close();
    stringaconnessionemysql.Close();
}

9/18/2010 5:25:40 PM
Total Posts 18439

Re: Should I change the machinekey?

Unfortunately, the only thing user.config can override is the <appSettings> section.

In fact, you can see how it works if you look at Web.config:

<appSettings file="user.config">

So user.config is an arbitrary name; you could save it as somethinghardertoguess.config and then change the setting in Web.config to point to your custom file. Actually a good idea from a security perspective, but one more thing to maintain.

Unfortunately, a custom machine key is also something one has to maintain in Web.config over upgrades.

Yes, there is a little good news for users who registered through RPX. mojoPortal does create an internal random password for those users, but they don't need it, since they authenticate against the RPX OpenID service. They "could" use that password if they knew about it and log in directly, but typically they don't know that and only log in via RPX, so they are much less likely to notice anything about the change to the machine key, other than that they will have to log in again because their cookie will not be valid after changing the machine key.

Best,

Joe

9/21/2010 7:03:09 AM
Total Posts 18439

Re: Should I change the machinekey?

FYI, I've been told by someone who tried it that changing the machine key works OK with hashed passwords, so you only need to decrypt before changing it if you are using encrypted passwords.

Best,

Joe
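To make concrete why the key change logs everyone out while hashed passwords keep working (and why encrypted ones would not), here is an added example; it is my own illustration, not mojoPortal or ASP.NET code. It models the forms-authentication cookie in simplified form as a payload plus an HMAC under the validationKey (real tickets are also encrypted), and the stored password in the style of the ASP.NET SqlMembershipProvider "Hashed" format (SHA1 over salt followed by the UTF-16LE password, base64 encoded), which I assume is what mojoPortal's hashed mode amounts to. The key values, user name and password are constructed for the demo.

```python
"""Effect of rotating the machineKey on auth cookies vs. hashed passwords.

Added example, not mojoPortal code. The ticket is a simplified stand-in for a
forms-authentication cookie (payload + HMAC under validationKey). The password
hash mirrors the ASP.NET SqlMembershipProvider 'Hashed' scheme as assumed here:
base64(SHA1(salt || UTF-16LE(password))). No machine key is involved in it.
"""
import base64
import hashlib
import hmac
import secrets

# Constructed keys: the shared/default key being replaced, and a fresh custom one.
OLD_VALIDATION_KEY = bytes.fromhex("00" * 64)
NEW_VALIDATION_KEY = secrets.token_bytes(64)


def hash_password(password: str, salt_b64: str) -> str:
    """Membership-style hash: SHA1 over salt bytes followed by UTF-16LE password."""
    salt = base64.b64decode(salt_b64)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode()


def verify_password(password: str, salt_b64: str, stored_hash: str) -> bool:
    """Constant-time comparison; nothing here depends on the machineKey."""
    return hmac.compare_digest(hash_password(password, salt_b64), stored_hash)


def issue_ticket(username: str, validation_key: bytes) -> str:
    """Sign the cookie payload with the validationKey (simplified forms-auth ticket)."""
    payload = base64.b64encode(username.encode()).decode()
    mac = hmac.new(validation_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def validate_ticket(ticket: str, validation_key: bytes):
    """Return the user name if the MAC verifies under this key, else None."""
    try:
        payload, mac = ticket.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(validation_key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return base64.b64decode(payload).decode()


def rotation_effect() -> dict:
    """Issue a cookie under the old key, rotate, and see what still works."""
    salt = base64.b64encode(secrets.token_bytes(16)).decode()
    stored = hash_password("correct horse", salt)        # constructed user password
    ticket = issue_ticket("alice", OLD_VALIDATION_KEY)   # constructed session cookie
    return {
        # everyone's existing cookie is rejected under the new key -> forced logout
        "ticket_valid_before": validate_ticket(ticket, OLD_VALIDATION_KEY) == "alice",
        "ticket_valid_after": validate_ticket(ticket, NEW_VALIDATION_KEY) == "alice",
        # the salted hash never used the key, so the password still verifies
        "password_valid_after": verify_password("correct horse", salt, stored),
    }


if __name__ == "__main__":
    print(rotation_effect())
```

An encrypted-password store is the case this does not cover: there the stored value can only be turned back into the password with the decryptionKey that produced it, which is exactly why the thread says to convert to clear text (or hashed) before rotating and only then switch back.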

9/21/2010 4:43:03 PM
Total Posts 251

Re: Should I change the machinekey?

I can confirm that too. Sad.

9/23/2010 3:43:33 AM
Total Posts 16

Re: Should I change the machinekey?

Hi

Just a little thought I had about generating a new machineKey: maybe I do not want to use an online generator, even if I trust the website.

I found several Microsoft sites with console app code using RNGCryptoServiceProvider to generate the keys locally.

I also found this link:

http://blogs.msdn.com/b/vijaysk/archive/2009/05/13/iis-7-tip-10-you-can-generate-machine-keys-from-the-iis-manager.aspx

Best regards

Peter
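The same thing Peter describes, generating the key material locally from a CSPRNG instead of pasting from a website, as an added example in Python rather than the C# console apps he mentions; this is my own code, not mojoPortal's, and the algorithm names and byte lengths (64 bytes for an HMACSHA256 or SHA1 validationKey, 32 bytes for an AES-256 decryptionKey) are the ASP.NET conventions I am assuming. The output is the element to paste into <system.web> in Web.config; per Joe's reply above, user.config cannot carry it.

```python
"""Generate an ASP.NET <machineKey> element locally, no online generator involved.

Added example, not mojoPortal code. Key sizes assumed from ASP.NET conventions:
validationKey 64 bytes (128 hex chars, fine for HMACSHA256 and SHA1),
decryptionKey 32 bytes (64 hex chars, i.e. AES-256).
"""
import re
import secrets

VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32


def random_hex_key(num_bytes: int) -> str:
    """CSPRNG bytes as upper-case hex, the encoding <machineKey> expects."""
    return secrets.token_bytes(num_bytes).hex().upper()


def machine_key_element(validation_key: str, decryption_key: str,
                        validation: str = "HMACSHA256", decryption: str = "AES") -> str:
    """Render the element; name the algorithms explicitly rather than relying on defaults."""
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            f'validation="{validation}" decryption="{decryption}" />')


def generate_machine_key() -> str:
    """A fresh element with independent validation and decryption keys."""
    return machine_key_element(random_hex_key(VALIDATION_KEY_BYTES),
                               random_hex_key(DECRYPTION_KEY_BYTES))


def is_well_formed(element: str) -> bool:
    """Sanity check before pasting: both keys present, hex only, expected lengths.
    The 'AutoGenerate,IsolateApps' default fails this check on purpose, since an
    auto-generated key is per machine and per app pool, which is what the
    custom key is meant to replace."""
    m = re.search(r'validationKey="([0-9A-F]+)"\s+decryptionKey="([0-9A-F]+)"', element)
    if not m:
        return False
    vk, dk = m.groups()
    return len(vk) == 2 * VALIDATION_KEY_BYTES and len(dk) == 2 * DECRYPTION_KEY_BYTES


if __name__ == "__main__":
    # Remember the thread's caveats: all sessions are invalidated when this goes
    # live, and encrypted (not hashed) passwords must be converted beforehand.
    element = generate_machine_key()
    assert is_well_formed(element)
    print(element)
```

Run it once, paste the printed line inside <system.web> of the live Web.config, and keep the element somewhere you will find it again at the next upgrade, since as Joe notes it is a setting that has to survive every Web.config replacement.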

9/23/2010 7:41:33 AM
Total Posts 18439

Re: Should I change the machinekey?

Hi Peter,

Good tips! I've updated the document http://www.mojoportal.com/use-a-custom-machine-key.aspx with additional links.

Thanks,

Joe

6/22/2011 6:34:27 AM
Total Posts 31

How to change the machine key in mojoPortal

Confirming Joe's words, I can describe how I did it:

  1. Log in to the Admin Panel and change the setting to "Clear text in DB".
  2. Go to Host and do a DB backup.
  3. Update your website with the old mojoPortal machine key.
  4. Log in to your website, go to the Admin panel, generate and change the Machine Key.
  5. The website automatically logs you out.
  6. Log in again and change the setting to "Your Security Settings (Decrypted or Hashed)".

That I did with a website from mojoPortal version 2.3.4.4 up to the latest 2.3.6.6.

All is still working, and users still log in with their default data.
