Don’t forget to set a machine key

When deploying Sitecore, especially if you’ve got multiple Content Delivery servers, don’t forget to set a <MachineKey> in your web.config file.

The MachineKey is used to encrypt and secure the page’s ViewState. By default, the .NET framework uses that machine’s own MachineKey, but should your view state get sent to another content delivery server with a different key, well, then the ViewState will be invalid. That’s something of a problem. 

To some degree, this problem can be hidden by using Session Affinity (a.k.a. Sticky Sessions), which is probably a good configuration anyway. In this case the load balancer tries to route all traffic for a particular user session to a specific content delivery server.

However, failures can happen, and in that case your user traffic could end up being routed to another content delivery server – and then the ViewState would be invalid again.

The good news is that if we set a specific MachineKey for our web application, and use that on all our servers, well, the ViewState would still be valid, even though it’s a different server handling it.

Do note that you could have other problems depending upon the Session State configuration of your servers.

To set a machine key, add a MachineKey element inside System.Web in your web.config file:

<machineKey validationKey="21F090...snip...F0A281B"  decryptionKey="ABAA84...snip...743719F" validation="SHA1" decryption="AES" />

Note that for more recent versions of .NET there are better choices of validation and decryption algorithms than earlier forms. In .NET 4.0 the defaults are HMACSHA256 and AES, which are good choices.

Added bonus – how to generate a MachineKey.

Don’t forget to set a machine key

One thought on “Don’t forget to set a machine key

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.