I'm just learning web security and so this might be a naive question:
I'm looking here:
http://msdn.microsoft.com/library/de...plications.asp
and see validationKey and decryptionKey in their example. Do those keys encrypt and
decrypt cookies that get sent to browsers?
Can one make up one's own keys or does one have to buy them? If one has to buy them
then from where and at what cost?
Also, I thought I understood the basics of XML but this bit is confusing:
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation algorithm must also
be the same. -->
<machineKey>
validationKey=
"C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572 A487D9401E3400267682B202B746511891C1BAF47F8D25C07F 6C39A104696DB51F17C529AD3CABE"
decryptionKey= "8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B 72F"
validation="SHA1"
isolateApplications="false"
</machineKey>
Note that the validationKey, decryptionKey, validation, and isolateApplications are
not attributes of machineKey since they do not occur before the greater than sign.
Also, they are not in their own separate elements. So do they get parsed out?