
MachineKeySection.CompatibilityMode Property

Gets or sets a value that specifies whether upgraded encryption methods for view state that were introduced after the .NET Framework version 2.0 Service Pack 1 release are used.

Namespace:  System.Web.Configuration
Assembly:  System.Web (in System.Web.dll)

[ConfigurationPropertyAttribute("compatibilityMode", DefaultValue = MachineKeyCompatibilityMode.Framework20SP1)]
public MachineKeyCompatibilityMode CompatibilityMode { get; set; }

Property Value

Type: System.Web.Configuration.MachineKeyCompatibilityMode
A value that indicates whether encryption methods that were introduced after the .NET Framework 2.0 SP1 release are used.

The upgraded encryption methods in later versions of the .NET Framework reduce the risk that an attacker can successfully reverse-engineer the DecryptionKey value. The older encryption methods are available in order to maintain backward compatibility.

All servers in a Web farm should have the CompatibilityMode property set to the same value. If the server that reads a forms authentication ticket has a different CompatibilityMode setting than the server that created the ticket, the ticket won't be recognized.

The following values can be specified for the CompatibilityMode property:

  • Framework20SP1. This value specifies that ASP.NET uses encryption methods that were available in versions of ASP.NET earlier than 2.0 SP2. Use this value for all servers in a web farm if any server has a version of the .NET Framework earlier than 2.0 SP2. This is the default value unless the application Web.config file has the targetFramework attribute of the httpRuntime element set to "4.5".

  • Framework20SP2. This value specifies that ASP.NET uses upgraded encryption methods that were introduced in the .NET Framework 2.0 SP2. Use this value for all servers in a web farm if all servers have the .NET Framework 2.0 SP2 or later but at least one does not have the .NET Framework 4.5.

  • Framework45. Cryptographic enhancements for ASP.NET 4.5 are in effect. This is the default value if the application Web.config file has the targetFramework attribute of the httpRuntime element set to "4.5".

When this property is set to Framework45, the following restrictions are in effect:

  • If the DataProtectorType property has a value, the ApplicationName property must also have a value. The DataProtector class mandates that a non-empty application name be provided.

  • The Validation attribute must be an actual validation algorithm (for example, MD5, SHA1, HMACSHA256, HMACSHA384, HMACSHA512) or a custom algorithm that subclasses the KeyedHashAlgorithm type. The values AES and 3DES are forbidden.

  • The framework will not produce signed-only payloads. Forms authentication tickets will always be both encrypted and signed, regardless of how the protection attribute of the forms element is set in the Web.config file. View state will always be both encrypted and signed if either EnableViewStateMac or RequireViewStateEncryption is set for a given page.
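The web farm consistency requirement and the Framework45 restrictions above can be checked before deployment. The following Python script is an added example, not part of the original documentation: it reads each server's Web.config, derives the effective compatibilityMode using the default rule stated on this page, and reports mismatches and forbidden settings. The server names, sample files and the Example.Protector type name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FORBIDDEN_VALIDATION = {"AES", "3DES"}  # forbidden under Framework45, per the page

def effective_mode(web_config_xml):
    """Return (effective compatibilityMode, machineKey attributes) for one Web.config."""
    system_web = ET.fromstring(web_config_xml).find("system.web")
    mk = system_web.find("machineKey") if system_web is not None else None
    rt = system_web.find("httpRuntime") if system_web is not None else None
    attrs = dict(mk.attrib) if mk is not None else {}
    mode = attrs.get("compatibilityMode")
    if mode is None:
        # Default rule as the page states it: Framework45 when httpRuntime
        # targetFramework is "4.5", otherwise Framework20SP1.
        target = rt.get("targetFramework") if rt is not None else None
        mode = "Framework45" if target == "4.5" else "Framework20SP1"
    return mode, attrs

def audit_farm(configs):
    """configs maps server name -> Web.config text. Returns (modes, findings)."""
    modes, findings = {}, []
    for server, xml_text in sorted(configs.items()):
        mode, attrs = effective_mode(xml_text)
        modes[server] = mode
        if mode != "Framework45":
            continue  # the restrictions below apply only to Framework45
        if attrs.get("validation", "").upper() in FORBIDDEN_VALIDATION:
            findings.append((server, "validation names an encryption algorithm"))
        if attrs.get("dataProtectorType") and not attrs.get("applicationName"):
            findings.append((server, "dataProtectorType set without applicationName"))
    if len(set(modes.values())) > 1:
        findings.append(("farm", "compatibilityMode differs between servers"))
    return modes, findings

# Constructed sample files (keys omitted; Example.Protector is a made-up type name).
SAMPLE_FARM = {
    "web01": '<configuration><system.web><httpRuntime targetFramework="4.5"/>'
             '<machineKey validation="HMACSHA256"/></system.web></configuration>',
    "web02": '<configuration><system.web><machineKey validation="SHA1"/>'
             '</system.web></configuration>',
    "web03": '<configuration><system.web><machineKey compatibilityMode="Framework45" '
             'validation="AES" dataProtectorType="Example.Protector"/>'
             '</system.web></configuration>',
}

if __name__ == "__main__":
    modes, findings = audit_farm(SAMPLE_FARM)
    print(modes)
    for where, problem in findings:
        print(where, "-", problem)
```

In the sample farm, web02 falls back to Framework20SP1 because it sets neither compatibilityMode nor targetFramework, so tickets issued by web01 or web03 would not be recognized there.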

As a result of the security update that is described in Microsoft security bulletin MS10-070, the default encryption behavior is the same for the Framework20SP1 and Framework20SP2 settings. Changing the default behavior is not recommended, but if you want to do that, see How to configure legacy encryption mode in ASP.NET.

.NET Framework

Supported in: 4.5.2, 4.5.1, 4.5, 4, 3.5 SP1, 3.0 SP2, 2.0 SP2

Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

© 2014 Microsoft