About the Talk
July 18, 2012 12:30 PM
ASP.NET forms auth is subtly broken in a way that can cause problems for applications in general and in particular for ones running on multiple machines in load-balanced setups and web farms such as the one found on AppHarbor's cloud platform. These problems include:
- machineKeys are regenerated on app-pool recycles, invalidating sessions
- machineKeys have to be the same for sessions to work across multiple web workers
- Session-cookie encryption changes surprisingly often with updates from Microsoft, causing sessions to become invalid
In this talk we'll explore these problems in greater detail and then go on to demo how to implement your own session management that is secure and durable.
[The first part of the talk is loosely based on this blog post: http://blog.appharbor.com/2012/02/22/asp-net-forms-authentication-considered-broken]
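As an added example (not from the talk, the blog post or AppHarbor), a small Python script that addresses the first two problems above from the operator's side: it emits an explicit `<machineKey>` element to copy into every worker's web.config, flags configs that still rely on the `AutoGenerate` default, and checks that a set of configs all carry the same keys. The key sizes (64-byte HMACSHA256 validation key, 32-byte AES decryption key) are assumptions that follow from the algorithms written into the element; the sample config is constructed.

```python
import re
import secrets
import xml.etree.ElementTree as ET

VALIDATION_KEY_BYTES = 64   # HMACSHA256 validationKey (assumed algorithm)
DECRYPTION_KEY_BYTES = 32   # AES-256 decryptionKey (assumed algorithm)

def generate_machine_key() -> dict:
    """Fresh explicit keys; deploy the SAME values to every worker in the farm."""
    return {"validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
            "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
            "validation": "HMACSHA256", "decryption": "AES"}

def render_machine_key(attrs: dict) -> str:
    """Serialize the element that belongs under <system.web> in web.config."""
    return ET.tostring(ET.Element("machineKey", attrs), encoding="unicode")

def _machine_key(xml_text: str):
    return next(ET.fromstring(xml_text).iter("machineKey"), None)

def check_web_config(xml_text: str) -> list:
    """Findings for one web.config: missing element, AutoGenerate, or bad hex."""
    mk = _machine_key(xml_text)
    if mk is None:
        return ["no <machineKey>: keys are auto-generated per worker and per recycle"]
    findings = []
    for name, size in (("validationKey", VALIDATION_KEY_BYTES),
                       ("decryptionKey", DECRYPTION_KEY_BYTES)):
        value = mk.get(name, "")
        if "AutoGenerate" in value:
            findings.append(f"{name} is {value}: regenerated on app-pool recycle")
            continue
        hexpart = value.split(",")[0]   # a trailing ",IsolateApps" modifier is allowed
        if not re.fullmatch(r"[0-9A-Fa-f]+", hexpart) or len(hexpart) != size * 2:
            findings.append(f"{name} is not {size} bytes of hex")
    return findings

def keys_match(configs: list) -> bool:
    """True when every worker's web.config carries identical explicit keys."""
    seen = set()
    for text in configs:
        mk = _machine_key(text)
        if mk is None:
            return False
        seen.add((mk.get("validationKey"), mk.get("decryptionKey")))
    return len(seen) == 1

# Constructed sample: the default shape that breaks sessions across a web farm.
AUTO_CONFIG = ("<configuration><system.web><machineKey "
               "validationKey='AutoGenerate,IsolateApps' "
               "decryptionKey='AutoGenerate,IsolateApps'/></system.web></configuration>")
```

`check_web_config(AUTO_CONFIG)` returns one finding per auto-generated key; `render_machine_key(generate_machine_key())` produces the element to place under `<system.web>` on every worker.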