Machine Key
The <machineKey> element is used to specify encryption keys, validation keys, and algorithms that are used to protect Forms authentication cookies and page-level view state. The following code sample shows the default setting from Machine.config:

  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>

Consider the following recommendations when you configure the <machineKey> element:

  • Use unique encryption keys with multiple applications

  • Set validation="SHA1"

  • Generate keys manually for Web farms

Use Unique Encryption Keys with Multiple Applications

If you host multiple applications on a single Web server, use unique keys for each application on the machine instead of using a single key across all applications. This prevents one application from spoofing the view state or encrypted Forms authentication cookies of another application in hosting environments.

Also use the IsolateApps setting. This is a new .NET Framework version 1.1 setting that instructs ASP.NET to automatically generate encryption keys and to make them unique for each application.

Set validation="SHA1"

The validation attribute specifies the algorithm used to integrity check page-level view state. Possible values are "SHA1", "MD5", and "3DES".

If you used protection="All" on the <forms> element, then the Forms authentication cookie is encrypted, which also ensures integrity. Regardless of the validation attribute setting, Forms authentication uses TripleDES (3DES) to encrypt the cookie.

Note  

Forms authentication cookie encryption is independent of the validationKey setting; the encryption key is based on the decryptionKey attribute.

If you set validation="SHA1" on the <machineKey> element, then page-level view state is integrity checked using the SHA1 algorithm, assuming that the <pages> element is configured for view state MACs. For more information, see "View State" earlier in this chapter.

You can also set the validation attribute to MD5, but you should use SHA1 because it produces a larger hash than MD5 and is therefore considered more secure.

If you set validation="3DES" on the <machineKey> element, then page-level view state is encrypted (which also provides integrity checking) using the 3DES algorithm, even if the <pages> element is configured for view state MACs.

Generate Keys Manually For Web Farms

In Web farms, you must set explicit key values and use the same ones across all machines in the Web farm. See "Web Farm Considerations" later in this chapter.
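As an added example (not code from the book), the following Python script generates an explicit <machineKey> element for a Web farm and audits an existing element against the recommendations in this section (unique keys via IsolateApps, validation="SHA1", explicit keys across a farm). The accepted key lengths it checks, 40 to 128 hex characters for a SHA1 validationKey and 48 for a 3DES decryptionKey, are taken from the ASP.NET 1.x documentation rather than from this page and are assumptions of the example.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Key lengths, in hexadecimal characters, that ASP.NET accepts for the
# algorithms this section names (assumed from the ASP.NET 1.x docs): a SHA1
# validationKey of 40..128 hex chars and a 3DES decryptionKey of exactly 48.
VALIDATION_HEX_RANGE = (40, 128)
DECRYPTION_3DES_HEX = 48
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# The default element quoted from Machine.config at the top of this section.
DEFAULT_MACHINE_KEY = ('<machineKey validationKey="AutoGenerate,IsolateApps" '
                       'decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>')


def generate_machine_key() -> str:
    """Build a <machineKey> with explicit keys to place in every Web.config of
    a farm: a 64-byte SHA1 validation key and a 24-byte 3DES decryption key."""
    validation_key = secrets.token_hex(64).upper()  # 128 hex chars
    decryption_key = secrets.token_hex(24).upper()  # 48 hex chars
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" validation="SHA1"/>')


def audit_machine_key(element_xml: str, web_farm: bool) -> list:
    """Check one <machineKey> element against this section's recommendations
    and return the findings; an empty list means it complies."""
    el = ET.fromstring(element_xml)
    findings = []
    checks = (  # absent attributes fall back to the Machine.config defaults above
        ("validationKey", el.get("validationKey", "AutoGenerate,IsolateApps"),
         *VALIDATION_HEX_RANGE, "40-128 hex chars for SHA1"),
        ("decryptionKey", el.get("decryptionKey", "AutoGenerate,IsolateApps"),
         DECRYPTION_3DES_HEX, DECRYPTION_3DES_HEX, "48 hex chars for 3DES"),
    )
    for name, value, low, high, needed in checks:
        if value.startswith("AutoGenerate"):
            if web_farm:  # each farm member would derive its own key
                findings.append(f"{name}: AutoGenerate differs per farm member; "
                                "set one explicit value on every machine")
            elif "IsolateApps" not in value:  # one key for all apps on the box
                findings.append(f"{name}: AutoGenerate without IsolateApps shares "
                                "a single key across all applications")
        elif not HEX_RE.match(value):
            findings.append(f"{name}: explicit keys must be hexadecimal")
        elif not low <= len(value) <= high:
            findings.append(f"{name}: {len(value)} hex chars; need {needed}")
    if el.get("validation", "SHA1") == "MD5":
        findings.append("validation: MD5 yields a shorter hash than SHA1; use SHA1")
    return findings
```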

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
