Generating a New Cookie Encryption Key

The CS Authentication resource uses an encryption key for encrypting and decrypting cookie data. By default, when you unpack a site, the encryption key in the package is used. The encryption key is stored in the AuthSetup.ini file in the package. If no key exists, a new key is generated by Commerce Server Site Packager, using AuthManager.GenerateEncryptionKey().

Each time you unpack a site, a new encryption key is created. If you package your own encryption key with the CS Authentication resource, then you will have the same key every time you unpack that custom package. If you want a new or separate key each time you unpack that site, after you unpack the site you must use the Generate New Encryption Key button in Commerce Server Manager.

Do not change the encryption key while a site is active. If you update an encryption key while a site is active, existing MSCSAuth tickets are no longer valid and users must log on again. A ticket that is encrypted with one key can be decrypted only with the same key.

Commerce Server 2000 did not support decrypting persistent cookies after the encryption keys, which encrypt and decrypt tickets, were changed. Use the GetUserIDFromCookieAndKey method to decrypt tickets that were encrypted in Commerce Server 2000. You can customize your site to issue a new ticket while retaining the information from the old ticket.


  • Before you update an existing encryption key, it is recommended that you store the existing encryption keys where your application can retrieve them. Commerce Server does not create a backup for you. Back up the key to a secure location, preferably one that users cannot access.

Your application can use these old encryption keys at a later time to decrypt tickets that were encrypted with the old key. The manner in which this is done is determined by the application. However, only the user ID can be obtained from an old ticket; all custom properties are lost.
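The fallback described above, as an added example that is not Commerce Server code: a ticket that fails under the current key is tried against the retired keys, and on a match only the user ID is carried into a replacement ticket. HMAC-SHA256 tagging stands in for the ticket encryption, which this page does not describe; the function names and ticket layout are assumptions.

```python
import base64
import hashlib
import hmac
import json

def seal(key: bytes, user_id: str, props: dict) -> str:
    """Build a ticket: base64(JSON payload) + "." + hex HMAC tag under key."""
    body = base64.urlsafe_b64encode(
        json.dumps({"uid": user_id, "props": props}, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def _open(key: bytes, ticket: str):
    """Return the payload dict if the ticket verifies under key, else None."""
    body, _, tag = ticket.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes; the body is parsed only after it verifies.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def accept(ticket: str, current_key: bytes, retired_keys: list):
    """Return (user_id, props, replacement_ticket_or_None).

    A ticket under the current key is accepted unchanged. A ticket under a
    retired key yields the user ID only: custom properties are dropped and a
    replacement ticket is issued under the current key. A ticket that fits
    no known key is rejected, so the user has to log on again.
    """
    payload = _open(current_key, ticket)
    if payload is not None:
        return payload["uid"], payload["props"], None
    for old_key in retired_keys:
        payload = _open(old_key, ticket)
        if payload is not None:
            uid = payload["uid"]
            return uid, {}, seal(current_key, uid, {})
    raise ValueError("ticket not valid under any known key")

if __name__ == "__main__":
    # Constructed sample keys and ticket, for illustration only.
    old_key, new_key = b"\x01" * 32, b"\x02" * 32
    stale = seal(old_key, "user-42", {"cart": "abc"})
    print(accept(stale, new_key, [old_key]))
```

The retired-key list is the backup the note above asks you to keep; removing a key from it ends acceptance of tickets issued under that key.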

To generate a new encryption key


  1. Expand Commerce Server Manager, expand Commerce Sites, and then click the site you want to administer.

  2. Expand Applications, right-click the application you want to configure, and then click Properties.

  3. At the bottom of the dialog box, click Generate New Encryption Key.

  4. At the confirmation dialog box, click OK.

  5. Restart IIS.

    For information about restarting IIS, see Restarting IIS and Commerce Server Services.

See Also



Rolling Key Encryption for Authentication Tickets

Restarting IIS and Commerce Server Services

Copyright © 2005 Microsoft Corporation.
All rights reserved.