nwebsec

What are the rules for NWebSec.SessionSecurity authenticationKey attribute?


Specifically, the one indicated below:

  <nwebsec>
    <sessionSecurity xmlns="http://nwebsec.com/SessionSecurityConfig.xsd"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:noNamespaceSchemaLocation="NWebsecConfig/SessionSecurityConfig.xsd">
      <sessionIDAuthentication enabled="true"
                               useMachineKey="false"
 ----------------------->      authenticationKey="64char hex string here"/>
    </sessionSecurity>
  </nwebsec>

My questions are:


Solution

  • The authenticationKey is an alternative to using the machineKey, and should be treated similarly. I.e. you should use different keys for different environments, and you should also keep the key secret.

    If you've configured the machineKey for your application, it's recommended to just use that. The authenticationKey was added to support scenarios where the machineKey couldn't be read from config.
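An added illustration, not code from the question, the answer, or the NWebsec project: a Python sketch of why the two rules in the answer (one key per environment, key kept secret) matter for a session-ID authentication key. It assumes the 64-character hex string encodes a 32-byte key and uses HMAC-SHA256 over the session ID as a stand-in for NWebsec's internal scheme, whose actual algorithm is not described on the page.

```python
import hashlib
import hmac
import re
import secrets

# Assumption (not stated on the page): "64char hex string" means 32 random bytes, hex-encoded.
HEX_KEY_RE = re.compile(r"[0-9a-fA-F]{64}")


def generate_authentication_key() -> str:
    """Generate a fresh 64-hex-character key (32 bytes) from the OS CSPRNG.

    Run this once per environment; never copy one environment's key into another."""
    return secrets.token_hex(32)


def is_valid_authentication_key(key: str) -> bool:
    """Format check only: exactly 64 hex characters. Says nothing about secrecy or reuse."""
    return HEX_KEY_RE.fullmatch(key) is not None


def _mac(session_id: str, key_hex: str) -> str:
    # Illustrative keyed MAC over the session identifier (hypothetical scheme, not NWebsec's).
    return hmac.new(bytes.fromhex(key_hex), session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_session_id(session_id: str, key_hex: str) -> str:
    """Bind a session ID to the configured key: '<session_id>.<hmac>'."""
    if not is_valid_authentication_key(key_hex):
        raise ValueError("authenticationKey must be 64 hex characters")
    return f"{session_id}.{_mac(session_id, key_hex)}"


def verify_session_id(token: str, key_hex: str):
    """Return the session ID if the MAC verifies under key_hex, otherwise None.

    Constant-time comparison avoids leaking how much of the MAC matched."""
    if not is_valid_authentication_key(key_hex) or "." not in token:
        return None
    session_id, mac = token.rsplit(".", 1)
    if hmac.compare_digest(mac, _mac(session_id, key_hex)):
        return session_id
    return None


def demo() -> dict:
    """Show the consequences of the answer's two rules with constructed keys."""
    staging_key = generate_authentication_key()     # constructed: staging environment's key
    production_key = generate_authentication_key()  # constructed: production environment's key
    token = sign_session_id("abc123", staging_key)
    session_id, mac = token.rsplit(".", 1)
    tampered = f"abc124.{mac}"  # same MAC, different session ID
    return {
        # The environment that issued the token accepts it.
        "staging_accepts": verify_session_id(token, staging_key) == "abc123",
        # A separate key per environment: a staging token is worthless against production.
        "production_rejects": verify_session_id(token, production_key) is None,
        # Without the key, nobody can forge a MAC for a changed session ID.
        "tampered_rejects": verify_session_id(tampered, staging_key) is None,
    }


if __name__ == "__main__":
    print("Example authenticationKey:", generate_authentication_key())
    print(demo())
```

If the same key were pasted into every environment's config, the `production_rejects` case would turn true-to-false: a session token minted in a lower-trust environment would authenticate in production, which is exactly the sharing the answer warns against.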