It's a good point that we probably shouldn't seed the values just to avoid someone from accidentally using "deadbeefdeadbeef" in their production environment. I'll also investigate if we can reuse the transformation instances (and make the change if we can).
We didn't use the machine key as we'd have to pick one of two paths: 1) Using the [`System.Web.Security.MachineKey`](http://msdn.microsoft.com/en-us/library/system.web.security....) class to perform the encryption would probably leave us with the same issue we wanted to resolve (the class only exposes methods for encryption, not the key itself). 2) Parsing the configuration file manually is error-prone and makes us rely on the current format (and while it's unlikely to change given Microsoft's dedication to backward compatibility, it's an unnecessary dependency for an independent solution).
Our code serves as an example and while some will probably copy the code right into their solution, I expect most people will adapt it to suit their needs*. [Poul-Henning Kamp](http://phk.freebsd.dk/sagas/md5crypt_eol.html) recently wrote "Please notice that there is _no_ advantage in everybody in the world using the exact same algorithm, quite the contrary in fact." (relating to the application of well-known encryption algorithms, not designing such algorithms). We believe it's beneficial to share a solution that people can build and improve on. If nothing else, using different solutions prevent a single attack from affecting us all.
Thanks for the explanation! I'm usually pretty sceptical when people step outside the stuff provided by whatever framework they're building on (something which devs at my workplace are always a little keen to do, which occasionally winds up in terms of things that need to be refactored/rewritten a few months down the track in a more standard way to integrate with some other component or whatnot) - so it's a bit of a compulsive habit to try to pick apart why the framework wasn't suitable. For MVC auth tokens though it seems to be a necessary thing to actually get a straightforward and neat solution.
It is a really nice solution, and I'm glad that you guys have pointed out that there's a problem and actually done something about it ("hey, just set the aspnet:UseLegacyEncryption / some other undocumented appsetting" isn't a legit solution), and further than that, opened it up (though it all seems to have disappeared now).
We wound up just more tightly controlling updates (and were fortunate to be in a position that this was a solution/the problem wasn't that major), but the backup was to serve auth cookies unencrypted and add/remove the encryption via a httpmodule - after all, it isn't forms authentication that was really 'broken' IMO, it was that Microsoft kept changing the implementation of encryption all the time. I get the impression that this could be a cleaner solution for asp.net, but definitely isn't for MVC - the next time we have to share auth tokens across multiple MVC apps / multiple instances that we don't control updates on, I'll be sure to pick up your code and run with it, so thanks.
We didn't use the machine key as we'd have to pick one of two paths: 1) Using the [`System.Web.Security.MachineKey`](http://msdn.microsoft.com/en-us/library/system.web.security....) class to perform the encryption would probably leave us with the same issue we wanted to resolve (the class only exposes methods for encryption, not the key itself). 2) Parsing the configuration file manually is error-prone and makes us rely on the current format (and while it's unlikely to change given Microsoft's dedication to backward compatibility, it's an unnecessary dependency for an independent solution).
Our code serves as an example and while some will probably copy the code right into their solution, I expect most people will adapt it to suit their needs*. [Poul-Henning Kamp](http://phk.freebsd.dk/sagas/md5crypt_eol.html) recently wrote "Please notice that there is _no_ advantage in everybody in the world using the exact same algorithm, quite the contrary in fact." (relating to the application of well-known encryption algorithms, not designing such algorithms). We believe it's beneficial to share a solution that people can build and improve on. If nothing else, using different solutions prevent a single attack from affecting us all.