
I'm writing a custom implementation of SessionSecurityTokenCache and I'm somewhat confused as to what the purpose of expiryTime is in the AddOrUpdate method.

As far as I can tell, the default implementation for SessionSecurityTokenCache used by WIF is the internal class MruSessionSecurityTokenCache (mentioned here). In its implementation, expiryTime is completely ignored.

Also, I notice while debugging that the value that gets passed in to AddOrUpdate appears to always be token.ValidTo plus 5 minutes, so there is some intent to use this value somehow.

A few questions:

  • What is the intended strategy for this value?
    • Occasional cache cleanup?
    • Should the Get() and GetAll() methods on SessionSecurityTokenCache be filtering out expired tokens?
  • In any of these cases, why not just use SessionSecurityToken.ValidTo (or some offset therefrom)?
Chris Simmons
  • Hi Chris, did you ever figure out the purpose of expiryTime in AddOrUpdate? We are handling the SessionAuthenticationModule_SessionSecurityTokenReceived event to enable sliding sessions and in that method, SessionSecurityToken.ValidTo does not match the expiryTime of the TokenCacheItem we get from our cache. It would make sense for SessionSecurityToken.ValidTo to equal TokenCacheItem.Expires surely? The +5 mins is documented [here](http://msdn.microsoft.com/en-us/library/system.identitymodel.tokens.samlsecuritytoken.validto%28v=vs.100%29.ASPX) – dev'd Jan 24 '14 at 15:12

0 Answers