2

We're trying to implement WIF in a .Net 4.5 web farm. We are using shared machine keys to allow multiple nodes to decrypt the FedAuth cookie. We're running into some issues with this and are in the process of debugging them.

As we've been looking for blog posts/articles/docs describing WIF + web farm configurations, we often see mentions of shared token caches. Many describe the caches as beneficial for performance or for dealing with too-large cookies. However, others seem to suggest that it is strictly necessary in order to get WIF working at all. From the MSDN article above:

In [a web farm] scenario, the default WIF settings ... will not work because both token protection and token caching are dependent on a specific computer.

Emphasis mine.

So, my question is: is it strictly necessary to implement a shared token cache in order to make WIF work in a web farm? If so, can you help me understand the nature and purpose of the cached data?

John Hoerr
  • 7,955
  • 2
  • 30
  • 40

1 Answers1

1

The token cache is only needed when you want to cache the tokens on the server.

The SAM supports a mode called "reference tokens" - using this the cookie only contains an identifier whereas the actual principal (+ bootstrap context if used) is cached on the server.

WIF's default implementation of that cache is local in-memory, thus the shared cache requirements for web farms. But only if reference mode is used - which is not the default.

leastprivilege
  • 18,196
  • 1
  • 34
  • 50