Is it OK to use NaiveSessionCache from Azure-Samples Azure Active Directory OpenId Connect

Submitted by ℡╲_俬逩灬. on 2019-12-14 02:22:47

Question


We are writing a web application similar to Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect

The sample includes NaiveSessionCache.cs, which stores the access token in the ASP.NET Session state for UserObjectId. The code looks reasonable, but I have concerns with regard to the name "Naive".

Are there any reasons why I should not use it in production?

Vittorio Bertocci's article The New Token Cache in ADAL v2 describes FileCache (for a desktop application) and database EFADALTokenCache alternatives for implementing TokenCache. However, I feel that using SQL DB is too heavy if I can use session instead.

Could anyone give any cons of using session?


Answer 1:


There's no contraindication in using the session in itself, provided that your scenario allows for it (e.g. you don't require access when there's no user actively logged in) and you properly secure it. However, the class in those samples is meant to only demonstrate the functionality of a generic cache component, and has not been hardened for use in production as-is: you'll need to add proper error handling, instrumentation, and all the software quality features you normally apply for your own production software.
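The following is an added example, not part of the original answer and not the sample's own code: a session-backed ADAL `TokenCache` with the kind of error handling the answer above asks for. The class name `SessionTokenCache` is hypothetical, and the code assumes the ADAL `TokenCache` members (`Serialize`, `Deserialize`, `HasStateChanged`, `BeforeAccess`, `AfterAccess`) and classic ASP.NET session state.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.SessionState;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
// Hypothetical class (added example): session-backed token cache that survives a lost or unreadable session.
public class SessionTokenCache : TokenCache
{
    private static readonly object SessionLock = new object();
    private readonly string cacheId;
    private static HttpSessionState CurrentSession() => HttpContext.Current?.Session;
    public SessionTokenCache(string userObjectId)
    {
        if (string.IsNullOrEmpty(userObjectId)) throw new ArgumentNullException(nameof(userObjectId));
        cacheId = userObjectId + "_TokenCache";
        BeforeAccess = args => Load();
        AfterAccess = args => { if (HasStateChanged) Persist(); };
        Load();
    }

    private void Load()
    {
        lock (SessionLock)
        {
            HttpSessionState session = CurrentSession();
            try
            {
                // No session or no entry (new or recycled session) gives null: the cache starts empty.
                Deserialize(session?[cacheId] as byte[]);
            }
            catch (Exception ex)
            {
                // Unreadable blob: discard it so the user signs in again. Log the type only, never the blob.
                Trace.TraceWarning("Token cache load failed: {0}", ex.GetType().Name);
                session?.Remove(cacheId);
                Deserialize(null);
            }
        }
    }
    private void Persist()
    {
        lock (SessionLock)
        {
            HttpSessionState session = CurrentSession();
            if (session == null) { Trace.TraceWarning("No session; token cache not persisted."); return; }
            session[cacheId] = Serialize();
            HasStateChanged = false;
        }
    }
}
```

With an out-of-process session provider the serialized blob leaves the web server's memory, so the session store needs the same protection as any other store holding tokens.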




Answer 2:


In my experience, using the session relies too much on the web server and app domain. I have had issues with the session resetting / disappearing. Google it and you will find numerous people having similar issues. We opted for an in-memory token cache for a small, single-server web application. For a larger one, especially if we need a multi-server app, I would definitely do a DB implementation.



Source: https://stackoverflow.com/questions/41864737/is-it-ok-to-use-naivesessioncache-from-azure-samples-azure-active-directory-open
