
How are bearer tokens stored server-side in Web API 2?

Updated: 2023-02-24 12:47:24

  1. They're not stored server side -- they're issued to the client and the client presents them on each call. They're verified because they're signed by the OWIN host's protection key. In SystemWeb hosting, that protection key is the machineKey setting from web.config.

  2. That's unnecessary, as long as the protection key the OWIN host uses doesn't change across server restarts.

  3. A client can hold onto a token for as long as the token is valid.
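
The three points above, modelled as an added example (not code from the original answer and not OWIN's own implementation): an HMAC-SHA256 tag over a JSON payload stands in for the ticket protected with the host's key, and the server keeps no token store. `issue_token`, `validate_token`, `FIXED_KEY` and `T0` are hypothetical names with constructed sample values.

```python
import base64, hashlib, hmac, json, os

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key: bytes, user: str, ttl_seconds: int, now: float) -> str:
    """Serialize the claims and append a MAC; nothing is saved on the server."""
    body = b64e(json.dumps({"sub": user, "exp": now + ttl_seconds}).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(mac)

def validate_token(key: bytes, token: str, now: float):
    """Return the claims if the MAC verifies and the token is unexpired, else None."""
    try:
        body, mac = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(mac)):
            return None  # wrong key or tampered token
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return None  # malformed token
    return claims if now < claims["exp"] else None

# Constructed sample values: a fixed key plays the role of a configured
# protection key that is identical before and after a restart.
FIXED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
T0 = 1_700_000_000.0

def demo() -> dict:
    token = issue_token(FIXED_KEY, "alice", ttl_seconds=3600, now=T0)
    return {
        # Restart with the same key: the token still validates, no storage needed.
        "same_key_after_restart": validate_token(FIXED_KEY, token, T0 + 60) is not None,
        # Restart with a freshly generated key: every outstanding token is rejected.
        "new_key_after_restart": validate_token(os.urandom(32), token, T0 + 60) is not None,
        # The client may keep the token, but it stops working once it expires.
        "after_expiry": validate_token(FIXED_KEY, token, T0 + 3601) is not None,
    }

if __name__ == "__main__":
    print(demo())
```
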