I go through the http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api tutorial on implementing token authentication on the ASP.NET WebApi platform.
When I access methods [Authorize]with a published carrier token after stopping / restarting / deploying to Azure WebSite, it can still access them. Moreover, I can access with two different devices (different tokens for the same identity) that can access.
I don’t know deep inside the token identification mechanism, but it seems that published media tokens are not supported in server memory or in the database.
My question can be summarized as shown below ...
- Does the carrier toner turn on my identity aggressively and recognize me until I repeat the authorization (based on the above tutorial)?
- what information needs to be mixed and hashes to make a token carrier? just my review, identity and timestamp? or server key (I know that the former ASP.NET server uses the server key in the registry)?
- What if I deploy on multiple servers like WebRoles? Do they still recognize published tokens among others?
- Is there a maximum number of identifiable tokens per unit?
source
share