5

Does ASP.NET Identity stores two-factor authentication and reset password tokens in memory?

Then what's the solution if we have many copies of a project behind a load balancer? It's possible to store those tokens in a database?

Is there any other issue if we want to use a load balancer?

Babak
  • 3,716
  • 6
  • 39
  • 56

1 Answers1

4

Tokens are not stored in server memory, but on the client (link, cookie etc.). So a load balancer is supported as long as you keep the machinekey in the web.config the same on all web servers.

Because of the above it's not necessary to store them in a database. There is a possibility to do so. See also this similar question (I see it has a similar answer :-)) How are bearer tokens stored server-side in Web API 2?

Community
  • 1
  • 1
kloarubeek
  • 2,706
  • 20
  • 24
  • Would you, also, give me a link to its documentation or code related to this issue? – Babak May 16 '16 at 04:13
  • not sure what you're looking for. As Brock explains in the linked answer: the token is signed by the owin host's protection key which is the machineKey in the web.config. Maybe this helps: http://stackoverflow.com/questions/23804505/does-asp-net-identity-2-use-machinekey-to-hash-the-password – kloarubeek May 16 '16 at 19:23