I'm writing a custom implementation of SessionSecurityTokenCache and I'm somewhat confused as to what the purpose of expiryTime is in the AddOrUpdate method.
As far as I can tell, the default implementation for SessionSecurityTokenCache used by WIF is the internal class MruSessionSecurityTokenCache (mentioned here). In its implementation, expiryTime is completely ignored.
Also, I notice while debugging that the value that gets passed in to AddOrUpdate appears to always be token.ValidTo plus 5 minutes, so there is some intent to use this value somehow.
A few questions:
- What is the intended strategy for this value?
- Occasional cache cleanup?
- Should the
Get()andGetAll()methods onSessionSecurityTokenCachebe filtering out expired tokens?
- In any of these cases, why not just use
SessionSecurityToken.ValidTo(or some offset therefrom)?
