aspnet/DataProtection

consider removing default in memory key management

danielDevelops opened this issue · 4 comments

Since the default new project doesn't indicate that this needs to be configured, it would be nice to not have this partially work. When running core on IIS it defaults to in-memory key management and that isn't apparent when users are randomly getting logged out when the app pool restarts.

@muratg @Eilon @GrabYourPitchforks

We've talked about this before with @DamianEdwards and @davidfowl about just halting if ephemeral is selected by default, rather than by an explicit gesture. We should revisit this.

The decision to fall back to the ephemeral keyring by default was originally intended to make development scenarios "just work", as it would push people away if we forced them to deal with key storage and management while they were just starting out. If there's some way of distinguishing between development and production environments you could change the fallback logic to account for that.

For me, I would rather not have any default and just have the ephemeral keyring as pre-configured in the MVC template.

This issue was moved to dotnet/aspnetcore#2506
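
Added example, not part of the original thread and not the project's own code: one way an application can apply the behaviour discussed above on its own side, making the ephemeral keyring an explicit development-only choice and halting at startup in any other environment when no key store is configured. The setting name `DataProtection:KeyPath` and the application name `example-app` are assumptions made for this example.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    private readonly IConfiguration _config;
    private readonly IWebHostEnvironment _env;

    public Startup(IConfiguration config, IWebHostEnvironment env)
    {
        _config = config;
        _env = env;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        if (_env.IsDevelopment())
        {
            // Explicit gesture: keys live in memory only and are lost on every
            // restart, so cookies and tokens issued before a restart stop validating.
            services.AddDataProtection().UseEphemeralDataProtectionProvider();
            return;
        }

        // "DataProtection:KeyPath" is a hypothetical setting name for this example.
        var keyPath = _config["DataProtection:KeyPath"];
        if (string.IsNullOrWhiteSpace(keyPath))
        {
            // Halt instead of silently running with keys that vanish on recycle.
            throw new InvalidOperationException(
                "DataProtection:KeyPath is not set; refusing to start without a persistent key store.");
        }

        services.AddDataProtection()
            .SetApplicationName("example-app") // constructed value
            // Keys are written unencrypted at rest unless a ProtectKeysWith*
            // method (for example ProtectKeysWithDpapi on Windows) is added.
            .PersistKeysToFileSystem(new DirectoryInfo(keyPath));
    }

    public void Configure(IApplicationBuilder app) { }
}
```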