consider removing default in memory key managment
aspnet-hello opened this issue · 4 comments
From @danielDevelops on Thursday, September 28, 2017 11:29:28 AM
Since the default new project doesn't indicate that this needs to be configured, it would be nice to not have this partially work. When running core on IIS it defaults to in-memory key management and that isn't apparent when users are randomly getting logged out when the app pool restarts.
Copied from original issue: aspnet/DataProtection#277
From @blowdart on Friday, October 13, 2017 12:00:45 PM
@muratg @Eilon @GrabYourPitchforks
We've talked about this before with @DamianEdwards and @davidfowl about just halting if ephemeral is selected by default, rather than by an explicit gesture. We should revisit this.
From @GrabYourPitchforks on Friday, October 13, 2017 6:23:20 PM
The decision to fall back to the ephemeral keyring by default was originally intended to make development scenarios "just work", as it would push people away if we forced them to deal with key storage and management while they were just starting out. If there's some way of distinguishing between development and production environments you could change the fallback logic to account for that.
From @danielDevelops on Friday, October 13, 2017 7:09:52 PM
For me, I would rather not have any default and just have the ephemeral keyring as pre-configured in the MVC template.
Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue.
This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!