Using IToken as Session Key

Topics: Caching Application Block, Security Application Block
Feb 5, 2008 at 3:38 PM
We are looking to use the Security Application Block for authorization in a series of web applications we're building. Our idea was to authenticate the user using the Membership API and then cache the IIdentity of the user in the Security Application Block. The IToken returned when we call SecurityCacheProvider.SaveIdentity() would be returned to the browser as a cookie containing IToken.Value.

The issue I'm seeing is that the IToken implementation is hard coded to be the GuidToken implementation in the SecurityCacheProvider. This means that there is no abstract way to convert the token stored in the cookie (as a string) back into an IToken (except by knowing that the IToken is really a GuidToken and hardcoding the implementation again).

Has anyone else attempted this (using the security caching as session key)? We really like the idea of using the cache expirations as the session timeout because then we can expire the session from a centralized location and the web layer doesn't need to manage that.

Thoughts?
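
One way to contain the hardcoding described in the post, added here as an example and not taken from the original poster or from Enterprise Library itself: a single helper that owns the cookie-to-token conversion and treats the cookie value as untrusted input. `SessionTokenCookie` and the cookie name are hypothetical; the sketch assumes the `GuidToken(Guid)` constructor, that the cache provider returns null for an unknown or expired token, and .NET 4.0 or later for `Guid.TryParseExact`.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using Microsoft.Practices.EnterpriseLibrary.Security;

// Hypothetical helper (not part of Enterprise Library). It is the only place
// that knows the cache provider issues GuidToken values.
public static class SessionTokenCookie
{
    private const string CookieName = "SessionToken"; // assumed cookie name

    // Cache the authenticated identity and hand the token value to the browser.
    public static void Issue(HttpResponse response, ISecurityCacheProvider cache, IIdentity identity)
    {
        IToken token = cache.SaveIdentity(identity);
        HttpCookie cookie = new HttpCookie(CookieName, token.Value);
        cookie.HttpOnly = true; // keep the token away from client-side script
        cookie.Secure = true;   // send it over HTTPS only
        response.Cookies.Add(cookie);
    }

    // Convert the untrusted cookie string back into an IToken.
    // Anything that is not a GUID in the default "D" format is rejected
    // before it can be used as a cache key.
    public static bool TryParse(string cookieValue, out IToken token)
    {
        Guid guid;
        if (cookieValue != null && Guid.TryParseExact(cookieValue, "D", out guid))
        {
            token = new GuidToken(guid); // assumes the GuidToken(Guid) constructor
            return true;
        }
        token = null;
        return false;
    }

    // Look up the cached identity for the current request.
    public static IIdentity Resolve(HttpRequest request, ISecurityCacheProvider cache)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        IToken token;
        if (cookie == null || !TryParse(cookie.Value, out token))
        {
            return null; // missing or malformed cookie: treat as not signed in
        }
        // Assumption: the provider returns null once the entry has expired,
        // which is what makes the cache expiration act as the session timeout.
        return cache.GetIdentity(token);
    }
}
```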