Session Token gets invalid after pool reset

Question

I'm using Thinktecture IdentityModel in an ASP.NET Web API using Basic Authentication. Everything works fine, I can request a new token to the server with expiration. I host this application in AppHarbor.

The problem is that AppHarbor periodically resets the pool because if the application is not being used for a while, it gets into "idle" state.

This makes that my Token issued by my application using the IdentityModel is no longer valid after the pool reset.

I know there are some tricks around to keep AppHarbor alive. I'm not lookig for this kind of solution. Is there any way of creating tokens using IdentityModel that are valid after the pool reset? Is this a security issue?

This is my code to set the authentication:

 var authentication = new AuthenticationConfiguration
 {
     EnableSessionToken = true,
     RequireSsl = false,
     SessionToken = new SessionTokenConfiguration()
     {
        DefaultTokenLifetime = System.TimeSpan.FromDays(1),
        EndpointAddress = "/Authenticate"
     }
 };

 authentication.AddBasicAuthentication(authService.Authenticate, authService.GetRoles);
 config.MessageHandlers.Add(new AuthenticationHandler(authentication));

Answer 1

When you create the SessionTokenConfiguration, you need to assign a consistent value to the SigningKey property. This is a signing key so it should be unique to your app and you should treat it as a secret.