dotnet / AspNetCore.Docs

Documentation for ASP.NET Core
https://docs.microsoft.com/aspnet/core
Creative Commons Attribution 4.0 International

DataProtection key rotation and refresh are hard coded to 2 days and 1 day. #33942

Closed tiddlypip closed 3 hours ago

tiddlypip commented 4 hours ago

The key rotation is triggered by protecting/unprotecting some data, so it's possible that it might not generate a new key in that time. There's no built-in mechanism to change when a new key is generated or when refreshed, as those values are hard coded. The keys are valid for 90 days, so there's scope to increase the values to allow for weekends etc. It's difficult to be confident that the key will always roll over, and the consequences can be pretty catastrophic. It seems like it needs a more bulletproof mechanism when there is more than one instance of the service. This could be an optional behaviour, e.g. listen for blob changes, a timer or whatever.

guardrex commented 3 hours ago

Hello @tiddlypip ... Feedback such as this should go to the product unit. Please open an issue for them on their repo at ...

https://github.com/dotnet/aspnetcore/issues