Share via


<statefulSecurityContextToken> Element

Specifies whether stateful SecurityContextToken security tokens are used.

<microsoft.web.services3> Element
  <tokenIssuer> Element

<statefulSecurityContextToken  enabled="true|false" />

Attributes and Elements

Attributes

Attribute Description

enabled

Required attribute. true if stateful SecurityContextToken security tokens are used. The default value is true.

Child Elements

None.

Parent Elements

Element Description

<tokenIssuer> Element

Specifies the settings for a security token service.

Remarks

Use stateful SecurityContextToken security tokens in Web farms and in application domains that are continually reset. When sent in a SOAP message, stateful SecurityContextToken security tokens are serialized along with an encrypted key that can be retrieved only by the Web service. By contrast, the key for stateless SecurityContextToken security tokens is cached by clients and Web services, so that only a unique string that represents the cached SecurityContextToken security token must be sent in SOAP messages. That works fine as long as the caches are available. Two cases where the caches may not be available are Web farms and Web services hosted by an ASP.NET application domain that periodically gets reset. In the Web farm scenario, the cached token is available only on the computer that initially issued the SecurityContextToken security token. Therefore, subsequent SOAP messages that do not reach that particular computer in the Web farm will cause a SOAP fault. With a stateful SecurityContextToken security token that is not a problem, because the security token and the associated key can always be retrieved from the SOAP message. The same is true if the application domain that is hosting the Web service is reset, causing the cache to be destroyed. Some virus scanners cause application domains to be reset.

Example

The following code example specifies that the application uses stateless SecurityContextToken security tokens.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <microsoft.web.services3>
    <tokenIssuer>
      <statefulSecurityContextToken enabled="false" />
    </tokenIssuer> 
  </microsoft.web.services3>
</configuration>

See Also

Reference

SecurityContextToken