I got this question about the FlushTokenCache documentation. It says that the documentation is ambiguous... but I think the question itself is the ambiguous one. ;-)

Question:

Greetings,

Is it possible to provide some information on FlushTokenCache?

Have refered this but it's not sufficient  to proceed further...
ms-help://MS.TechNet.2005APR.1033/iis60proddocs/sec_auth_basicauth_tokencache.htm

Answer:

I presume you are referring to the following URL: Configuring Token Cache for Basic Authentication

It is not clear what "information" you are looking for, so I am just going to give the basics.

For Basic Authentication, IIS will cache user tokens of authenticated users for performance reasons (think about the domain scenario - you do not want every single request to IIS requiring an access against the Domain Controller on the backend...). However, as soon as you cache user tokens you need to worry about replay/spoofing attacks against the cached user token, and a reasonable defense against this security threat is to periodically flush the user token cache.

  • FlushTokenCache controls whether IIS will immediately flush the user token cache. As soon as you set it to non-zero, IIS will flush all tokens in the user token cache.
  • UserTokenTTL controls the amount of time a user token will be cached before evicted. If it is set to zero, it means that the user token will not be flushed by TTL (in other words, it never gets flushed until the process containing the cache goes away, either through recycling or restarting IIS).

//David