Comments (4)
The service
uses IMemoryCache https://learn.microsoft.com/en-us/aspnet/core/performance/caching/memory?view=aspnetcore-8.0
This one is registered in https://github.com/dotnet-architecture/eShopOnWeb/blob/2414014bfa0f4d2021b5bc9061429a98d232f440/src/Web/Program.cs#L66C1-L66C28
That adds a memory cache as a singleton.
from eshoponweb.
Thanks for the answer!
You are right, this cache is not trivially useless... it is much worse: it is using a service that by specification has HTTP request-specific dependencies to get data that will be used in other requests.
This could generate wrong answers that are very difficult to detect.
As this project is presented as a model architecture, it could be used in many situations where developers probably will not be aware of these details. It is a potentially big security hole if used without much attention.
This "singleton cache in an HTTP-scoped service" is not secure by default. It is a clear security risk.
from eshoponweb.
How exactly would you implement a memory cache in a monolithic application with a single production instance?
Yes, one could use Redis or a similar out of process cache to resolve some of the concerns you're mentioning, but in this case in-memory is the chosen approach (which is fully supported by dotnet).
What security risk are you implying? Please demonstrate an attack vector and mitigation.
from eshoponweb.
OK, probably I have exaggerated the risk... you are using a request-scoped service to get data that will be used in other requests. This is OK if you use it carefully; the risk is only if you use request context data in the methods used by the cache.
For example, accessing a third-party service with the current user's credentials that maybe will return data only valid for that user, etc.
This request-scoped service could in turn use other services to perform some actions, and if some developer thinks that everything is request-scoped they could, for example, inject request context information in the service constructor, making it unclear which methods use this information... real business services could become very complex.
Here they propose using IServiceScopeFactory and creating scoped services inside the singleton using that.
But maybe this could be excessive in many situations... I suppose everything depends on the situation and the size of, and communication inside, the developer team...
from eshoponweb.
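The failure mode discussed in this thread, as an added example that is not code from eShopOnWeb or from any commenter: a singleton `IMemoryCache` filled by a request-scoped service whose result depends on the current user, first with a key that ignores the user and then with a key that includes it. `PriceService`, `CachedPriceService` and the user names are hypothetical; the two "requests" are simulated in `Main`.

```csharp
// Added example (not eShopOnWeb code). Needs the Microsoft.Extensions.Caching.Memory package.
using System;
using Microsoft.Extensions.Caching.Memory;

// Hypothetical request-scoped service: request context is captured in the
// constructor, so nothing in GetPriceList()'s signature shows it is user-specific.
public sealed class PriceService
{
    public string UserId { get; }
    public PriceService(string userId) => UserId = userId;
    public string GetPriceList() => $"price list visible to {UserId}";
}

// Hypothetical request-scoped caching decorator around the singleton cache.
public sealed class CachedPriceService
{
    private readonly IMemoryCache _cache;   // singleton: shared by every request
    private readonly PriceService _inner;   // scoped: belongs to one request

    public CachedPriceService(IMemoryCache cache, PriceService inner)
        => (_cache, _inner) = (cache, inner);

    // Risky: the key ignores the user, so whoever fills the entry first
    // decides what every later request receives until it expires.
    public string GetShared() =>
        _cache.GetOrCreate("prices", _ => _inner.GetPriceList())!;

    // Safer: everything the cached value depends on is part of the key.
    public string GetPerUser() =>
        _cache.GetOrCreate($"prices:{_inner.UserId}", _ => _inner.GetPriceList())!;
}

public static class Program
{
    public static void Main()
    {
        using var cache = new MemoryCache(new MemoryCacheOptions()); // outlives each request
        // Constructed sample: two requests from two different users.
        var alice = new CachedPriceService(cache, new PriceService("alice"));
        var bob = new CachedPriceService(cache, new PriceService("bob"));

        alice.GetShared();    // alice's request populates the shared entry
        Console.WriteLine($"shared key, bob receives:   {bob.GetShared()}");
        alice.GetPerUser();   // alice's entry is stored under her own key
        Console.WriteLine($"per-user key, bob receives: {bob.GetPerUser()}");
    }
}
```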