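/// <summary>
/// Issues an access token for <paramref name="userId"/>.
/// If <c>tokenStorage</c> already holds a token for the user and its last refresh time is still
/// inside the timeout window, that token is refreshed (sliding expiry) and handed back with its
/// original issue time. Otherwise a fresh token identifier is generated, hashed, stored together
/// with the encrypted user id, and its hash is returned as the token value.
/// </summary>
/// <param name="userId">Identifier of the user the token is issued for.</param>
/// <returns>An <see cref="IAccessToken"/> carrying the token value and its issue time.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown when <c>tokenStorage</c> reports that refreshing the existing token or storing the
/// new one failed. (Derives from <see cref="Exception"/>, so existing catch clauses still apply.)
/// </exception>
/// <remarks>
/// NOTE(review): on the refresh path the value read back from storage is returned verbatim as
/// the bearer token, so whatever the store holds is directly usable by an attacker who reads it;
/// the "hash" gives no at-rest protection unless the lookup side hashes again — confirm against
/// the verification code.
/// NOTE(review): an existing, still-valid token is handed to any caller of Create for the same
/// user, so every login shares one session; confirm that is intended.
/// NOTE(review): expiry is checked only against the last refresh time, never against
/// issuedAt, so as far as this method shows a regularly-used token never expires; consider an
/// absolute lifetime cap.
/// NOTE(review): VerifyTokenExistence followed by StoreToken is not atomic; concurrent calls for
/// the same user may race — presumably tokenStorage has to cope with this.
/// </remarks>
public IAccessToken Create(int userId) {
    var token = container.GetInstance<IAccessToken>();

    // Sliding-expiry path: reuse an existing token that is still inside the timeout window.
    string existingHash;
    DateTime issuedAt, refreshed;
    bool tokenExists = tokenStorage.VerifyTokenExistence(userId, out existingHash, out issuedAt, out refreshed);
    if (tokenExists && dateHelper.IsWithinTimeOutLimit(refreshed)) {
        if (!tokenStorage.RefreshToken(userId, existingHash, dateHelper.Now)) {
            throw new InvalidOperationException("Failed to refresh the existing token");
        }
        token.IssuedAt = issuedAt;   // keep the original issue time, only the refresh time moved
        token.Token = existingHash;
        return token;
    }

    // Fresh token path. The token identifier is the whole secret of the session: a Guid carries
    // at most 122 random bits, and whether openGuid.New() is CSPRNG-backed is not visible here
    // — confirm.
    Guid tokenId = openGuid.New();

    // The hasher and the hash result are both disposable. try/finally ties their lifetime to
    // this scope so they are released on the failure path as well: the previous version leaked
    // both when StoreToken returned false, and leaked the hasher on the refresh path above
    // (the hasher is now only acquired when a new token is actually created).
    var passwordHash = container.GetInstance<IPasswordHash>();
    try {
        var hashedToken = passwordHash.CreateHash(tokenId.ToString());
        try {
            byte[] userIdSalt = encrypter.GetSalt();
            // InvariantCulture so the encrypted payload does not depend on the thread culture.
            string encryptedUserId = encrypter.Encrypt(
                userId.ToString(System.Globalization.CultureInfo.InvariantCulture), userIdSalt);
            // dateHelper.Now: whether this is UTC or local time is not visible here — confirm it
            // matches what IsWithinTimeOutLimit compares against.
            DateTime now = dateHelper.Now;

            if (!tokenStorage.StoreToken(userId, hashedToken, encryptedUserId, userIdSalt, now)) {
                throw new InvalidOperationException("Failed to store the session token");
            }

            token.Token = hashedToken.Hash;
            token.IssuedAt = now;
            // No attempt is made to "scrub" the locals: strings are immutable and nulling a
            // reference clears nothing, and the salt array may still be referenced by the store.
            return token;
        } finally {
            hashedToken.Dispose();
        }
    } finally {
        passwordHash.Dispose();
    }
}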