WIF Reauthentication

I applied sliding sessions in the Relying Party app as described in Sliding Sessions for WIF 4.5. This works fine as far as it goes, but there is one problem that no one seems to be talking about.

As noted in a related blog post, when the RP token expires, on the next request the token is re-issued from the STS. This assumes, of course, that the lifetime of the STS session is longer than the lifetime of the RP session, which is almost certainly the case if you are performing sliding sessions.

In any case, this completely affects the entire point of the sliding sessions.

What no one is talking about is what needs to be done when the RP session expires. I want that, if the RP session times out (usually because someone left their workstation for 10 minutes), my application redirects to the STS login page, where the user can re-authenticate and is then redirected to the page I requested; or perhaps the page I was on when I made the request.

I am pretty sure that this is possible, but I do not know how to do it.

Here is my code from global.asax:

    using System;
    using System.IdentityModel.Services;

    private const int InactivityTimeout = 5; // minutes

    void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        var now = DateTime.UtcNow;
        var validFrom = e.SessionToken.ValidFrom;
        var validTo = e.SessionToken.ValidTo;
        double halfSpan = (validTo - validFrom).TotalMinutes / 2;

        // Only renew once the token is past the middle of its window and still valid
        if (validFrom.AddMinutes(halfSpan) < now && now < validTo)
        {
            // add more time: reissue the session token with a fresh validity window
            var sam = sender as SessionAuthenticationModule;
            e.SessionToken = sam.CreateSessionSecurityToken(
                e.SessionToken.ClaimsPrincipal,
                e.SessionToken.Context,
                now,
                now.AddMinutes(InactivityTimeout),
                e.SessionToken.IsPersistent);
            e.ReissueCookie = true;
        }
        else
        {
            // re-authenticate with STS
        }
    }

My questions:

  • Is the else clause the right place for re-authentication logic?
  • If yes, please provide an example because I have no idea.
  • If the answer to #1 is no, is there a separate event that I need to subscribe to that will tell me: "Hey, your session security token has expired!"?
+6
1 answer

I would recommend that you synchronize the session lifetime on the STS and the RP(s).

You can set the session lifetime to 10 minutes on the STS and 10 minutes on the RP and use the sliding session approach on the RP. After 10 minutes of inactivity, both sessions expire and the user will need to re-authenticate.

If you have multiple RPs, you can implement the keep-alive form from RP to STS - for example, load a resource from STS on each RP web page. Whenever a page is loaded onto an RP, the keep-alive resource will be loaded from STS - updating the STS session. After 10 minutes of inactivity, they both time out and the user will need to re-authenticate.

"Resource from STS" can mean a web page (Web Forms / MVC) loaded in an invisible iframe. The important thing is that this is a managed handler, so the request is processed by ASP.NET.

As for your questions, if you synchronize the session lifetime so that they are timing together:

  • No, you do not need to add code to the else clause. If the token has expired, WIF will redirect to the STS.
  • Just remove the else clause.
  • Let WIF handle this for you.

For completeness, if you cannot synchronize the session lifetimes, you can initiate a federated sign-out when the RP session expires. The following snippet starts a sign-out against the configured issuer (STS). You can put this in the else clause so that the first request after the RP session has ended triggers the sign-out:

    using System.IdentityModel.Services; // WIF 4.5

    var stsAddress = new Uri(FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Issuer);
    WSFederationAuthenticationModule.FederatedSignOut(stsAddress, null); // Optional replyUrl set to null

Hope this helps!

+2
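The keep-alive resource the answer describes, as an added example that is not part of the original answer: a hypothetical managed handler hosted on the STS (path `/KeepAlive.ashx` is assumed) that every RP page loads in a hidden iframe. It assumes the STS itself runs WIF's SessionAuthenticationModule with the same sliding-session handler as the RP, so the STS session is renewed simply because the request passes through the module; the handler itself only has to make sure the request actually reaches the STS on every page load.

```csharp
using System;
using System.Web;

// Hypothetical keep-alive endpoint on the STS (assumed path: /KeepAlive.ashx).
// Each RP page embeds it, for example in the master page:
//   <iframe src="https://sts.example.com/KeepAlive.ashx" style="display:none"></iframe>
// Because this is a managed handler, the STS's SessionAuthenticationModule
// processes the request and its sliding-session code renews the STS cookie.
public class KeepAliveHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext context)
    {
        // A cached response never reaches the STS, so the STS session would
        // silently stop sliding while the RP session keeps sliding. Forbid
        // caching by the browser and by any intermediate proxy.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.Cache.SetNoStore();
        context.Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));

        // The handler must be reachable anonymously: if it demanded
        // authentication, an expired STS session would trigger a login
        // redirect inside the hidden iframe instead of a quiet timeout.
        // Nothing is rendered; the side effect (renewed STS cookie) is all
        // the RP wants. Only an authenticated session is worth extending,
        // but that decision is already made by the session module.
        context.Response.StatusCode = 204; // No Content
        context.Response.SuppressContent = true;
    }
}
```

Register the handler in the STS web.config and allow anonymous access to its path; since the iframe is a cross-site request from the RP origin, the STS session cookie must be allowed to travel with it (browsers that block third-party cookies or enforce SameSite defaults will not send it, and the keep-alive then does nothing).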

Source: https://habr.com/ru/post/953258/