Skip to main content

Setting up sliding sessions in Windows Identity Foundation(WIF)

By default a WIF security token is only valid for a certain time. However this token does not work with a sliding expiration out-of-the-box. This means that, no matter if the users is actively using the application or not, once the time interval has expired, the token is invalidated and the user has to login again.
Although this seems logical from a security standpoint, it’s not very user friendly. Users expect that as long as they are using the application, their authentication session remains valid.
So how can we achieve sliding expiration in WIF?
public class SlidingAuthenticationModule : SessionAuthenticationModule
{
   
}
  • Register for the SessionSecurityTokenReceived event in the constructor:
   public SlidingAuthenticationModule
   {
      this.SessionSecurityTokenReceived += SessionSecurityTokenReceived; 
   }

   void SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
   {
      
   }
  • Add code to the event handler to implement the sliding expiration:

void SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{ 
 var sessionToken = e.SessionToken;
    SymmetricSecurityKey symmetricSecurityKey = null;

    if (sessionToken.SecurityKeys != null)
     symmetricSecurityKey = sessionToken.SecurityKeys.OfType<SymmetricSecurityKey>().FirstOrDefault();

 if (sessionToken.ValidTo > DateTime.UtcNow)
    {
  var slidingExpiration = sessionToken.ValidTo - sessionToken.ValidFrom;

  e.SessionToken = new SessionSecurityToken(
                    sessionToken.ClaimsPrincipal,
                    sessionToken.ContextId,
                    sessionToken.Context,
                    sessionToken.EndpointId,
                    slidingExpiration,
                    symmetricSecurityKey);

     e.ReissueCookie = true;
    }
    else
    {
        var sessionAuthenticationModule = (SessionAuthenticationModule) sender;
        sessionAuthenticationModule.DeleteSessionTokenCookie();
     e.Cancel = true;
 }
}

  • Inside your web.config, replace the default SessionAuthentication module with the new module you’ve created:

<modules>
   <add name="SessionAuthenticationModule" type="SlidingAuthenticationModule" preCondition="managedHandler"/>
</modules>
Labels:

Popular posts from this blog

.NET 8–Keyed/Named Services

A feature that a lot of IoC container libraries support but that was missing in the default DI container provided by Microsoft is the support for Keyed or Named Services. This feature allows you to register the same type multiple times using different names, allowing you to resolve a specific instance based on the circumstances. Although there is some controversy if supporting this feature is a good idea or not, it certainly can be handy. To support this feature a new interface IKeyedServiceProvider got introduced in .NET 8 providing 2 new methods on our ServiceProvider instance: object? GetKeyedService(Type serviceType, object? serviceKey); object GetRequiredKeyedService(Type serviceType, object? serviceKey); To use it, we need to register our service using one of the new extension methods: Resolving the service can be done either through the FromKeyedServices attribute: or by injecting the IKeyedServiceProvider interface and calling the GetRequiredKeyedServic...
Read more

Azure DevOps/ GitHub emoji

I’m really bad at remembering emoji’s. So here is cheat sheet with all emoji’s that can be used in tools that support the github emoji markdown markup: All credits go to rcaviers who created this list.
Read more

Kubernetes–Limit your environmental impact

Reducing the carbon footprint and CO2 emission of our (cloud) workloads, is a responsibility of all of us. If you are running a Kubernetes cluster, have a look at Kube-Green . kube-green is a simple Kubernetes operator that automatically shuts down (some of) your pods when you don't need them. A single pod produces about 11 Kg CO2eq per year( here the calculation). Reason enough to give it a try! Installing kube-green in your cluster The easiest way to install the operator in your cluster is through kubectl. We first need to install a cert-manager: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml Remark: Wait a minute before you continue as it can take some time before the cert-manager is up & running inside your cluster. Now we can install the kube-green operator: kubectl apply -f https://github.com/kube-green/kube-green/releases/latest/download/kube-green.yaml Now in the namespace where we want t...
Read more