Identity Security Token Identity Point Identity v2
I am currently using Identity for the login system, but the session token it generates suggests a fixed expiration date of 10 hours. The specification for my system requires the session to expire if the user is idle for 20 minutes. I cannot find anything in the source code that suggests sliding session state.
I was looking into this problem, and the only solution is to create a new session from the SessionAuthenticationModule every time the SessionAuthenticationModule_SessionSecurityTokenReceived event is raised in global.asax.
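    // Body of the SessionAuthenticationModule_SessionSecurityTokenReceived handler.
    // Locals the snippet relies on (not shown in the post; assumed definitions).
    var now = DateTime.UtcNow;
    var validFrom = e.SessionToken.ValidFrom;
    var validTo = e.SessionToken.ValidTo;
    var halfSpan = (validTo - validFrom).TotalMinutes / 2;

    // Past the halfway point but not yet expired: issue a fresh token.
    if (validFrom.AddMinutes(halfSpan) < now && now < validTo)
    {
        var sam = sender as SessionAuthenticationModule;
        e.SessionToken = sam.CreateSessionSecurityToken(
            e.SessionToken.ClaimsPrincipal,
            e.SessionToken.Context,
            now,
            now.AddMinutes(5),
            e.SessionToken.IsPersistent);
        e.ReissueCookie = true;
    }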
Is there a better alternative to this method?
Allen Brock, a Thinktecture member, suggests re-issuing the token if the session is still valid but more than halfway to expiry:
    using System;
    using System.IdentityModel.Services;
    using System.IdentityModel.Tokens;

    void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;

        var token = e.SessionToken;
        // Total lifetime the token was issued with
        var duration = token.ValidTo.Subtract(token.ValidFrom);
        if (duration <= TimeSpan.Zero) return;

        // Time remaining, allowing for the configured clock skew
        var diff = token.ValidTo.Add(sam.FederationConfiguration.IdentityConfiguration.MaxClockSkew).Subtract(DateTime.UtcNow);
        if (diff <= TimeSpan.Zero) return;

        var halfWay = duration.TotalMinutes / 2;
        var timeLeft = diff.TotalMinutes;
        // In the second half of the lifetime: reissue with the same duration
        if (timeLeft <= halfWay)
        {
            e.ReissueCookie = true;
            e.SessionToken =
                new SessionSecurityToken(
                    token.ClaimsPrincipal,
                    token.Context,
                    DateTime.UtcNow,
                    DateTime.UtcNow.Add(duration))
                {
                    IsPersistent = token.IsPersistent,
                    IsReferenceMode = token.IsReferenceMode
                };
        }
    }
If you approve, you don't need to write it yourself, but you can call it from global.asax:

    public override void Init()
    {
        PassiveModuleConfiguration.EnableSlidingSessionExpirations();
    }
See also "Updating BootStrapContext with new SessionSecurityToken when using Sliding Sessions in WIF with SAM and Thinktecture IdentityModel" for an issue with this: the BootStrapToken serialized to the current claims identity remains the old one.
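The half-life reissue rule from the answer above, modelled with plain DateTime values so it runs without WIF. This is an added example, not code from the post or from Thinktecture IdentityModel; it leaves out MaxClockSkew, and the class name, helper names and sample times are constructed. It shows that with a 20-minute token lifetime the idle time actually allowed is not fixed: it falls anywhere from just over 10 minutes to 20 minutes, depending on whether the last request landed before or after the halfway point.

```csharp
using System;

static class SlidingSessionDemo
{
    // Mirrors the answer's rule without MaxClockSkew: returns the new ValidTo when
    // the token is past the halfway point, null if it is kept or already expired.
    static DateTime? Reissue(DateTime validFrom, DateTime validTo, DateTime now)
    {
        var duration = validTo - validFrom;
        if (duration <= TimeSpan.Zero || now >= validTo) return null;
        var timeLeft = validTo - now;
        return timeLeft.TotalMinutes <= duration.TotalMinutes / 2
            ? now + duration
            : (DateTime?)null;
    }

    // Replays requests (minutes after login) and returns how many idle minutes
    // pass between the last accepted request and the session's expiry.
    static double IdleBeforeExpiry(int lifetimeMinutes, params double[] requestMinutes)
    {
        var login = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc); // constructed
        DateTime validFrom = login, validTo = login.AddMinutes(lifetimeMinutes);
        var lastSeen = login;
        foreach (var minute in requestMinutes)
        {
            var now = login.AddMinutes(minute);
            if (now >= validTo) break;       // cookie no longer valid: session over
            lastSeen = now;
            var newTo = Reissue(validFrom, validTo, now);
            if (newTo.HasValue) { validFrom = now; validTo = newTo.Value; }
        }
        return (validTo - lastSeen).TotalMinutes;
    }

    static void Main()
    {
        // Last request in the first half of the lifetime: nothing is reissued.
        Console.WriteLine("last request at minute 9:  idle allowed = {0} min", IdleBeforeExpiry(20, 9));
        // Last request just past halfway: the token slides a full lifetime forward.
        Console.WriteLine("last request at minute 11: idle allowed = {0} min", IdleBeforeExpiry(20, 11));
        // Steady activity, then the user stops at minute 30.
        Console.WriteLine("requests at 11, 22, 30:    idle allowed = {0} min", IdleBeforeExpiry(20, 11, 22, 30));
    }
}
```

With this rule the token lifetime is the upper bound on idle time, so a 20-minute lifetime never lets a session stay idle longer than 20 minutes, but it can end a session after as little as half that.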