WIF sliding session re-authenticate


Problem description


I've implemented sliding sessions in my Relying Party application, as described in Sliding Sessions for WIF 4.5. That works great as far as it goes, but there's one problem that it seems nobody talks about.

As the linked blog post points out, when the RP token expires, the next time you make a request the token is re-issued from the STS. Assuming, of course, that the STS session lifetime is longer than the RP's session lifetime, which is almost certainly the case if you're implementing sliding sessions.

In any event, that completely defeats the whole point of sliding sessions.

What nobody seems to talk about is what to do when the RP session expires. What I want, if the RP session times out (usually because somebody walked away from his desk for 10 minutes), is for my application to redirect to the STS login page where the user can re-authenticate, and then be redirected back to the page I had requested; or perhaps to the page that I was on when I made the request.

I'm almost certain that this is possible, but I have absolutely no idea how it's done.

Here's my code from global.asax:

    // at the top of Global.asax.cs
    using System;
    using System.IdentityModel.Services; // WIF 4.5: SessionAuthenticationModule, SessionSecurityTokenReceivedEventArgs

    private const int InactivityTimeout = 5; // minutes

    // Auto-wired by ASP.NET (ModuleName_EventName) for the module registered as "SessionAuthenticationModule".
    // Raised for every request that carries a session (FedAuth) cookie.
    void SessionAuthenticationModule_SessionSecurityTokenReceived
        (object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        var now = DateTime.UtcNow;               // token validity times are UTC
        var validFrom = e.SessionToken.ValidFrom;
        var validTo = e.SessionToken.ValidTo;
        double halfSpan = (validTo - validFrom).TotalMinutes/2;

        // Renew only once the token is past the midpoint of its window and not yet expired.
        if (validFrom.AddMinutes(halfSpan) < now && now < validTo)
        {
            // add more time
            var sam = sender as SessionAuthenticationModule;

            e.SessionToken = sam.CreateSessionSecurityToken(
                e.SessionToken.ClaimsPrincipal,
                e.SessionToken.Context,
                now,
                now.AddMinutes(InactivityTimeout),
                e.SessionToken.IsPersistent);
            e.ReissueCookie = true;               // write the new token back to the cookie
        }
        else
        {
            // re-authenticate with STS
        }
    }

My questions:

  1. Is the else clause the proper place to put the re-authentication logic?
  2. If so, please provide an example, 'cause I have no idea.
  3. If the answer to #1 is no, then is there a separate event I need to subscribe to that will tell me "Hey, your session security token has expired!"?

Solution

I'd recommend you sync the session lifetimes on the STS and the RP(s).

You can set the session lifetime to 10 minutes on the STS and 10 minutes on the RP and use the sliding session approach on the RP. After 10 minutes of inactivity both sessions would expire and the user should be required to re-authenticate.

If you have multiple RPs you could implement a form of keep-alive from the RP to the STS - e.g. load a resource from the STS in every webpage on the RPs. Whenever a page is loaded on an RP, the keep-alive resource would be loaded from the STS - refreshing the STS session. After 10 minutes of inactivity they would both time out and the user would have to re-authenticate.

"A resource from the STS" could mean a web page (Web Forms/MVC) loaded in an invisible iframe. The important thing is that it's a managed handler so the request is handled by ASP.NET.

As for your questions, if you sync the session lifetimes so they time out together:

  1. No, you don't need to add any code in the else clause. If the token is expired, WIF will redirect to the STS.
  2. Just remove the else clause.
  3. Let WIF handle this for you.

For completeness, if you can't sync the session lifetimes you could trigger a federated sign-out when the RP session expires. The following snippet triggers a signout at the configured Issuer (STS). You could put this in the else clause to trigger a signout on the first request after the RP session expires:

    using System.IdentityModel.Services; //WIF 4.5

    // inside the else clause:
    var stsAddress = new Uri(FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Issuer);
    WSFederationAuthenticationModule.FederatedSignOut(stsAddress, null); //Optional replyUrl set to null

Hope that helps!
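The keep-alive resource the answer describes, as an added example that is not code from the answer or from WIF: a managed handler on the STS that the RP embeds in a hidden iframe (for instance `<iframe src="https://sts.example.test/KeepAlive.ashx" style="display:none"></iframe>`; the host name and the file name `KeepAlive.ashx` are placeholders I chose). The two things a practitioner has to get right are that only an already-authenticated STS session is touched, and that the response is never cached, since a cached iframe load never reaches the STS and the session silently stops being refreshed.

```csharp
<%@ WebHandler Language="C#" Class="KeepAliveHandler" %>
// Added example (not from the answer): KeepAlive.ashx hosted on the STS.
// Because it is a managed (.ashx) handler, the request passes through the
// ASP.NET pipeline, so the STS's own authentication module sees the cookie and
// renews its session exactly as it would for any other page (the answer's premise).
using System.Web;

public class KeepAliveHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Never create or extend anything for an anonymous hit. Answer 204 rather
        // than 401 so the hidden iframe is not bounced into a login redirect.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 204;
            return;
        }

        // Defeat browser and proxy caching so every RP page load really hits the STS.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.Cache.SetNoStore();
        context.Response.Cache.SetExpires(System.DateTime.UtcNow.AddMinutes(-1));
        context.Response.ContentType = "text/plain";
        context.Response.Write("ok"); // body is irrelevant; the side effect is the refreshed STS session
    }
}
```

Whether the STS session is actually extended by this hit depends on the STS's authentication being configured to slide on activity; the handler only guarantees that the request is authenticated, uncached and handled by ASP.NET, which is what the answer asks for.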
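An added example (not code from the question or the answer) that puts the question's handler and the answer's completeness snippet together. Read literally, the question's `else` clause covers two different situations: a token still in the first half of its window, where nothing should happen, and a token that has already expired, where the answer's federated sign-out belongs. Dropping the sign-out into the existing `else` as-is would sign out every user whose token is simply still fresh, so this version separates the decision into a small policy method first. `InactivityTimeout`, the `SessionAction` enum and `SlidingSessionPolicy` are my names; like the answer, it assumes the event is raised for the first request after the RP session expires.

```csharp
// Added example, not the question's or the answer's own code: Global.asax.cs for the RP.
using System;
using System.IdentityModel.Services; // WIF 4.5
using System.Web;

public enum SessionAction { Keep, Renew, SignOut }

public static class SlidingSessionPolicy
{
    // Pure decision so it can be unit-tested without an HttpContext.
    // Renew only in the second half of the validity window (the question's rule),
    // and never after ValidTo: an expired token must go back to the STS.
    public static SessionAction Decide(DateTime validFrom, DateTime validTo, DateTime now)
    {
        if (now >= validTo)
            return SessionAction.SignOut;

        var halfway = validFrom + TimeSpan.FromTicks((validTo - validFrom).Ticks / 2);
        return now > halfway ? SessionAction.Renew : SessionAction.Keep;
    }
}

public class Global : HttpApplication
{
    private const int InactivityTimeout = 5; // minutes; constructed value for this example

    // Auto-wired by ASP.NET for the module registered as "SessionAuthenticationModule",
    // as in the question. Token times are UTC, so compare against DateTime.UtcNow.
    void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        var sam = (SessionAuthenticationModule)sender;
        var token = e.SessionToken;
        var now = DateTime.UtcNow;

        switch (SlidingSessionPolicy.Decide(token.ValidFrom, token.ValidTo, now))
        {
            case SessionAction.Renew:
                // Same renewal as the question: a fresh window of InactivityTimeout minutes.
                e.SessionToken = sam.CreateSessionSecurityToken(
                    token.ClaimsPrincipal,
                    token.Context,
                    now,
                    now.AddMinutes(InactivityTimeout),
                    token.IsPersistent);
                e.ReissueCookie = true;
                break;

            case SessionAction.SignOut:
                // Expired: delete the stale RP session cookie, then redirect the browser to the
                // configured issuer's sign-out endpoint (the answer's snippet). null = default replyUrl.
                sam.SignOut();
                var stsAddress = new Uri(FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Issuer);
                WSFederationAuthenticationModule.FederatedSignOut(stsAddress, null);
                break;

            default:
                // Keep: first half of the window, leave the token and cookie untouched.
                break;
        }
    }
}
```

With synchronized lifetimes (the answer's primary recommendation) the `SignOut` branch is never reached, because the STS session has expired at the same moment and WIF's own redirect takes over; it only matters in the unsynchronized setup the answer covers "for completeness".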

