10

We are having problems with Safari(and Opera) and from what I have read the FedAuth cookies are just too big.

There is an "neat trick" to fix this: "WIF RTM added a property to the SessionAuthenticationModule, IsSessionMode. When flipped to true, IsSessionMode has the effect of ensuring that the SessionSecurityToken remains in the cache for the whole duration of the session and generating a cookie which contains just a session identifier rather than the content of the session itself."

I have this code in global.asax:

void WSFederationAuthenticationModule_SessionSecurityTokenCreated(object sender, Microsoft.IdentityModel.Web.SessionSecurityTokenCreatedEventArgs e)
{
    FederatedAuthentication.SessionAuthenticationModule.IsSessionMode = true;
}

The Problem , "FederatedAuthentication.SessionAuthenticationModule.IsSessionMode = true" never runs ... why?

Is it related to the "PassiveSignInControl" to set IsSessionMode to true?

MSDN Post

your-fedauth-cookies-on-a-diet-issessionmode-true.aspx

From the book "Programming Windows® Identity Foundation":

"An interesting property of the SAM is IsSessionMode. When set to true, IsSessionMode has the effect of storing the bulk of the session on a server-side token cache instead of writing everything in the cookie. The cookie itself will just contain a small context identifier, which will be used for retrieving the session on the server. Unfortunately, in this version of the92 Part II Windows Identity Foundation for Identity Developers product there is no way to set IsSessionMode from the configuration file. You can set it via a property of the PassiveSignInControl, or in the global.asax file as follows(same code as above)"

ΩmegaMan
  • 29,542
  • 12
  • 100
  • 122
DoctorArnar
  • 160
  • 1
  • 8
  • OKay, it may sound after reading this comment like I have not been trying this for long but that's not true. I thought "WSFederationAuthenticationModule_SessionSecurityTokenCreated" would run each time a user logged in, now it runs at "random" with long brakes. It might be running when it's renewing the cookie. When is "WSFederationAuthenticationModule_SessionSecurityTokenCreated" supposed to run?? – DoctorArnar Oct 19 '11 at 19:24

4 Answers4

8

Old thread, but I believe SessionSecurityTokenCreated is the proper event to handle this--tested it and it works under "old WIF" and NET 4.5 with the appropriate namespace variations.

void WSFederationAuthenticationModule_SessionSecurityTokenCreated(object sender, System.IdentityModel.Services.SessionSecurityTokenCreatedEventArgs e)
{
    e.SessionToken.IsReferenceMode = true;
}
SKradel
  • 138
  • 2
  • 7
  • http://msdn.microsoft.com/en-us/library/system.identitymodel.tokens.sessionsecuritytoken.isreferencemode(v=vs.110).aspx *To operate in reference mode, Microsoft recommends providing a handler for the WSFederationAuthenticationModule.SessionSecurityTokenCreated event ... setting the IsReferenceMode property on the token passed in the SessionSecurityTokenCreatedEventArgs.SessionToken property. This will ensure that the session token operates in reference mode for every request and is favored over merely setting the SessionAuthenticationModule.IsReferenceMode property...* – ta.speot.is Jul 20 '14 at 23:25
3

Have you registered your event handler for the SessionSecurityTokenCreated event?

FederatedAuthentication.WSFederationAuthenticationModule.SessionSecurityTokenCreated 
    += this.WSFederationAuthenticationModule_SessionSecurityTokenCreated;

This line needs to be added to the Application_Start medthod in your Global.asax file.

The FederatedAuthentication class in in the namespace Microsoft.IdentityModel.Web.

Peter
  • 3,916
  • 1
  • 22
  • 43
  • 1
    We tried that and I don't have it in Application_Start because: `WSFederationAuthenticationModule 'Microsoft.IdentityModel.Web.FederatedAuthentication.WSFederationAuthenticationModule' threw an exception of type 'System.NullReferenceException' Microsoft.IdentityModel.Web.WSFederationAuthenticationModule {System.NullReferenceException}` – DoctorArnar Oct 20 '11 at 16:20
0

Hi try this: instead of the SessionSecurityTokenCreated event use the SecurityTokenValidated

In the global.ascx

void WSFederationAuthenticationModule_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e) 
{   
    FederatedAuthentication.SessionAuthenticationModule.IsSessionMode = true; 
}

Check the comment from Dominick Baier blog

cleftheris
  • 4,626
  • 38
  • 55
0

One important thing to note is how to handle SecurityTokenValidated and SessionSecurityTokenCreated events of WSFederationAuthenticationModule class.

Alternative 1 — auto event wire up in global.asax (explicit method names without manual wiring to events):

void WSFederationAuthenticationModule_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
{
    FederatedAuthentication.SessionAuthenticationModule.IsReferenceMode = true;
}

// or

void WSFederationAuthenticationModule_SessionSecurityTokenCreated(object sender, SessionSecurityTokenCreatedEventArgs e)
{
    e.SessionToken.IsReferenceMode = true;
}

Alternative 2 — manual method wiring to events in global.asax. The point is that it must not be in Application_Start but in overriden Init:

void Application_Start(object sender, EventArgs e)
{
    // Called only once on application start
    // This is not the right place to wire events for all HttpApplication instances
}

public override void Init()
{
    // Called for each HttpApplication instance
    FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenValidated += STV;
    FederatedAuthentication.WSFederationAuthenticationModule.SessionSecurityTokenCreated += SSTC;
}

void STV(object sender, SecurityTokenValidatedEventArgs e)
{
    FederatedAuthentication.SessionAuthenticationModule.IsReferenceMode = true;
}

// or

void SSTC(object sender, SessionSecurityTokenCreatedEventArgs e)
{
    e.SessionToken.IsReferenceMode = true;
}
tibx
  • 840
  • 13
  • 20