/// <summary>
/// Enables sliding expiration behavior of the user's session.
/// </summary>
/// <param name="e">The <see cref="SessionSecurityTokenReceivedEventArgs"/> instance containing the event data.</param>
protected override void OnSessionSecurityTokenReceived(SessionSecurityTokenReceivedEventArgs e)
{
base.OnSessionSecurityTokenReceived(e);
if (IsSlidingExpiration)
{
if (NeedsRenew(e.SessionToken))
{
var timeout = e.SessionToken.IsPersistent
? Timeout
: TimeSpan.FromMinutes(SessionHelpers.GetSessionTimeoutInMinutes);
e.SessionToken = CreateSessionSecurityToken(
e.SessionToken.ClaimsPrincipal,
e.SessionToken.Context,
DateTime.UtcNow,
DateTime.UtcNow.Add(timeout),
e.SessionToken.IsPersistent);
e.ReissueCookie = true;
}
}
if (e.SessionToken.ValidTo < DateTime.UtcNow)
{
DeleteSessionTokenCookie();
e.Cancel = true;
}
}
void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender,
SessionSecurityTokenReceivedEventArgs e)
{
System.Diagnostics.Trace.WriteLine("Handling SessionSecurityTokenReceived event");
// https://brockallen.com/2013/02/17/sliding-sessions-in-wif-with-the-session-authentication-module-sam-and-thinktecture-identitymodel/
SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
var handler =
(SessionSecurityTokenHandler)FederatedAuthentication.FederationConfiguration.IdentityConfiguration
.SecurityTokenHandlers[typeof(SessionSecurityToken)];
Console.WriteLine("Session Time {0} {1} {2} {3}", handler.TokenLifetime, DateTime.UtcNow,
e.SessionToken.ValidFrom, e.SessionToken.ValidTo);
/*var token = e.SessionToken;
*
* e.SessionToken =
* new SessionSecurityToken(
* token.ClaimsPrincipal,
* token.Context,
* DateTime.UtcNow,
* DateTime.UtcNow.AddMinutes(handler.TokenLifetime.Minutes))
* {
* IsPersistent = token.IsPersistent,
* IsReferenceMode = token.IsReferenceMode
* };
*
* e.ReissueCookie = true;*/
}
protected void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
// Initialize session timeout value from web.config
InitializeSessionTimeout();
var securityTokenHandler = ServiceConfiguration.SecurityTokenHandlers[typeof(SessionSecurityToken)] as SessionSecurityTokenHandler;
var maxClockSkew = securityTokenHandler.Configuration.MaxClockSkew;
DateTime now = DateTime.UtcNow;
DateTime validFrom = e.SessionToken.ValidFrom;
DateTime validTo = e.SessionToken.ValidTo;
double halfSpan = (validTo - validFrom).TotalMinutes / 2;
// Reissue sliding expiration token only if we're in the second half of the active session period.
// WIF book says this is the same strategy used by out-of-the-box ASP.NET Forms Authentication
if (validFrom.AddMinutes(halfSpan) < now && now < validTo.Add(maxClockSkew))
{
var sam = sender as SessionAuthenticationModule;
e.SessionToken = sam.CreateSessionSecurityToken(
e.SessionToken.ClaimsPrincipal,
e.SessionToken.Context,
now, now.AddMinutes(sessionTimeout.TotalMinutes), e.SessionToken.IsPersistent);
e.ReissueCookie = true;
}
}
void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
System.Diagnostics.Trace.WriteLine("Handling SessionSecurityTokenReceived event");
//var token = FederatedAuthentication.SessionAuthenticationModule.CreateSessionSecurityToken(e.SessionToken.ClaimsPrincipal, e.SessionToken.Context, e.SessionToken.ValidFrom, e.SessionToken.ValidTo, true);
//FederatedAuthentication.SessionAuthenticationModule.AuthenticateSessionSecurityToken(token, true);
}
/// <summary>
/// Module Event Hanlder.
/// Handles the SessionSecurityTokenReceived event of the SessionAuthenticationModule.
/// See 'Programming WIF', p.74 for more details.
/// </summary>
void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
var identity = (IClaimsIdentity)e.SessionToken.ClaimsPrincipal.Identity;
if (String.IsNullOrEmpty(identity.Label))
{
Claim nameIdentifierClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.NameIdentifier);
User user;
if (UserRepository.Instance.TryGetUser(nameIdentifierClaim.Value, out user))
{
identity.Label = user.Name;
}
}
}
void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
int minutes = 60;
DateTime now = DateTime.UtcNow;
DateTime validTo = e.SessionToken.ValidTo;
//This can reduce token updates count
if (now < validTo)
{
SessionAuthenticationModule sam = sender as SessionAuthenticationModule;
e.SessionToken = sam.CreateSessionSecurityToken(e.SessionToken.ClaimsPrincipal, e.SessionToken.Context, now, now.AddMinutes(minutes), e.SessionToken.IsPersistent);
e.ReissueCookie = true;
}
}
private void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
var now = DateTime.UtcNow;
var validFrom = e.SessionToken.ValidFrom;
var validTo = e.SessionToken.ValidTo;
// If the user is in the second half of their session
if (now < validTo && now > validFrom.Add(new TimeSpan((validTo.Ticks - validFrom.Ticks) / 2)))
{
var module = (SessionAuthenticationModule)sender;
e.SessionToken = module.CreateSessionSecurityToken(e.SessionToken.ClaimsPrincipal, e.SessionToken.Context,
now, now.AddMinutes(ConfigurationSettings.SESSION_TOKEN_REISSUE_DURATION_MINUTES), e.SessionToken.IsPersistent);
e.ReissueCookie = true;
}
}
protected override void OnSessionSecurityTokenReceived(SessionSecurityTokenReceivedEventArgs args)
{
base.OnSessionSecurityTokenReceived(args);
// Implement Sliding Sessions for Inactivity Timeout
DateTime now = DateTime.UtcNow;
DateTime validFrom = args.SessionToken.ValidFrom;
DateTime validTo = args.SessionToken.ValidTo;
double timeout = (validTo - validFrom).TotalMinutes;
// Reissue new session tokens if half of session lifetime has elapsed.
if (validFrom.AddMinutes(timeout / 2) < now && now < validTo)
{
args.SessionToken = this.CreateSessionSecurityToken(args.SessionToken.ClaimsPrincipal, args.SessionToken.Context, now, now.AddMinutes(timeout), args.SessionToken.IsPersistent);
args.ReissueCookie = true;
}
}
/// <summary>
/// Checks the current security token.
/// Updates the lifetime if the token is older than 5 minutes.
/// Deletes the token if it's expired.
/// </summary>
/// <param name="sam"></param>
/// <param name="e"></param>
/// <returns></returns>
public static void CheckSecurityToken(SessionAuthenticationModule sam, SessionSecurityTokenReceivedEventArgs e)
{
var now = DateTime.UtcNow;
var sst = e.SessionToken;
var validFrom = sst.ValidFrom;
var validTo = sst.ValidTo;
if (validTo > now && validFrom.AddMinutes(5) < now)
{
e.SessionToken = sam.CreateSessionSecurityToken(sst.ClaimsPrincipal, sst.Context, now, now + (validTo - validFrom), sst.IsPersistent);
e.ReissueCookie = true;
}
else if (validTo < now)
{
sam.DeleteSessionTokenCookie();
HttpContext.Current.Response.Redirect(HttpContext.Current.Request.RawUrl);
}
}
/// <summary>
/// Extend the lifetime of current user's session token (SharePoint FEDAUTH cookie) if the token is still valid and half of the lifetime has passed.
/// </summary>
/// <param name="sender">the event source</param>
/// <param name="e">the event arguments</param>
void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
double sessionLifetimeInMinutes = (e.SessionToken.ValidTo - e.SessionToken.ValidFrom).TotalMinutes;
var logonTokenCacheExpirationWindow = TimeSpan.FromSeconds(1);
SPSecurity.RunWithElevatedPrivileges(delegate()
{
logonTokenCacheExpirationWindow = Microsoft.SharePoint.Administration.Claims.SPSecurityTokenServiceManager.Local.LogonTokenCacheExpirationWindow;
});
DateTime now = DateTime.UtcNow;
DateTime validTo = e.SessionToken.ValidTo - logonTokenCacheExpirationWindow;
DateTime validFrom = e.SessionToken.ValidFrom;
if ((now < validTo) && (now > validFrom.AddMinutes((validTo - validFrom).TotalMinutes / 2)))
{
SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
e.SessionToken = sam.CreateSessionSecurityToken(e.SessionToken.ClaimsPrincipal,
e.SessionToken.Context, now, now.AddMinutes(sessionLifetimeInMinutes), e.SessionToken.IsPersistent);
e.ReissueCookie = true;
}
}
void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
var a = e.SessionToken;
}
protected void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
var now = DateTime.UtcNow;
var validFrom = e.SessionToken.ValidFrom;
var validTo = e.SessionToken.ValidTo;
var sessionLifetime = validTo.Subtract(e.SessionToken.ValidFrom);
var sessionTimeHasExpired = now > validTo;
var sessionTimeIsHalfExpired = now > validFrom.AddMinutes(sessionLifetime.TotalMinutes / 2);
// http://www.michael-mckenna.com/Blog/2013/2/the-problem-with-absolute-token-expiration-in-windows-identity-foundation-wif
if (!sessionTimeHasExpired && sessionTimeIsHalfExpired)
{
// If the session has not expired but the session lifetime is already half spent, reissue the cookie.
e.SessionToken = (sender as SessionAuthenticationModule).CreateSessionSecurityToken(e.SessionToken.ClaimsPrincipal, e.SessionToken.Context,
now, now.AddMinutes(sessionLifetime.TotalMinutes), e.SessionToken.IsPersistent);
e.ReissueCookie = true;
}
}
private void SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
HttpContext.Current.Items["WSSessionSecurityTokenReceived"] = true;
}
protected void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
var es = e.SessionToken;
System.Diagnostics.Trace.WriteLine("Handling SessionSecurityTokenReceived event");
}
protected void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
// The sliding expiration implementation will extend the token validity interval based on the current interval length when it is detected as expired.
var utcNow = DateTime.UtcNow;
var validFrom = e.SessionToken.ValidFrom;
var validTo = e.SessionToken.ValidTo;
if (validTo > utcNow)
{
return;
}
var sessionAuthenticationModule = sender as SessionAuthenticationModule;
if (sessionAuthenticationModule == null)
{
return;
}
var slidingExpiration = validTo - validFrom;
var newValidTo = utcNow + slidingExpiration;
e.SessionToken = sessionAuthenticationModule.CreateSessionSecurityToken(
e.SessionToken.ClaimsPrincipal, e.SessionToken.Context, utcNow, newValidTo, e.SessionToken.IsPersistent);
e.ReissueCookie = true;
}
protected void SessionAuthenticationModule_SessionSecurityTokenReceived( object sender, SessionSecurityTokenReceivedEventArgs e )
{
Logger.Debug(string.Format("SessionAuthenticationModule_SessionSecurityTokenReceived. Session security token has been read from a cookie. ValidTo: {0}. ValidFrom: {1} DateTime Utc: {2}", e.SessionToken.ValidTo, e.SessionToken.ValidFrom, DateTime.UtcNow));
// The sliding expiration implementation will extend the token validity interval based on the current interval length when it is detected as expired.
var utcNow = DateTime.UtcNow;
var validFrom = e.SessionToken.ValidFrom;
var validTo = e.SessionToken.ValidTo;
if ( validTo > utcNow )
{
return;
}
var sessionAuthenticationModule = sender as SessionAuthenticationModule;
if ( sessionAuthenticationModule == null )
{
return;
}
var slidingExpiration = validTo - validFrom;
var newValidTo = utcNow + slidingExpiration;
e.SessionToken = sessionAuthenticationModule.CreateSessionSecurityToken (
e.SessionToken.ClaimsPrincipal, e.SessionToken.Context, utcNow, newValidTo, e.SessionToken.IsPersistent );
e.ReissueCookie = true;
Logger.Debug( string.Format( "Expired session token detected. ReissueCookie called to create new session token from SessionAuthenticationModule_SessionSecurityTokenReceived. ValidTo: {0}. ValidFrom: {1} DateTime Utc: {2}", e.SessionToken.ValidTo, e.SessionToken.ValidFrom, DateTime.UtcNow ) );
}
private void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
// Handle a user inactivity timeout.
if (e.SessionToken.ValidTo < DateTime.UtcNow)
{
// Remove the application cookies, etc.
WSFederationAuthenticationModule WsFam = FederatedAuthentication.WSFederationAuthenticationModule;
WsFam.SignOut(false);
// Uncomment the following to end the session with AAD on inactivity timeout. But this will result in a single sign out from all apps.
//SignOutRequestMessage signOutRequestMessage = new SignOutRequestMessage(new Uri(WsFam.Issuer), WsFam.Reply + "Account/Logout");
//String signOutRequest = signOutRequestMessage.WriteQueryString() + "&wtrealm=" + WsFam.Realm;
//Response.Redirect(signOutRequest);
}
}
/// <summary>
/// Enables sliding expiration behavior of the user's session.
/// </summary>
/// <param name="e">The <see cref="SessionSecurityTokenReceivedEventArgs"/> instance containing the event data.</param>
protected override void OnSessionSecurityTokenReceived(SessionSecurityTokenReceivedEventArgs e)
{
base.OnSessionSecurityTokenReceived(e);
if (IsSlidingExpiration)
{
if (NeedsRenew(e.SessionToken))
{
var timeout = e.SessionToken.IsPersistent
? Timeout
: TimeSpan.FromMinutes(SessionHelpers.GetSessionTimeoutInMinutes);
e.SessionToken = CreateSessionSecurityToken(
e.SessionToken.ClaimsPrincipal,
e.SessionToken.Context,
DateTime.UtcNow,
DateTime.UtcNow.Add(timeout),
e.SessionToken.IsPersistent);
e.ReissueCookie = true;
}
}
if (e.SessionToken.ValidTo < DateTime.UtcNow)
{
DeleteSessionTokenCookie();
e.Cancel = true;
}
}
protected void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
Logger.Debug(string.Format("SessionAuthenticationModule_SessionSecurityTokenReceived. Session security token has been read from a cookie. ValidTo: {0}. ValidFrom: {1} DateTime Utc: {2}", e.SessionToken.ValidTo, e.SessionToken.ValidFrom, DateTime.UtcNow));
// The sliding expiration implementation will extend the token validity interval based on the current interval length when it is detected as expired.
var utcNow = DateTime.UtcNow;
var validFrom = e.SessionToken.ValidFrom;
var validTo = e.SessionToken.ValidTo;
if (validTo > utcNow)
{
return;
}
var sessionAuthenticationModule = sender as SessionAuthenticationModule;
if (sessionAuthenticationModule == null)
{
return;
}
var slidingExpiration = validTo - validFrom;
var newValidTo = utcNow + slidingExpiration;
e.SessionToken = sessionAuthenticationModule.CreateSessionSecurityToken(
e.SessionToken.ClaimsPrincipal, e.SessionToken.Context, utcNow, newValidTo, e.SessionToken.IsPersistent);
e.ReissueCookie = true;
Logger.Debug(string.Format("Expired session token detected. ReissueCookie called to create new session token from SessionAuthenticationModule_SessionSecurityTokenReceived. ValidTo: {0}. ValidFrom: {1} DateTime Utc: {2}", e.SessionToken.ValidTo, e.SessionToken.ValidFrom, DateTime.UtcNow));
}
void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
}
void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
//throw new NotImplementedException();
}
private void CustomAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
Debug.WriteLine("SessionSecurityTokenReceived. SessionSecurityToken:" + e.SessionToken.Id + " KeyExpirationTime:" + e.SessionToken.KeyExpirationTime);
}
private void CustomAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
Debug.WriteLine("SessionSecurityTokenReceived. SessionSecurityToken:" + e.SessionToken.Id + " KeyExpirationTime:" + e.SessionToken.KeyExpirationTime);
}
