asp.net - Is SessionSecurityToken lifeTime the same as sessionTokenRequirement lifetime?


I'm migrating Forms Authentication in WebForms across to Microsoft Identity.

When creating a SessionSecurityToken using a ClaimsPrincipal cp object, I have this code:

    Dim token As New SessionSecurityToken(cp, TimeSpan.FromMinutes(30))

However, in web.config I see this:

    <configSections>
        <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </configSections>
    <system.identityModel>
        <identityConfiguration>
            <securityTokenHandlers>
                <add type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
                    <sessionTokenRequirement lifetime="00:30:00" /><!-- 30 minutes -->
                </add>
            </securityTokenHandlers>
        </identityConfiguration>
    </system.identityModel>

Are these the same thing? To prove I did RTFM, the sessionTokenRequirement lifetime is defined as:

Specifies the lifetime of session tokens.

The SessionSecurityToken lifetime is defined as:

The period from the current time during which the token is valid. The ValidFrom property is set to UtcNow and the ValidTo property is set to ValidFrom plus the period specified by this parameter.

The former seems vague, so I'm not sure.

In application federation or claims-based authentication, there are 2 entities: the relying party (RP) and the identity provider (IdP).

In the Microsoft world, ADFS is typically the IdP, and the application that depends on ADFS for authentication is the RP.

On authentication, the IdP generates a claims token signed with the IdP certificate. The RP accepts the claims token after various validation, including of the digital signature using the IdP's certificate. Upon successful validation of the claims token, the RP issues a session token in the form of a cookie. The default name of the cookie is FedAuth. The sessionTokenRequirement lifetime parameter is associated with the FedAuth token's lifetime.

The SessionSecurityToken lifetime is associated with the lifetime of the claims token issued by the IdP.

Please refer to: http://brockallen.com/2013/02/14/configuring-session-token-lifetime-in-wif-with-the-session-authentication-module-sam-and-thinktecture-identitymodel/

http://msdn.microsoft.com/en-us/library/hh568645(v=vs.110).aspx
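
A way to check both values side by side in a running application, as an added example that is not code from the question or the answer: it reads the lifetime held by the registered SessionSecurityTokenHandler and compares it with the validity window of a token built in code before the cookie is written. The module and function names are hypothetical, and it assumes the SessionAuthenticationModule is registered in web.config and the code runs inside a request.

```vb
Imports System
Imports System.IdentityModel.Services
Imports System.IdentityModel.Tokens
Imports System.Security.Claims

' Hypothetical helper module (names are assumptions, not part of WIF).
Public Module SessionLifetimeCheck

    ' Lifetime taken from <sessionTokenRequirement lifetime="..."/>,
    ' or Nothing when no SessionSecurityTokenHandler is registered.
    Public Function GetConfiguredLifetime() As TimeSpan?
        Dim idConfig = FederatedAuthentication.FederationConfiguration.IdentityConfiguration
        Dim handler = TryCast(idConfig.SecurityTokenHandlers(GetType(SessionSecurityToken)),
                              SessionSecurityTokenHandler)
        If handler Is Nothing Then Return Nothing
        Return handler.TokenLifetime
    End Function

    ' Validity window actually carried by a token instance.
    Public Function GetTokenWindow(token As SessionSecurityToken) As TimeSpan
        Return token.ValidTo - token.ValidFrom
    End Function

    ' Builds the token in code, reports any mismatch with the configured
    ' value, then writes the session cookie (FedAuth by default).
    Public Function IssueSession(cp As ClaimsPrincipal, lifetime As TimeSpan) As SessionSecurityToken
        If lifetime <= TimeSpan.Zero Then
            Throw New ArgumentOutOfRangeException(NameOf(lifetime))
        End If

        Dim token As New SessionSecurityToken(cp, lifetime)
        Dim configured = GetConfiguredLifetime()
        Dim window = GetTokenWindow(token)

        If configured.HasValue AndAlso configured.Value <> window Then
            ' Two different session lifetimes are in play: make it visible.
            Diagnostics.Trace.TraceWarning(
                "Session lifetime mismatch: code={0}, web.config={1}",
                window, configured.Value)
        End If

        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token)
        Return token
    End Function
End Module
```

Logging `token.ValidFrom` and `token.ValidTo` from the returned token shows the window that the issued cookie's token carries.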

