Tuesday, July 10, 2012

Sliding sessions

Sliding sessions in SharePoint 2010

Published by fboerr on April 15th, 2011 3:29 pm under identity

The scenario

In a SharePoint federated scenario, the user session has the same validity time as the SAML token.
If the user is inactive during a certain period of time, the session must expire.

Implementation in SharePoint

To achieve this behavior, SharePoint provides a configuration called LogonTokenCacheExpirationWindow.
The way it works is detailed in the chart below.
[Chart: how LogonTokenCacheExpirationWindow governs session expiry; image not reproduced here]

Global.asax

Re-issuing the token on every request to the server may carry a performance penalty, so the code below is optimized to issue a new session token only after a certain period of time has elapsed. Note that with this approach the inactivity period after which the user is signed out is half of the LogonTokenCacheExpirationWindow.
E.g.: If the LogonTokenCacheExpirationWindow is 40 minutes:
  • For the first 20 minutes the token is not reissued.
  • If the user interacts with the server during the last 20 minutes, a new session token is issued.
  • If the user is inactive during the last 20 minutes, he will be signed out.
The Global.asax of the SharePoint website has to be replaced/updated with the following code:
<%@ Application Language="C#" Inherits="Microsoft.SharePoint.ApplicationRuntime.SPHttpApplication" %>
<%@ Import Namespace="System" %>
<%@ Import Namespace="Microsoft.IdentityModel.Web" %>
<%@ Import Namespace="Microsoft.SharePoint.IdentityModel" %>
<script Language="C#" RunAt="server">
    public override void Init()
    {
        base.Init();
        // Hook the WIF session module so every incoming session cookie can be inspected.
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        sam.SessionSecurityTokenReceived += SessionAuthenticationModule_SessionSecurityTokenReceived;
    }

    private void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        // Full lifetime of the current session token; reused for the reissued token.
        double sessionLifetimeInMinutes = (e.SessionToken.ValidTo - e.SessionToken.ValidFrom).TotalMinutes;

        // Read the farm-level setting; elevation is required to reach the STS manager.
        TimeSpan logonTokenCacheExpirationWindow = TimeSpan.FromSeconds(1);
        Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            logonTokenCacheExpirationWindow =
                Microsoft.SharePoint.Administration.Claims.SPSecurityTokenServiceManager.Local.LogonTokenCacheExpirationWindow;
        });

        DateTime now = DateTime.UtcNow;
        // SharePoint stops accepting the token LogonTokenCacheExpirationWindow before its ValidTo.
        DateTime validTo = e.SessionToken.ValidTo - logonTokenCacheExpirationWindow;
        DateTime validFrom = e.SessionToken.ValidFrom;

        // Reissue only during the second half of the effective lifetime, so the cookie
        // is not rewritten on every request.
        if ((now < validTo) && (now > validFrom.AddMinutes((validTo - validFrom).TotalMinutes / 2)))
        {
            SPSessionAuthenticationModule spsam = sender as SPSessionAuthenticationModule;
            e.SessionToken = spsam.CreateSessionSecurityToken(e.SessionToken.ClaimsPrincipal, e.SessionToken.Context,
                now, now.AddMinutes(sessionLifetimeInMinutes), e.SessionToken.IsPersistent);
            e.ReissueCookie = true;
        }
    }
</script>
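As an added illustration (not code from the original post), the Python model below reproduces the handler's decision for a single request and replays a sequence of requests, so the three phases of the 40-minute example above can be checked end to end. The 80-minute session token lifetime is an assumed value, chosen so that the effective lifetime after subtracting the 40-minute window is 40 minutes; the logon time is constructed.

```python
from datetime import datetime, timedelta, timezone


def classify_request(valid_from, valid_to, window, now):
    """Decision the Global.asax handler takes for one request.

    SharePoint stops accepting the token LogonTokenCacheExpirationWindow
    before its ValidTo, so that earlier moment is the effective expiry.
    Returns "keep" (first half of the effective lifetime: token untouched),
    "reissue" (second half: fresh token, the session slides) or
    "expired" (effective lifetime over: the user is signed out).
    """
    effective_valid_to = valid_to - window
    if now >= effective_valid_to:
        return "expired"
    halfway = valid_from + (effective_valid_to - valid_from) / 2
    return "reissue" if now > halfway else "keep"


def simulate(request_minutes, lifetime_minutes, window_minutes):
    """Replay requests (minute offsets from logon) against a sliding session.

    lifetime_minutes is the full ValidTo - ValidFrom span, which the handler
    reuses when it reissues. Returns (minute, outcome) pairs; once a request
    finds the token expired the user is signed out for good.
    """
    start = datetime(2011, 4, 15, 12, 0, tzinfo=timezone.utc)  # constructed logon time
    lifetime = timedelta(minutes=lifetime_minutes)
    window = timedelta(minutes=window_minutes)
    valid_from, valid_to = start, start + lifetime
    signed_out, results = False, []
    for minute in request_minutes:
        now = start + timedelta(minutes=minute)
        outcome = "expired" if signed_out else classify_request(valid_from, valid_to, window, now)
        if outcome == "reissue":
            # Mirrors CreateSessionSecurityToken(..., now, now + lifetime, ...)
            valid_from, valid_to = now, now + lifetime
        elif outcome == "expired":
            signed_out = True
        results.append((minute, outcome))
    return results


if __name__ == "__main__":
    # 40-minute window as in the post; the 80-minute token lifetime is an assumption
    # that yields an effective 40-minute session (first 20 keep, last 20 reissue).
    for minute, outcome in simulate([10, 25, 40, 60, 110, 115], 80, 40):
        print(f"t+{minute:3d} min: {outcome}")
```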

Updating the LogonTokenCacheExpirationWindow in SharePoint using PowerShell

To update the LogonTokenCacheExpirationWindow, run the following PowerShell.
This example sets the window to 40 minutes:
$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 40)
$sts.Update()
iisreset
