SessionAuthenticationModule.SessionSecurityTokenReceived Event


Occurs when a session security token has been read from a cookie.

 event EventHandler<System::IdentityModel::Services::SessionSecurityTokenReceivedEventArgs ^> ^ SessionSecurityTokenReceived;
public event EventHandler<System.IdentityModel.Services.SessionSecurityTokenReceivedEventArgs> SessionSecurityTokenReceived;
member this.SessionSecurityTokenReceived : EventHandler<System.IdentityModel.Services.SessionSecurityTokenReceivedEventArgs> 
Public Event SessionSecurityTokenReceived As EventHandler(Of SessionSecurityTokenReceivedEventArgs) 


The following code shows a handler for the SessionSecurityTokenReceived event implemented in the global.asax.cs file of an ASP.NET web application. You must also add the handler to the event. A more complete example is shown in the SessionAuthenticationModule overview topic.

void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
    System.Diagnostics.Trace.WriteLine("Handling SessionSecurityTokenReceived event");


The SessionSecurityTokenReceived event is raised from within the OnAuthenticateRequest method after a session token (SessionSecurityToken) has been successfully read from the session cookie.

You can use this event to modify properties of the session token before it is passed further along the pipeline and is used to authenticate the entity making the request (user). One of the most common scenarios involves modifying the session expiration time (accessible through the SessionSecurityToken.ValidTo property) to override the session expiration time set in configuration through the lifetime attribute of the <sessionTokenRequirement> element. By modifying this property on each request, you can implement a sliding session; that is, a session in which the lifetime is extended each time the user accesses the site.

In an event handler, you can access the token through the SessionSecurityTokenReceivedEventArgs.SessionToken property. After modifying the token, you can ensure that it is written back to the cookie by setting the SessionSecurityTokenReceivedEventArgs.ReissueCookie to true. Finally, the SessionSecurityTokenReceived event is a cancelable event, and you can set the Cancel property of the SessionSecurityTokenReceivedEventArgs to abort further processing of the request.

Applies to