Session Token Security
Defines a security token that contains data associated with a session.
C++/CLI: public ref class SessionSecurityToken : System::IdentityModel::Tokens::SecurityToken
C#: [System.Serializable] public class SessionSecurityToken : System.IdentityModel.Tokens.SecurityToken
F#: type SessionSecurityToken = class inherit SecurityToken
Visual Basic: Public Class SessionSecurityToken Inherits SecurityToken
A session token stores the ClaimsPrincipal of the user that is associated with a session, as well as other parameters that define the session; for example, the session start and end times.
In passive scenarios, the WSFederationAuthenticationModule calls into the SessionAuthenticationModule (SAM) from the authentication pipeline to create a session token from the ClaimsPrincipal that represents the authenticated user. The SAM uses its configured SessionSecurityTokenHandler to create the token and to serialize it into a cookie (and to deserialize the token from the cookie on subsequent requests). The SAM uses an instance of its configured CookieHandler class to write the cookie to the HTTP response. This cookie is returned to the client, and on subsequent requests the client can present the cookie rather than making a round trip back to the identity provider to re-obtain a security token. For more information about how sessions operate with WIF, see WIF Session Management. For information about using sessions in Web farm scenarios, see WIF and Web Farms.
A session token may or may not operate in reference mode. If the session token is not operating in reference mode, the entire token is serialized into the session cookie that is stored on the client. The serialized session token can be quite large, so the cookie stored on the client can also be quite sizeable. In reference mode, rather than serializing the entire session token into the cookie, the token is stored in a session security token cache and only the information used to generate the key needed to retrieve the token from the cache is stored in the cookie. This can greatly reduce the size of the cookie. The session token cache is implemented by a class derived from SessionSecurityTokenCache, and the cache key is implemented by the SessionSecurityTokenCacheKey class. The ContextId and KeyGeneration properties are used by the SessionSecurityTokenCacheKey class to generate the cache key.
The IsReferenceMode property determines whether the session token is in reference mode or not.
To operate in reference mode, Microsoft recommends providing a handler for the WSFederationAuthenticationModule.SessionSecurityTokenCreated event in the global.asax.cs file and setting the IsReferenceMode property on the token passed in the SessionSecurityTokenCreatedEventArgs.SessionToken property. This ensures that the session token operates in reference mode for every request, and is preferred over merely setting the SessionAuthenticationModule.IsReferenceMode property on the Session Authentication Module.
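The recommended SessionSecurityTokenCreated handler, as an added example that is not part of this reference page. It assumes the WIF 4.5 namespaces (System.IdentityModel.Services, System.IdentityModel.Tokens), the Global.asax convention of auto-wiring methods named <ModuleName>_<EventName> to module events, and an 8-hour absolute session lifetime cap chosen here purely for illustration.

```csharp
// Global.asax.cs (added example). WIF auto-wires Global.asax methods named
// <ModuleName>_<EventName> to the corresponding HTTP module event, so this
// method runs each time WSFederationAuthenticationModule creates a session
// token after a successful sign-in.
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Web;

public class Global : HttpApplication
{
    // Assumed policy value for this example: cap absolute session lifetime.
    private static readonly TimeSpan MaxSessionLifetime = TimeSpan.FromHours(8);

    void WSFederationAuthenticationModule_SessionSecurityTokenCreated(
        object sender, SessionSecurityTokenCreatedEventArgs e)
    {
        SessionSecurityToken token = e.SessionToken;

        // ValidFrom/ValidTo are read-only, so a shorter-lived token has to be
        // re-issued through the SAM, carrying over the same principal/context.
        DateTime cappedValidTo = token.ValidFrom.Add(MaxSessionLifetime);
        if (token.ValidTo > cappedValidTo)
        {
            SessionAuthenticationModule sam =
                FederatedAuthentication.SessionAuthenticationModule;
            token = sam.CreateSessionSecurityToken(
                token.ClaimsPrincipal,
                token.Context,
                token.ValidFrom,
                cappedValidTo,
                isPersistent: false);
        }

        // Reference mode: the cookie carries only what is needed to rebuild the
        // SessionSecurityTokenCacheKey (ContextId + KeyGeneration); the token
        // itself stays in the server-side SessionSecurityTokenCache.
        token.IsReferenceMode = true;

        // Non-persistent: the browser discards the cookie when it closes.
        token.IsPersistent = false;

        e.SessionToken = token;
        e.WriteSessionCookie = true;
    }
}
```

Reference mode depends on the configured SessionSecurityTokenCache; in a web farm that cache must be shared across nodes, as described in WIF and Web Farms.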
The SessionSecurityTokenHandler class provided with WIF serializes the session token as a WS-Secure Conversation
| Property | Description |
|---|---|
| ClaimsPrincipal | Gets the claims principal associated with the session. |
| Context | Gets a user-specified context value. |
| ContextId | Gets the session context identifier. |
| EndpointId | Gets the ID of the endpoint to which this token is scoped. |
| Id | Gets the unique identifier of this token. |
| IsPersistent | Gets or sets a value that indicates whether the cookie represented by this token is persistent. |
| IsReferenceMode | Gets or sets a value that indicates whether the session security token is operating in reference mode. |
| KeyEffectiveTime | Gets the time instant from which the key in this token is valid. |
| KeyExpirationTime | Gets the time instant after which the key in this token is no longer valid. |
| KeyGeneration | Gets the identifier for the key generation in this token. |
| SecureConversationVersion | Gets a URI that identifies the version of WS-Secure Conversation that is used to serialize this session security token. |
| SecurityKeys | Gets the keys associated with this session. This is usually a single key. |
| ValidFrom | Gets the time instant from which the token is valid. |
| ValidTo | Gets the time instant after which the token is no longer valid. |