Set Azure AppFabric Access Control Service cookie expiration time

2
votes

I'm using Azure's Access Control Service in an ASP.NET MVC 3 application. I can successfully login, read all the claim data I need etc. Everything works fine, except for one thing. After some time (less than an hour) the authentication cookies seem to expire (at least they don't show up in the request's cookie collection anymore).

I'm still using the development emulation, without SSL (except for the authentication service itself).

I am using the following action filter to restrict access to some controllers:

public class PersonLoginFilter : ActionFilterAttribute, IActionFilter
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        base.OnActionExecuting(filterContext);

        // Check whether the user is logged in
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
             // ...
        }
    }
}

How can I increase the expiration time? Or would it be appropriate to manually renew the cookies in my action filter?

Thanks in advance!

1
c#asp.net-mvc-3httpcookieazure-appfabricaccesscontrolservice

1 Answers

2
votes

The token that ACS generates also has an expiration time (which you can set in the management portal, with a max of around 24hrs) but you can also set a value in the web.config

<securityTokenHandlers> 
<add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler..."> 
<sessionTokenRequirement lifetime="0:02" /> 
</add> 
</securityTokenHandlers>

ASP.NET takes the smallest value of the two.

For more information I'd suggest this blog post: http://blogs.msdn.com/b/vbertocci/archive/2010/06/16/warning-sliding-sessions-are-closer-than-they-appear.aspx

It doesn't answer your question explicitly but it covers the concepts regarding expiration in it's discussion of a Sliding Session Security Token.