views:

64

answers:

2

I'm using the Windows Identity Foundation (WIF) Security Token Service (STS) to handle authentication for my application which is working all well and good. However I can't seem to get any long running login with the STS.

From my understanding I shouldn't care about the client tokens at the application level since they can expire all they want to and it should redirect me to the STS and as long as they're still logged in on the STS it should refresh their application token. Yet it doesn't seem to want to keep them signed in.

Here's what occurs in my login.aspx on the STS

var cookie = FormsAuthentication.GetAuthCookie(userName, persistTicket);

if (persistTicket)
    cookie.Expires = DateTime.Now.AddDays(14);

Response.Cookies.Add(cookie);

var returnUrl = Request.QueryString["ReturnUrl"];
Response.Redirect(returnUrl ?? "default.aspx");

Which was taken almost directly from existing application using normal Forms Auth.

From my web.config

<authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" timeout="2880" 
      name=".STS" path="/" requireSSL="false" slidingExpiration="true" 
      defaultUrl="default.aspx" cookieless="UseDeviceProfile" 
      enableCrossAppRedirects="false" />
</authentication>

Looking at the cookie after I sign in I can see the expires time on the cookie is set for 14 days in the future and that the cookie is NOT a session cookie.

When I'm required to log back into the STS I can see that my original cookie is still there.

Is there some kind of time stamp functionality that the STS embeds into the cookie that is invalidating my cookie even though as far as I know it should still be valid?

A: 

If you are using passive redirects, do you have persistentCookiesOnPassiveRedirects set to true?

<wsFederation passiveRedirectEnabled="true"
    persistentCookiesOnPassiveRedirects="true" />
uosɐſ
This wasn't what I was looking for since this would create a persistent client site ticket as opposed to persistent STS server ticket but it connected the thought process that allowed me to understand the real issue. So I awarded you the bounty for your aid.
Chris Marisic
Thanks. I'm sorry it wasn't more on target, but I'm glad you solved it anyway.
uosɐſ
+1  A: 

After reading the suggestion from @uosel this lead me down the path of doing more indepth analysis on what exactly is occurring here. Whereas my goal is to create a persistent cookie only for the STS itself and not for the STS consuming sites. This way I can always validate the user at the STS level at any expiration of a STS consuming site.

With more locomotion in this train of thought it dawned on me that the STS starter site uses forms auth to secure the actual WIF authorization that occurs in the index.aspx. That the issue was I had no logic that would use an existing forms auth ticket to process the transfer to the forms auth secured index page.

This lead me to a solution similar to

if(User.Identity.IsAuthenticated)
{    
    if(IsValidUserCredentials())
    {
       var returnUrl = Request.QueryString["ReturnUrl"];
       Response.Redirect(returnUrl ?? "default.aspx");
    }    
}
else
{
    DisplayLoginForm()
}
Chris Marisic