3

I have a passive STS set up for a new application I'm working on.

I've noticed that when a user's session expires, the user is still authenticated. I would have thought that when the session expires, the user would no longer be authenticated. My boss discussed this with me as I am currently charged with setting up the authentication. He says that it would be good if we could make the user's log on expire after a certain period of inactivity similar to how the session expires.

I am familiar with how to sign a user out with a few lines of code. How can I make it so that the user is automatically signed out after a specified period of inactivity?

Currently, I have some code in the global.asax file that programmatically checks when the last request was and compares it to the current time; it then signs the user out if a certain period of time has expired.

Vivian River

1 Answer

3

Peter Kron has proposed an answer in your MSDN thread:

Handle the SessionSecurityTokenCreated event raised by WSFederationAuthenticationModule. In that you can create a new SessionSecurityToken from the proposed token, and set the lifetime as you please.

http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/6b6d51ea-9c15-4744-800b-dd1379b495c3

Andrew Lavers
  • With so many things on my plate, I had actually forgotten that I started that thread. Thanks! – Vivian River Jun 15 '10 at 14:20
  • 1
    You must also put `e.ReissueCookie = true` in the handler method or else it won't work :-/ – Vivian River Jun 23 '10 at 15:02
  • This doesn't work for me. I have wired in the same, but the "Created" event DOES NOT HAVE a `"e.ReissueCookie"` property, and I keep reading how critical this is. My expiration is getting set correctly, but I'm still authenticated well beyond the expiration date. – Nexxas Nov 02 '11 at 18:36
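
The approach from the answer combined with the `e.ReissueCookie` point raised in the comments, as an added example that is not part of the original posts: the `SessionSecurityTokenCreated` handler sets the initial lifetime, and the `SessionSecurityTokenReceived` event of `SessionAuthenticationModule` (the one whose event args carry `ReissueCookie`) slides it forward on activity. Assumptions: WIF 1.0 (`Microsoft.IdentityModel`), both modules registered in web.config under the names `WSFederationAuthenticationModule` and `SessionAuthenticationModule` so that Global.asax wires the handlers by name, and a 20-minute `IdleTimeout`; the `Reissue` helper is a hypothetical name.

```csharp
// Global.asax.cs (added example; assumes WIF 1.0, Microsoft.IdentityModel)
using System;
using System.Web;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class Global : HttpApplication
{
    // Assumed inactivity window; not a value from the thread.
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);

    // Hypothetical helper: same principal and context, lifetime restarted at "now".
    private static SessionSecurityToken Reissue(SessionSecurityToken current)
    {
        DateTime now = DateTime.UtcNow;
        return FederatedAuthentication.SessionAuthenticationModule.CreateSessionSecurityToken(
            current.ClaimsPrincipal, current.Context,
            now, now.Add(IdleTimeout), current.IsPersistent);
    }

    // Sign-in: replace the proposed token so the session starts with a short
    // lifetime instead of the lifetime taken from the STS-issued token.
    void WSFederationAuthenticationModule_SessionSecurityTokenCreated(
        object sender, SessionSecurityTokenCreatedEventArgs e)
    {
        e.SessionToken = Reissue(e.SessionToken);
    }

    // Every later request: the session cookie has been read back into a token.
    // Renew only while the token is still valid and past half its lifetime,
    // so the cookie is not rewritten on every request. An expired token is
    // never renewed here.
    void SessionAuthenticationModule_SessionSecurityTokenReceived(
        object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        DateTime now = DateTime.UtcNow;
        DateTime halfway = e.SessionToken.ValidFrom.AddTicks(IdleTimeout.Ticks / 2);
        if (now > halfway && now < e.SessionToken.ValidTo)
        {
            e.SessionToken = Reissue(e.SessionToken);
            e.ReissueCookie = true; // without this the renewed token is not written back
        }
    }
}
```

Because renewal happens only in the second half of the lifetime, the effective inactivity timeout falls between `IdleTimeout / 2` and `IdleTimeout`.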