To make it short: to switch to SessionMode (cache to server) in ASP.NET, you need to handle an event and set a property. Sounds easy – but you need to set it in the right place.
The most popular blog post about this topic is from Vittorio. He advises to set IsSessionMode in WSFederationAuthenticationModule_SessionSecurityTokenCreated.
Now there were some open questions on forum, like this one. So I decided to try it myself – and indeed it didn’t work for me as well. So I digged a little deeper, and after some trial and error I found the right place (in global.asax):
object sender, SecurityTokenValidatedEventArgs e)
FederatedAuthentication.SessionAuthenticationModule.IsSessionMode = true;
Not sure if anything has changed since Vittorio’s post – but this worked for me.
While playing around, I also wrote a little diagnostics tool that allows you to look into the session cookie (for educational purposes). Will post that soon.
I moved my application to .NET framework 4.5 and it looks like this property is not included in the new version of WIF.. So far, my application didn’t experience any problems.
Not sure if this issue is fixed in the new version…
Do you know ?
It works differently in 4.5 – and what issue do you mean?
WIF 1.0 when used with Azure ACS creates large cookies… Safari and Opera browsers don’t support large cookies so they are truncated. As a result of that, the application crashes.
This issue is avoided using Session Mode. When Federated Authentication is used in session mode, the data itself is stored on the server and only an identifier is stored on the client cookie.
But it has been changed in the new version of WIF 4.5.
Do you know how to set the session mode in WIF 4.5?
Pingback: Switching to ReferenceMode in ASP.NET 4.5 | www.leastprivilege.com