When using the session facility in WIF (e.g. in ASP.NET with the SessionAuthenticationModule), the session token must be protected somehow. By default WIF uses the Windows built-in DPAPI mechanism.
While DPAPI is easy to use in single-server scenarios it has some shortcomings:
- DPAPI requires the IIS user profile to be loaded. This can be a problem when you don’t have admin access to IIS (e.g. in hosted scenarios like Azure Web Sites [here]).
- DPAPI only works for non load-balanced scenarios since the DPAPI key is machine specific.
One workaround was to provide a different implementation of the protection pipeline, e.g. using X.509 certificates. This wasn’t horribly hard to do but requires some custom code and setup.
In .NET 4.5 there’s a new out-of-the-box protection mechanism using the ASP.NET machine key which may be exactly the right option (for certain scenarios). But since most of you are not running .NET 4.5 – I quickly wrote an implementation of that token handler for .NET 4.0 and made it available as part of Thinktecture.IdentityModel.
To replace the built-in session token handler with the machine key based one, do this:
- Make sure your machine keys are synced when using a web farm.
- Download Thinktecture.IdentityModel (either as source code from github, or using Nuget).
- Replace the session handler in WIF config:
Microsoft.IdentityModel, Version=18.104.22.168, Culture=neutral, PublicKeyToken=31bf3856ad364e35“ />
<add type=“Thinktecture.IdentityModel.Web.MachineKeySessionSecurityTokenHandler, Thinktecture.IdentityModel“ />