
Configuring machine key protection of session tokens in WIF and Thinktecture IdentityModel

February 18, 2013

Session tokens in WIF, by default, are protected with DPAPI, which auto-generates a key that is specific to the machine. This means that, by default, a session token issued on one server cannot be read on another, so session tokens won’t work in a web farm. Session tokens can be configured to use the ASP.NET <machineKey> for protection instead. This is achieved by using the MachineKeySessionSecurityTokenHandler as the session security token handler configured in web.config:

<system.identityModel>
  <identityConfiguration>

    <securityTokenHandlers>
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler,
                    System.IdentityModel, Version=4.0.0.0, Culture=neutral,
                    PublicKeyToken=B77A5C561934E089" />

      <add
        type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler,
              System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral,
              PublicKeyToken=B77A5C561934E089">
        <sessionTokenRequirement lifetime="00:30:00"></sessionTokenRequirement>
      </add>
    </securityTokenHandlers>

  </identityConfiguration>
</system.identityModel>

Notice this is configured similarly to what is described here for setting the session security token duration. Also notice that the MachineKeySessionSecurityTokenHandler supports the same configuration with the <sessionTokenRequirement> element and its lifetime attribute.

Just as with the normal session security token handler, in Thinktecture IdentityModel a ConfigureMackineKeyProtectionForSessionTokens API was developed to allow this configuration to be performed in code from Application_Start in global.asax:

protected void Application_Start()
{
    PassiveSessionConfiguration.ConfigureMackineKeyProtectionForSessionTokens();
}

This API will trigger the use of the machine key session security token handler and it will use the same session token lifetime as configured with the ConfigureDefaultSessionDuration API described here.
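For a site that does not use the Thinktecture helper, the same handler swap can be done in code with WIF alone. The following is an added example, not code from the post or from Thinktecture IdentityModel; it assumes .NET 4.5 (System.IdentityModel.Services) and that web.config carries an explicit <machineKey> with the same validationKey and decryptionKey on every farm node, since the handler protects the cookie with that key.

```csharp
// Added example, not part of the original post or the Thinktecture IdentityModel project.
// Replaces the DPAPI-based SessionSecurityTokenHandler with MachineKeySessionSecurityTokenHandler
// at startup, using only WIF 4.5 APIs. Assumes web.config also contains an explicit
// <machineKey validationKey="..." decryptionKey="..."/> shared by all nodes in the farm.
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Tokens;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Start()
    {
        // FederationConfigurationCreated fires once, after <system.identityModel> in
        // web.config has been loaded, so changes made here take precedence over the XML.
        FederatedAuthentication.FederationConfigurationCreated += (sender, e) =>
        {
            var handlers = e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;

            // AddOrReplace swaps out whichever handler currently handles SessionSecurityToken
            // (the DPAPI-based default, whose key is machine-specific and so cannot
            // round-trip between farm nodes) for the machine-key-based handler.
            handlers.AddOrReplace(new MachineKeySessionSecurityTokenHandler
            {
                // Same lifetime as the 00:30:00 value in the post's <sessionTokenRequirement>.
                TokenLifetime = TimeSpan.FromMinutes(30)
            });
        };
    }
}
```

If IsReferenceMode is also enabled, the claims live in a server-side cache rather than the cookie, and that cache is in-memory by default, so the farm additionally needs a shared session token cache.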

7 Comments
  1. kabir mehta permalink
    August 22, 2013 10:38 am

    Fantastic. Just added PassiveSessionConfiguration.ConfigureMackineKeyProtectionForSessionTokens(); with isReferenceMode = true. Just to clarify, with this single configuration line in App_Start, server side cached token should work with a web farm right? If I understand correctly, this configuration changes the specified machine key to the asp.net application key – which is the same on all machines in a farm. Is that right? Thanks.

  2. August 22, 2013 10:59 am

    IsReferenceMode means the cookie does not contain the claims and instead the claims are cached on the server. By default that cache is in-memory so it will be a problem on a web farm. You will also need to configure a shared cache, like this: https://brockallen.com/2013/02/21/server-side-session-token-caching-in-wif-and-thinktecture-identitymodel/

  3. Steven permalink
    May 12, 2014 1:55 pm

    Is there a similar setup for WIF 4.0?
