Configuring machine key protection of session tokens in WIF and Thinktecture IdentityModel
Session tokens in WIF are, by default, protected with DPAPI, which uses an auto-generated key specific to the machine that issued the cookie. This means that, by default, a session token issued by one server cannot be read by another, so session tokens won't work in a web farm. Session tokens can instead be configured to use the ASP.NET <machineKey> for protection. This is achieved by using the MachineKeySessionSecurityTokenHandler as the session security token handler configured in web.config:
<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
        <sessionTokenRequirement lifetime="00:30:00"></sessionTokenRequirement>
      </add>
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
Notice this is configured in the same way as described here for setting the session security token duration: the MachineKeySessionSecurityTokenHandler supports the same <sessionTokenRequirement> element and lifetime attribute. One caveat: swapping the handler only helps in a web farm if the <machineKey> element in <system.web> is set to explicit validationKey and decryptionKey values that are identical on every server. With the default auto-generated machine key, the keys are still per machine and the cookie still won't round-trip between servers.
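As an added example (not part of the original post), here is the complete web.config shape for a farm: the handler swap from above together with the explicit <machineKey> that MachineKeySessionSecurityTokenHandler protects the cookie with. The key values are placeholders (assumption: you generate your own random bytes, 64 for the HMACSHA256 validation key and 32 for the AES-256 decryption key, hex-encoded), and the <configSections> entry is the standard .NET 4.5 declaration for the system.identityModel section.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <!-- Declares the system.identityModel section used below (.NET 4.5 WIF). -->
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>

  <system.web>
    <!-- Explicit keys, identical on every server in the farm.
         The default (AutoGenerate,IsolateApps) derives per-machine keys, so the
         handler swap alone does not make session cookies portable across servers.
         PLACEHOLDER VALUES: replace with your own random bytes.
           validationKey: 64 random bytes (128 hex chars) for HMACSHA256
           decryptionKey: 32 random bytes (64 hex chars) for AES-256 -->
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                decryptionKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>

  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <!-- Remove the DPAPI-based default handler... -->
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
        <!-- ...and replace it with the <machineKey>-based one, keeping the 30 minute lifetime. -->
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
          <sessionTokenRequirement lifetime="00:30:00" />
        </add>
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>
</configuration>
```

Treat the <machineKey> values like any other secret: keep them out of source control (for example via a separate, non-committed config file or the deployment pipeline) and rotate them on all servers at once, since tokens protected under the old keys stop validating the moment a server picks up the new ones.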
Just as with the normal session security token handler, Thinktecture IdentityModel provides a ConfigureMackineKeyProtectionForSessionTokens API that allows this configuration to be performed in code from Application_Start in global.asax:
protected void Application_Start()
{
    // Replaces the default DPAPI-based session security token handler
    // with the <machineKey>-based MachineKeySessionSecurityTokenHandler.
    PassiveSessionConfiguration.ConfigureMackineKeyProtectionForSessionTokens();
}
This API swaps in the machine key session security token handler, and the handler uses the same session token lifetime configured with the ConfigureDefaultSessionDuration API described here.
Fantastic. Just added PassiveSessionConfiguration.ConfigureMackineKeyProtectionForSessionTokens(); with isReferenceMode = true. Just to clarify, with this single configuration line in App_Start, server-side cached tokens should work with a web farm, right? If I understand correctly, this configuration changes the specified machine key to the ASP.NET application key, which is the same on all machines in a farm. Is that right? Thanks.
IsReferenceMode means the cookie does not contain the claims and instead the claims are cached on the server. By default that cache is in-memory so it will be a problem on a web farm. You will also need to configure a shared cache, like this: https://brockallen.com/2013/02/21/server-side-session-token-caching-in-wif-and-thinktecture-identitymodel/
Is there a similar setup for WIF 4.0?
Yes, there’s an IdentityModel project for 4.0:
https://github.com/thinktecture/Thinktecture.IdentityModel.40
And it’s also up on NuGet.
Thanks! I was wondering about the machine key setup for 4.0. It seems I'll need to use a object instead, correct?
It did not like me putting code in there, sorry. I cannot find a setup for Microsoft.IdentityModel.
Check the WIF 3.5 docs on MSDN.