.net - WIF STS Implementation Checking for Active ASP.NET Login/Session with ADFS Tie-In


I'm planning to implement an external-facing ASP.NET web application along with a Windows Communication Foundation (WCF) service providing an externally available API. To provide security for the web app and the service, I'm rolling my own Security Token Service (STS) using Windows Identity Foundation (WIF).

The basics of how I intend to implement this are described in these articles: http://msdn.microsoft.com/en-us/magazine/ee335707.aspx and http://devproconnections.com/development/generating-saml-tokens-wif-part-2

combined with the information provided in Vittorio Bertocci's excellent book on the subject: http://www.amazon.com/programming-windows-identity-foundation-dev/dp/0735627185/ref=sr_1_6?ie=utf8&qid=1366300926&sr=8-6&keywords=vittorio+bertocci

I should have the tools and information I need to accomplish the task. The use case for the application is this: a user logs into our ASP.NET web application, which has its own user authentication and authorization mechanism. While on the application, they click a link that uses SAML single sign-on (SSO) to a third-party application (with whom we have a tight business relationship). While on the third-party application, the user can transparently work with files we're storing on yet another application internal to our organization. Basically, a transparent/silent SAML SSO against our web app/WCF service to either save out or retrieve a document while logged into the third-party web app.

Like I said before, I think I have the basics of how to implement authorization and authentication down for this process.

However, one item the security team has asked me to ensure is that a user who is logged in to the third-party site from our externally-exposed yet totally-owned-by-us originating web application still has an active session on our site. In short, I need to ensure that a user logged into site A, who is using site B and wants to access resources on site C, is in fact still logged into our site.

How do I get information regarding the user? Right now, I did roll my own role provider for site A, and authentication is performed via forms authentication using an older username/password mechanism that does not include using the ASP.NET 2.0 "standard" membership provider. Therefore, security.web.membership is not available to me.

Finally, the same process should apply to internal users on our Active Directory who log in to our internal network, go to site B, and work with site C again. I believe we'd be using ADFS v2 for authentication. Any tips on ensuring said user is active in AD prior to authenticating against site C?

The reasonable way to track whether a web site user is still active is to use tokens with short expirations (say, 10 minutes) that auto-reset each time the user navigates around the web site. That way you can say a user is active if they were logged in and active within the past 10 minutes. You'll need to track the token in a persistent store on the server, updated with the time of the most recent user action / token reset, so that back-end systems can ask "is this user still active?", and you'll need to pass it to the web client so it can pass it back to the server on every subsequent web request to keep the session alive. This is your session cookie. The cookie can be the same as the token, or you can set the cookie to a random value that maps to the token internally on the server if you don't want the true token known to the browser app. If the user actively logs out of the web app, void the token in the backend database.

Other techniques might involve keeping a long-running HTTP connection open (à la web-based IRC chat), but that consumes a lot of network resources, particularly on the server and firewall, and doesn't provide any greater assurance that the user is still looking at the web app in their browser. A session that has been open for 30 minutes where there have been no page navigations in 20 minutes sounds like the user has gone to lunch and left the browser window open. If you have to track page navigation anyway, keeping the HTTP connection open doesn't buy you anything.
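The scheme the answer describes (short-lived server-side session records with a sliding expiry, an opaque cookie value in the browser, a back-end "is this user still active?" query, and revocation on logout), as an added C# illustration that is not part of the original answer. Class and method names are assumptions, and the in-memory dictionary stands in for the persistent store the answer calls for.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
// Added example (not from the question or answer): a sliding-window activity
// store. The browser holds only an opaque random cookie value; the server maps
// it to the session, resets the expiry on every request, and lets back-end
// systems ask "is this user still active?" before site C honours a request.
public sealed class ActivityStore
{
    private sealed class Session { public string User; public DateTime LastSeenUtc; }
    private readonly ConcurrentDictionary<string, Session> _sessions =
        new ConcurrentDictionary<string, Session>(StringComparer.Ordinal);
    private readonly TimeSpan _idleTimeout;  // e.g. 10 minutes, as in the answer
    private readonly Func<DateTime> _clock;  // injectable so tests can advance time
    public ActivityStore(TimeSpan idleTimeout, Func<DateTime> clock = null)
    {
        _idleTimeout = idleTimeout;
        _clock = clock ?? (() => DateTime.UtcNow);
    }
    // On successful forms login: returns the cookie value (set it HttpOnly + Secure).
    public string StartSession(string user)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string cookie = Convert.ToBase64String(bytes);
        _sessions[cookie] = new Session { User = user, LastSeenUtc = _clock() };
        return cookie;
    }
    // On every request carrying the cookie: slide the window, or reject (and
    // drop the record) if the cookie is unknown or has idled past the timeout.
    public bool Touch(string cookie)
    {
        Session s;
        if (!_sessions.TryGetValue(cookie, out s)) return false;
        DateTime now = _clock();
        if (now - s.LastSeenUtc > _idleTimeout) { Revoke(cookie); return false; }
        s.LastSeenUtc = now;
        return true;
    }
    // Back-end check used before site C serves a request made via site B.
    public bool IsUserActive(string user)
    {
        DateTime now = _clock();
        foreach (Session s in _sessions.Values)
            if (s.User == user && now - s.LastSeenUtc <= _idleTimeout) return true;
        return false;
    }
    // Explicit logout voids the session so later checks answer "not active".
    public void Revoke(string cookie) { Session s; _sessions.TryRemove(cookie, out s); }
}
```

In a real deployment the store would be a database or cache shared by the web app and the WCF service, and the STS would call IsUserActive before issuing a token for site C.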

