.NET 4.5 - What is an appropriate strategy for refreshing claims in a passive scenario?
I have a .NET 4.5 claims-aware application hosted in Windows Azure. There is a web role that hosts an MVC site, and a worker role that runs jobs in the background. Users can choose to remain permanently logged in.
Here is the code for my ClaimsAuthenticationManager:
    public ClaimsPrincipal Login(string username, bool rememberMe = false)
    {
        ClaimsPrincipal principal = Authenticate(null, PrincipalFactory.CreateFormsPrincipal(username));
        SetSessionCookie(principal, rememberMe ? TimeSpan.MaxValue : TimeSpan.FromDays(1));
        return principal;
    }

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (!incomingPrincipal.Identity.IsAuthenticated)
        {
            return base.Authenticate(resourceName, incomingPrincipal);
        }
        return PrincipalFactory.Create(incomingPrincipal.Identity.Name, incomingPrincipal.Identity.AuthenticationType);
    }

    private static void SetSessionCookie(ClaimsPrincipal principal, TimeSpan lifetime)
    {
        var sessionSecurityToken = new SessionSecurityToken(principal, lifetime) { IsReferenceMode = true };
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionSecurityToken);
    }
In the simple refresh case, where the user performs an action (e.g., purchases/cancels a subscription) on the site, this can be done by:
- issuing a new token and re-writing the cookie, or
- logging the user out (deleting the cookie) and having them re-authenticate
What I need guidance on is how/when to refresh the user's claims when they change as the result of a non-user-originated event.
Imagine the following scenarios:
A user specifies "remember me" and logs in successfully. They have a cookie that never expires. They purchase a subscription via the site. Their claims are refreshed via option #1 above. One month later, the subscription lapses because they chose not to renew. The cookie is still valid and the claims associated with the subscription are still active.
A new user creates an account and logs in specifying "remember me". They have a cookie that never expires and includes a claim granting a free 1-week trial of special functionality. One week later, a background job (executing via the worker role) removes the record of the free trial in the underlying data store. However, the user's cookie still has the free trial claim.
In both scenarios, if the user logged out and in on their own, the problem would solve itself. But if the user takes no specific action to log out, the cookie contains invalid claims.
How do I handle cases like these?
As I've been composing this question, it occurred to me that the logical thing is to set the cookie's expiration date to the intended lifetime of the shortest-lived claim in the claims collection.
Is there a better or different strategy?
Any guidance is appreciated.
Thanks.
For reference, I have read the following posts on related topics:
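One defensive pattern for the stale-cookie problem described above, as an added example that is not part of the original question: hook the WIF SessionAuthenticationModule's SessionSecurityTokenReceived event and, once the claims in a long-lived "remember me" cookie are older than a chosen maximum age, reload them from the data store and reissue the cookie with its original lifetime. The `urn:example:claims-issued-at` claim type and the refresh interval are assumptions; `PrincipalFactory` is the asker's class and is assumed to read current subscription/trial state from the store.

```csharp
using System;
using System.Globalization;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;

// Added example (not the asker's code). Re-validates the claims in a session
// cookie against the data store on a schedule instead of trusting them until
// the cookie itself expires, so a lapsed subscription or ended trial is dropped
// even if the user never logs out.
public static class ClaimsRefresher
{
    // Hypothetical claim type recording when claims were last loaded from the store.
    const string IssuedAtClaim = "urn:example:claims-issued-at";
    static readonly TimeSpan MaxClaimAge = TimeSpan.FromMinutes(15); // assumed interval

    // Call once at startup (e.g. from Application_Start) with
    // FederatedAuthentication.SessionAuthenticationModule.
    public static void Register(SessionAuthenticationModule sam)
    {
        sam.SessionSecurityTokenReceived += (sender, e) =>
        {
            var principal = e.SessionToken.ClaimsPrincipal;
            if (!NeedsRefresh(principal)) return;

            // Rebuild the principal from the underlying store, then stamp it.
            var fresh = PrincipalFactory.Create(principal.Identity.Name,
                                                principal.Identity.AuthenticationType);
            ((ClaimsIdentity)fresh.Identity).AddClaim(
                new Claim(IssuedAtClaim, DateTime.UtcNow.ToString("o")));

            // Keep the cookie's original validity window ("remember me" stays
            // remembered) but replace the stale claims and rewrite the cookie.
            e.SessionToken = new SessionSecurityToken(fresh, e.SessionToken.Context,
                e.SessionToken.ValidFrom, e.SessionToken.ValidTo)
                { IsReferenceMode = e.SessionToken.IsReferenceMode };
            e.ReissueCookie = true;
        };
    }

    // A missing or unparsable timestamp is treated as stale, so a cookie written
    // by Login() without the stamp is refreshed on its first request.
    static bool NeedsRefresh(ClaimsPrincipal principal)
    {
        var issuedAt = principal.FindFirst(IssuedAtClaim);
        DateTime ts;
        if (issuedAt == null || !DateTime.TryParse(issuedAt.Value, CultureInfo.InvariantCulture,
                DateTimeStyles.RoundtripKind, out ts)) return true;
        return DateTime.UtcNow - ts > MaxClaimAge;
    }
}
```

With this in place the worker role only needs to update the data store; the web role picks up the change on the next request after MaxClaimAge, which bounds how long a revoked trial or lapsed subscription claim can be honoured.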