zimdanen - 9 months ago
Ajax Question

ADFS session expires and causes error

We use ADFS for our internal applications - users are basically logged in transparently anytime they go to one of our apps. However, if a user leaves a page open for over an hour then tries to do something on that page (other than navigate to another page), they get an error:

This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?

It seems like the page is trying to redirect that request to the ADFS server and that is being prevented by the browser.

My question is thus: How do I catch this situation and get the user to the ADFS server to reauthenticate?

I haven't had any luck finding anything on Google regarding this.


You can inspect and re-issue security tokens manually in global.asax, and use this to create sliding sessions. With sliding sessions, you can choose to postpone the re-authentication until it becomes "safe" to do so (when data will no longer be lost due to the ADFS redirect).

Inside the SessionSecurityTokenReceived event, you can evaluate the token and the request. If the token has expired and the request is one that will experience data loss from a redirect, you can re-issue a new "temporary" token. The new token should have a very short life, just long enough so you can safely complete the current request. The token will then expire and be evaluated again on the next request.

using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Web;
using System.Web.Mvc;

protected void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
    var now = DateTime.UtcNow;
    SessionSecurityToken token = e.SessionToken;
    var httpContext = new HttpContextWrapper(this.Context);

    // Expired token on a request whose body would be lost by a redirect to ADFS
    if (now > token.ValidTo
        && (httpContext.Request.IsAjaxRequest() || httpContext.Request.HttpMethod == "POST"))
    {
        var sessionAuthModule = (SessionAuthenticationModule)sender;
        // Re-issue a short-lived token (2 minutes is an illustrative value) so this request can complete
        e.SessionToken = sessionAuthModule.CreateSessionSecurityToken(token.ClaimsPrincipal,
            token.Context, now, now.AddMinutes(2), token.IsPersistent);
        e.ReissueCookie = true;
    }
}

The ADFS session will continue to postpone reauthentication until the next GET request. Then the redirect will finally occur, and the user will be issued a proper token of normal lifespan.
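As an added example (not part of the answer above, and not WIF's or ADFS's own code), here is the same SessionSecurityTokenReceived handler with two bounds on how far an expired session may be slid: a grace window after expiry, and an absolute cap on the session's age. As written in the answer, the handler re-issues a temporary token for any expired session as long as the request is a POST or AJAX call, so whoever holds the session cookie can keep it alive indefinitely by sending one such request per temporary lifetime. The window, cap and temporary lifetime values below are illustrative assumptions, as is the use of the AuthenticationInstant claim as the session's start time (it is only present if the relying-party trust passes that claim through; the token's ValidFrom is used otherwise).

```csharp
using System;
using System.Globalization;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Added example: policy for bounding a sliding ADFS session. All three values are
// illustrative assumptions, not ADFS or WIF defaults.
public static class SlidingSessionPolicy
{
    // Re-issue only if the token expired less than this long ago.
    public static readonly TimeSpan GraceWindow = TimeSpan.FromMinutes(15);
    // Never extend a session beyond this age, measured from its start.
    public static readonly TimeSpan AbsoluteMaximum = TimeSpan.FromHours(8);
    // Lifetime of each temporary token: just enough to finish the current request.
    public static readonly TimeSpan TemporaryLifetime = TimeSpan.FromMinutes(2);

    // Session start: the AuthenticationInstant claim issued by ADFS when present
    // (assumption: the relying-party trust passes it through), else the token's ValidFrom.
    public static DateTime SessionStart(SessionSecurityToken token)
    {
        var claim = token.ClaimsPrincipal.FindFirst(ClaimTypes.AuthenticationInstant);
        DateTime instant;
        if (claim != null && DateTime.TryParse(claim.Value, CultureInfo.InvariantCulture,
                DateTimeStyles.RoundtripKind, out instant))
        {
            return instant.ToUniversalTime();
        }
        return token.ValidFrom.ToUniversalTime();
    }

    // Pure decision function, so it can be unit-tested without an HttpContext.
    public static bool MayExtend(DateTime now, DateTime sessionStart, DateTime validTo, bool isPostOrAjax)
    {
        if (now <= validTo) return false;                // not expired: nothing to do
        if (!isPostOrAjax) return false;                 // plain GET: let the ADFS redirect happen
        if (now - validTo > GraceWindow) return false;   // expired too long ago: force re-auth
        if (now + TemporaryLifetime - sessionStart > AbsoluteMaximum) return false; // cap reached
        return true;
    }
}

// global.asax.cs: the handler from the answer, rewritten to consult the policy above.
public class Global : HttpApplication
{
    protected void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        var now = DateTime.UtcNow;
        SessionSecurityToken token = e.SessionToken;
        var request = new HttpContextWrapper(this.Context).Request;
        bool isPostOrAjax = request.IsAjaxRequest() || request.HttpMethod == "POST";

        if (!SlidingSessionPolicy.MayExtend(now, SlidingSessionPolicy.SessionStart(token), token.ValidTo, isPostOrAjax))
        {
            // Either still valid, or too stale to extend: leave the token alone so the
            // module treats it as expired and the ADFS redirect described above occurs.
            return;
        }

        var sessionAuthModule = (SessionAuthenticationModule)sender;
        e.SessionToken = sessionAuthModule.CreateSessionSecurityToken(
            token.ClaimsPrincipal, token.Context,
            now, now + SlidingSessionPolicy.TemporaryLifetime, token.IsPersistent);
        e.ReissueCookie = true;
    }
}
```

Note the fallback in SessionStart: a re-issued token's ValidFrom is the time of re-issue, so when the AuthenticationInstant claim is absent the absolute cap restarts with every temporary token and only the grace window is actually enforced. If the claim cannot be passed through, carry the original issue time some other way (for example as an extra claim added to the principal the first time the session token is created) before relying on the cap.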