Today’s post is about a common issue faced by many Web developers who build an MVC Web application that uses ADFS as its authentication mechanism. The problem is that IIS may abandon a session when its timeout elapses without the MVC application ever being aware of it; when the user requests the same page again or navigates to another page, IIS simply creates a new session. This is a security risk because users are never redirected to the login page to re-enter their credentials.
ASP.NET and all its features (Web Forms or MVC) are tightly coupled to IIS. Before the “Federation” era we are currently in, this was in most cases handled by Forms-based Authentication (FBA), but as I’ve previously mentioned there is a new player in the picture: ADFS.
ADFS (Active Directory Federation Services) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. ADFS relies on claims-based access (CBA) to enforce and maintain application security.
When ADFS is implemented, the standard ASP.NET FBA is bypassed and its task is delegated to ADFS. Everything else remains the same, including session management, which in this case we assume is “InProc”.
The security issue arises when the session times out but users are never prompted to re-enter their credentials. To make this solution work we store a tiny value in a session variable. Remember, MVC shares a lot of functionality with Web Forms, and storing information in the Session object can cause more problems than it solves, so it’s always good practice to avoid storing much in it (regardless of whether it’s a Web Forms or MVC application).
We store just one very simple value in the newly created session: its expiration time.
ASP.NET MVC provides a flexible yet powerful mechanism that allows developers to decorate their controllers and actions with filters. By implementing a custom action filter and decorating the “BaseController” (or any controller) with it, we ensure that it executes before any action method within that controller.
To wire up our custom action filter, we must register it by adding it to the GlobalFilterCollection; otherwise it won’t run.
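Here is one way to put the three steps together (store the expiration stamp, check it in an action filter, register the filter globally), as an added example rather than the post’s own code. It assumes the application signs in through ADFS with the WIF WS-Federation modules in System.IdentityModel.Services, that web.config denies anonymous users so the module challenges them, InProc session state, and the default ASP.NET_SessionId cookie name.

```csharp
using System;
using System.IdentityModel.Services;
using System.Web;
using System.Web.Mvc;

// Added example, not the post's own code. Assumes the WIF WS-Federation modules
// with anonymous users denied in web.config, InProc sessions, default cookie name.
public class SessionExpirationFilter : ActionFilterAttribute
{
    private const string ExpiresAtKey = "SessionExpiresAt";
    private const string SessionCookie = "ASP.NET_SessionId";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase ctx = filterContext.HttpContext;
        HttpSessionStateBase session = ctx.Session;
        if (session == null) return;
        // The browser still sent a session cookie, yet IIS handed out a brand-new
        // session: the old one timed out and was silently recreated. Read the raw
        // header, because Request.Cookies already mirrors the cookie IIS just issued.
        string cookieHeader = ctx.Request.Headers["Cookie"];
        bool recreatedAfterTimeout = session.IsNewSession
            && cookieHeader != null && cookieHeader.Contains(SessionCookie);
        // The expiration stamp the post stores in Session, checked as a second signal.
        DateTime? expiresAt = session[ExpiresAtKey] as DateTime?;
        bool stampExpired = expiresAt.HasValue && expiresAt.Value <= DateTime.UtcNow;

        if (ctx.Request.IsAuthenticated && (recreatedAfterTimeout || stampExpired))
        {
            session.Clear();
            session.Abandon();
            // Expire the session cookie too, or the post-login request is flagged again.
            ctx.Response.Cookies.Add(new HttpCookie(SessionCookie, string.Empty)
                { Expires = DateTime.UtcNow.AddDays(-1), HttpOnly = true });
            // Drop the WIF session cookie (FedAuth); the redirected request arrives
            // unauthenticated and the WS-Federation module sends it to ADFS.
            FederatedAuthentication.SessionAuthenticationModule.SignOut();
            filterContext.Result = new RedirectResult(ctx.Request.RawUrl);
            return;
        }
        // Keep the stamp in step with IIS's sliding session timeout.
        session[ExpiresAtKey] = DateTime.UtcNow.AddMinutes(session.Timeout);
        base.OnActionExecuting(filterContext);
    }
}

public static class FilterConfig // App_Start/FilterConfig.cs; without this the filter never runs
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    { filters.Add(new SessionExpirationFilter()); }
}
```

One caveat: if ADFS still holds its own single sign-on cookie for that browser, it may reissue a token without prompting; the static WSFederationAuthenticationModule.FederatedSignOut method can also sign the user out at ADFS when a fresh credential prompt is required.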
And that’s pretty much it. If the session times out and the user tries to refresh the page or navigate to any other page, they are taken back to the ADFS logon page to re-enter their credentials. We could have done something fancier with client-side code and AJAX to accomplish the same thing, but that’s outside the scope of this post.