Sliding Window Authentication
| Colin Bowern 2005-07-16, 8:46 pm |
| Hi,
I wanted to clarify the documentation's concept of a time window. When an
auth ticket is set to expire in x minutes does that number get reset with
each request the user makes or does it only get renewed when there is 5
minutes or less remaining from when the time window was originally set?
Also, has anyone figured out how to set the profile and/or auth tickets to
expire when the browser session is closed?
Thanks,
Colin
| |
| Colin Bowern 2005-07-17, 5:49 pm |
| Some clarification after more research:
I'm looking to use the profile ticket in either a session or persistent
cookie depending on the user's choice. The driver behind this is privacy
regulations. Can AuthManager's profile ticket type of cookie be configured?
I'm looking to use the authentication ticket in only the session state but
use a sliding window authentication so with each request it renews the
authentication for another x minutes. The default of 90 minutes is a little
long, but going sooner can be an annoyance to the user so I was thinking of
moving it down to 20 minute sliding windows. Any thoughts on how to get
AuthManager's auth ticket to do this?
Thanks,
Colin
| |
| Ravi Shankar 2005-07-18, 2:51 am |
| Hi Colin,
There are two cookies associated with each user session. One holds the
credentials while the other holds the ticket. Both of these are verified at
the start of every page displayed. If you want to reset the time period then
you should be able to achieve the same by issuing a setTicket call every time
an authentication is made. So the last ticket set would be good to go for the
time period you've selected (20 minutes).
--
Ravi Shankar
| |
| Colin Bowern 2005-07-18, 5:51 pm |
| Hey Ravi,
Good idea on calling SetAuthTicket on each call. I've also figured out how
to change a persistent ticket to a session ticket by setting its Expires to
DateTime.MinValue. I'm working on testing to see if Commerce Server will
play nice with this change.
Cheers,
Colin
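The renewal behaviours asked about in this thread, modelled side by side as an added example (not code from any poster, and not Commerce Server's implementation). The names `simulate` and `ticket_cookie`, the cookie name and the request timeline are constructed for illustration, and the model makes no claim about which behaviour AuthManager actually uses.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

WINDOW = 20      # minutes; the sliding window proposed in the thread
THRESHOLD = 5    # minutes; the "5 minutes or less remaining" rule from the question

def simulate(request_minutes, policy, window=WINDOW, threshold=THRESHOLD):
    """Replay requests (minutes after sign-in) against a ticket issued at minute 0.

    policy "sliding":   reissue the ticket on every accepted request
    policy "threshold": reissue only when <= threshold minutes remain
    policy "fixed":     never reissue
    Returns [(minute, accepted)], stopping at the first rejected request.
    """
    if policy not in ("sliding", "threshold", "fixed"):
        raise ValueError(f"unknown policy: {policy}")
    expires = window
    results = []
    for t in request_minutes:
        if t >= expires:                 # ticket lapsed: user must sign in again
            results.append((t, False))
            break
        remaining = expires - t
        if policy == "sliding" or (policy == "threshold" and remaining <= threshold):
            expires = t + window         # new ticket, valid for a full window
        results.append((t, True))
    return results

def ticket_cookie(name, value, persistent, issued_at, window=WINDOW):
    """Build a Set-Cookie value; without Expires the browser drops it on close."""
    parts = [f"{name}={value}", "Path=/"]
    if persistent:
        expiry = issued_at + timedelta(minutes=window)
        parts.append("Expires=" + format_datetime(expiry, usegmt=True))
    return "; ".join(parts)

# Constructed timeline: the user is active, with gaps of at most 25 minutes.
REQUESTS = [10, 18, 30, 45, 70]

if __name__ == "__main__":
    for policy in ("sliding", "threshold", "fixed"):
        print(f"{policy:9}", simulate(REQUESTS, policy))
    now = datetime(2005, 7, 18, 17, 51, tzinfo=timezone.utc)
    print(ticket_cookie("ticket", "opaque", persistent=False, issued_at=now))
    print(ticket_cookie("ticket", "opaque", persistent=True, issued_at=now))
```

With the threshold rule the request at minute 45 is rejected only 15 minutes after the previous one, because the request at minute 30 arrived with 8 minutes left and did not renew the ticket; reissuing on every request keeps the user signed in until a gap longer than the window.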