
When creating a Security Token Service (STS) for a claims based security model, it seems appropriate that tokens are generated in such a way that they expire after some duration, as suggested here. Around this concept, I have a few specific questions, but am looking for any feedback regarding best practices in this area.

  • What are recommended values for the timeout length and/or what should be taken into consideration when determining this?
  • If a user is active for longer than the typical expiration period, how should this be handled such that the user is not required to re-authenticate in the middle of their session?
  • Is there an elegant way to design a service to perform batch actions "on behalf of" another user by utilizing the token? i.e., utilizing the token at a later time may have caused it to expire.
Joe

1 Answer

  1. I normally see 2-9 hours. 9 gives you the work day.

  2. If the token has expired, they need to reauthenticate. End of story.

  3. Depends on how the system works. Do you need the entire context or can you fake it? If the system can just say "I am system, but on behalf of Jimmy" within your app then it's easy. If you actually need Jimmy's token to perform the operation then you are stuck.

Travis
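To make the answer's second and third points concrete, here is an added example (not code from the question or the answer) of an STS-style token with an expiry and of the "I am system, but on behalf of Jimmy" pattern. The token format (HMAC-SHA256 over a JSON claim set) is illustrative rather than any standard, the claim name `obo`, the principals `batch-svc` and `jimmy`, the 9-hour user lifetime taken from the answer's range, and the 15-minute delegation lifetime are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key; a real STS would use a managed, rotated signing key.
SIGNING_KEY = b"example-sts-signing-key-do-not-use"

# Lifetimes in seconds. 9 hours is the upper end of the range given in the answer.
USER_TOKEN_LIFETIME = 9 * 3600
# Assumption: tokens a service mints for itself to act on behalf of a user stay short-lived.
DELEGATION_TOKEN_LIFETIME = 15 * 60


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, lifetime: int, now: float = None) -> str:
    """Sign a claim set with issued-at and expiry. Format: b64(json) '.' b64(hmac)."""
    now = time.time() if now is None else now
    body = dict(claims, iat=int(now), exp=int(now) + lifetime)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def validate_token(token: str, now: float = None) -> dict:
    """Return the claims if signature and expiry check out; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, tag = _unb64(parts[0]), _unb64(parts[1])
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if now >= claims["exp"]:
        raise ValueError("token expired; the caller must re-authenticate")
    return claims


def is_valid(token: str, now: float = None) -> bool:
    try:
        validate_token(token, now)
        return True
    except ValueError:
        return False


def issue_user_token(user: str, now: float = None) -> str:
    """Token an interactive user holds for the work day."""
    return issue_token({"sub": user, "scope": ["read", "write"]}, USER_TOKEN_LIFETIME, now)


def issue_delegation_token(service: str, on_behalf_of: str, actions: list, now: float = None) -> str:
    """Token a batch service presents: the subject is the service itself, and an explicit
    'obo' (on-behalf-of) claim names the user whose work it performs. The user's own
    token is never stored or replayed, so its expiry is irrelevant to the batch job."""
    return issue_token({"sub": service, "obo": on_behalf_of, "scope": actions},
                       DELEGATION_TOKEN_LIFETIME, now)


def effective_principal(claims: dict) -> tuple:
    """(acting identity, effective user): log both so audit trails show who really acted."""
    return claims["sub"], claims.get("obo", claims["sub"])


if __name__ == "__main__":
    t0 = time.time()
    user_tok = issue_user_token("jimmy", now=t0)
    print("user token valid after 8h:", is_valid(user_tok, now=t0 + 8 * 3600))
    print("user token valid after 9h:", is_valid(user_tok, now=t0 + 9 * 3600))
    svc_tok = issue_delegation_token("batch-svc", "jimmy", ["read"], now=t0)
    print("batch job acts as:", effective_principal(validate_token(svc_tok, now=t0 + 60)))
```

The validator checks the signature before it reads the expiry, so a tampered payload is rejected as a forgery rather than as merely expired, and the batch service's token carries its own identity plus the delegated user, which is exactly the "I am system, but on behalf of Jimmy" shape the answer describes.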