Question
We have a site which relies on federated authentication using Active Directory Federation Services (ADFS) and WSFederationAuthenticationModule.
The site also employs a set of XHR requests fired upon user interaction. One particular example is a drop-down menu which allows the user to impersonate other users. Another one is the faceting functionality on a site-wide search page.
The problem is that the session expires when a user stays inactive on a page for a certain amount of time. In normal HTTP requests, when the user clicks on a link, for example, this is not a problem. Upon session expiration the user is redirected to the STS and promptly back again without the user ever noticing - it happens quickly enough.
But XHR requests fail. The actual error message in the console is:
XMLHttpRequest cannot load https://adfs.contoso.com/adfs/ls/...
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'https://www.example.com' is therefore not allowed access.
It seems that the XHR request cannot redirect to the STS and subsequently back to the relying party like it happens with a regular HTTP request as this causes a CORS problem.
This naturally breaks all elements on the page relying on particular JavaScript. The only way for the user to work around this is to refresh the page when the problem occurs.
What would be the correct way to solve this?
Answer 1:
Add this to the web config in the ADFS ls folder, or the corresponding one on the ADFS Proxy if you are using one.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
ref: http://enable-cors.org/server_iis7.html
Answer 2:
The only solution that worked for me was the one provided by Pinpoint in this answer: https://stackoverflow.com/a/28631956/6299975
That is what I did to implement sliding expiration.
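// OWIN startup configuration (Microsoft.Owin.Security.Cookies / .WsFederation)
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    // Do not re-issue the cookie with a new expiration on later requests
    SlidingExpiration = false
});
app.UseWsFederationAuthentication(
    new WsFederationAuthenticationOptions
    {
        MetadataAddress = xxxxxxx,
        Wtrealm = xxxxxx,
        // Do not tie the session cookie lifetime to the STS token lifetime
        UseTokenLifetime = false,
    }
);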
SlidingExpiration = false in CookieAuthenticationOptions
UseTokenLifetime = false in WsFederationAuthenticationOptions
Source: https://stackoverflow.com/questions/26609768/xhr-requests-fail-when-an-adfs-authenticated-session-expires
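An added example, not part of the question or either answer: a client-side way to detect the expired session described in the question without following the redirect to the STS from script. The names isSessionExpired, makeAuthAwareFetch and apiFetch are hypothetical, and it assumes same-origin API endpoints that do not issue redirects of their own.

```javascript
// Added example (not from the question or its answers).
// Assumed: the relying party answers an expired session with a 302 to the
// STS (as in the question) or, if configured that way, with a 401.

// Classify a fetch() Response obtained with { redirect: 'manual' }.
// A redirect is then surfaced as type 'opaqueredirect' (status 0) instead of
// being followed cross-origin to the STS, where the CORS check would fail.
function isSessionExpired(response) {
  return response.type === 'opaqueredirect' || response.status === 401;
}

// Wrap fetch: on expiry, hand control to a top-level navigation, which can
// complete the passive WS-Federation round trip; a script request cannot.
function makeAuthAwareFetch(fetchImpl, reauthenticate) {
  return async function authAwareFetch(url, options = {}) {
    const response = await fetchImpl(url, {
      credentials: 'same-origin',
      ...options,
      redirect: 'manual', // never follow the 302 to the STS from script
    });
    if (isSessionExpired(response)) {
      reauthenticate();
      throw new Error('session expired; re-authenticating');
    }
    return response;
  };
}

// Browser wiring (skipped outside a browser): reload so the page itself is
// redirected to the STS and back.
if (typeof window !== 'undefined') {
  window.apiFetch = makeAuthAwareFetch(
    window.fetch.bind(window),
    () => window.location.reload()
  );
}
```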