Hello,
We have implemented ComponentSpace SAML2 for use as authentication to a web-based application using ASP.NET.
For users on web farms, we have the option of using the database to store the session data, implementing pretty basic authentication.
Due to a programming oversight we (I) failed to include the ssosessions.DeleteExpired for one version. The documentation states that you can clear records manually and that is easy to implement using our scheduling, but what is an appropriate query? I am not sure what is best practice on how to determine an ‘expired’ session.
Our application generally only utilizes SAML for authentication and the application may then be open for extended periods (days) without further SAML interaction.
That question also extends to the implementation of sso.DeleteExpired, in that it takes a datetime parameter for expiration.
What is a suitable period?
The SSOSessions table includes an ExpirationDateTime column which is the UTC date/time the session state expires.
Normally session state is considered to have expired if ExpirationDateTime is older than the current date/time.
Taking this approach, the SQL to delete expired rows is as follows:
DELETE FROM SSOSessions WHERE ExpirationDateTime <= GETUTCDATE()
Earlier versions of the DatabaseSSOSessionStore.DeleteExpired API took an expirationDateTime parameter. Session state older than this date/time was deleted.
Later versions of this API don’t take a parameter and use DateTime.UtcNow instead.
If you’re using an older version, I recommend using DateTime.UtcNow for the expirationDateTime parameter value.
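As an added example for a scheduled cleanup job (this is not part of the reply above or ComponentSpace's own code): a T-SQL script for SQL Server that reports the expired rows first and then deletes them in small batches, so a large backlog of never-cleaned sessions does not hold a long lock on a table shared by every server in the web farm. It assumes only the SSOSessions table and its UTC ExpirationDateTime column described above.

```sql
-- Added example (not ComponentSpace's script): batched cleanup of expired
-- SSOSessions rows on SQL Server. Assumes the SSOSessions table with a UTC
-- ExpirationDateTime column, as described in the reply above.
SET NOCOUNT ON;

DECLARE @BatchSize INT = 1000;           -- rows per DELETE; keeps each lock short
DECLARE @Cutoff DATETIME = GETUTCDATE(); -- fixed once so the run has a stable boundary
DECLARE @Deleted INT = 1;
DECLARE @Total INT = 0;

-- Dry-run report: how much is about to be removed and how stale it is.
SELECT COUNT(*)              AS ExpiredRows,
       MIN(ExpirationDateTime) AS OldestExpiry
FROM SSOSessions
WHERE ExpirationDateTime <= @Cutoff;

-- Delete in batches until no expired rows remain.
WHILE @Deleted > 0
BEGIN
    DELETE TOP (@BatchSize) FROM SSOSessions
    WHERE ExpirationDateTime <= @Cutoff;

    SET @Deleted = @@ROWCOUNT;
    SET @Total = @Total + @Deleted;
END;

SELECT @Total AS RowsDeleted;
```

Run it from the same scheduler that would otherwise call DeleteExpired; the first SELECT can be dropped once the job is trusted.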