ComponentSpace

Forums



Question on using database for session data


Question on using database for session data

Author
Message
lcryderman
lcryderman
New Member
New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)

Group: Forum Members
Posts: 8, Visits: 29
We're considering storing session data in our database, I have a few questions.
Based on the Developer Guide, we create table [dbo].[SSOSessions].
At app start up we do: SAMLController.SSOSessionStore = new DatabaseSSOSessionStore()

What is not clear is there anything else we have to do, such as write queries... ?

Also, do we have to use DatabaseIDCache ? (not clear on what identifiers is....)
Lastly, do we need the 'SAML' connection string, or can we use an existing connection string.

Thank you


ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
The DatabaseSSOSessionStore includes all the code necessary to query and update the database table. There shouldn't be anything else you need to do apart from create the SSOSessions table and specify the connection string.

The DatabaseIDCache is only required if acting as the service provider. It supports the detection of SAML assertion replay attacks. The identifiers are the unique SAML assertion IDs.

By default, DatabaseSSOSessionStore expects the connection string name to be SAML.

However, there are various constructor overloads that allow you to specify a different connection string name etc.

For example:

SAMLController.SSOSessionStore = new DatabaseSSOSessionStore("connection string name goes here");

Regards
ComponentSpace Development
lcryderman
lcryderman
New Member
New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)

Group: Forum Members
Posts: 8, Visits: 29
ComponentSpace - 7/28/2022
The DatabaseSSOSessionStore includes all the code necessary to query and update the database table. There shouldn't be anything else you need to do apart from create the SSOSessions table and specify the connection string.

The DatabaseIDCache is only required if acting as the service provider. It supports the detection of SAML assertion replay attacks. The identifiers are the unique SAML assertion IDs.

By default, DatabaseSSOSessionStore expects the connection string name to be SAML.

However, there are various constructor overloads that allow you to specify a different connection string name etc.

For example:

SAMLController.SSOSessionStore = new DatabaseSSOSessionStore("connection string name goes here");

Our connection strings are encrypted, the 'out of box' code is not handling this and we can't use. Looking into creating a custom class inheriting AbstractDatabaseSSOSessionStore. Are there any samples or examples how to do this? Our code just needs to perform custom database connection (we're a SQL Server .Net shop). Any assistance you can provide is greatly appreciated.
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
How are the connection strings encrypted?

If you use the standard ASPNET_REGIIS to perform the encryption, IIS will automatically decrypt the connection string and therefore no code changes are required.

https://techcommunity.microsoft.com/t5/iis-support-blog/connection-string-encryption-and-decryption/ba-p/830094

If you're using some other mechanism or need something else supported in the DatabaseSSOSessionStore, please let us know. It might make more sense for us to add this support.

Alternatively, you can extend the AbstractDatabaseSSOSessionStore. I'm afraid we don't have any examples of this but let me know if you have any specific questions.



Regards
ComponentSpace Development
lcryderman
lcryderman
New Member
New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)

Group: Forum Members
Posts: 8, Visits: 29
ComponentSpace - 8/3/2022
How are the connection strings encrypted?

If you use the standard ASPNET_REGIIS to perform the encryption, IIS will automatically decrypt the connection string and therefore no code changes are required.

https://techcommunity.microsoft.com/t5/iis-support-blog/connection-string-encryption-and-decryption/ba-p/830094

If you're using some other mechanism or need something else supported in the DatabaseSSOSessionStore, please let us know. It might make more sense for us to add this support.

Alternatively, you can extend the AbstractDatabaseSSOSessionStore. I'm afraid we don't have any examples of this but let me know if you have any specific questions.


We use a custom encryption method in the connection string.
If we were to extend AbstractDatabaseSSOSessionStore, we'd need guidance on completing the below class. Simple pseudo code would do, we'd complete the code.

Sample class:
Public Class GSIDatabaseSSOSessionStore
  Inherits AbstractDatabaseSSOSessionStore

  Public Overrides Sub Save(ssoSession As Object)
   ' how to delete ?
  End Sub

  Public Overrides Sub Delete(type As Type)
   ' how to delete ?
  End Sub

  Public Overrides Function Load(type As Type) As Object
   ' how to load the return Object ?
  End Function
  Public Overloads Function DeleteExpired(expirationDateTime As Date) As Integer
   ' is the below pseudo code correct?
   ' delete SSOSessions where UpdateDateTime < expirationDateTime ?
   ' delete SAMLIdentifiers where ExpirationDateTime < expirationDateTime ?
  End Function
  Public Overloads Function Delete(sessionID As String) As Integer
   ' is the below pseudo code correct?
   ' delete SAMLIdentifiers where ID = sessionID ?
  End Function

End Class

Appreciate your assistance.
lcryderman
lcryderman
New Member
New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)

Group: Forum Members
Posts: 8, Visits: 29
lcryderman - 8/4/2022
ComponentSpace - 8/3/2022
How are the connection strings encrypted?

If you use the standard ASPNET_REGIIS to perform the encryption, IIS will automatically decrypt the connection string and therefore no code changes are required.

https://techcommunity.microsoft.com/t5/iis-support-blog/connection-string-encryption-and-decryption/ba-p/830094

If you're using some other mechanism or need something else supported in the DatabaseSSOSessionStore, please let us know. It might make more sense for us to add this support.

Alternatively, you can extend the AbstractDatabaseSSOSessionStore. I'm afraid we don't have any examples of this but let me know if you have any specific questions.


We use a custom encryption method in the connection string.
If we were to extend AbstractDatabaseSSOSessionStore, we'd need guidance on completing the below class. Simple pseudo code would do, we'd complete the code.

Sample class:
Public Class GSIDatabaseSSOSessionStore
  Inherits AbstractDatabaseSSOSessionStore

  Public Overrides Sub Save(ssoSession As Object)
   ' how to delete ?
  End Sub

  Public Overrides Sub Delete(type As Type)
   ' how to delete ?
  End Sub

  Public Overrides Function Load(type As Type) As Object
   ' how to load the return Object ?
  End Function
  Public Overloads Function DeleteExpired(expirationDateTime As Date) As Integer
   ' is the below pseudo code correct?
   ' delete SSOSessions where UpdateDateTime < expirationDateTime ?
   ' delete SAMLIdentifiers where ExpirationDateTime < expirationDateTime ?
  End Function
  Public Overloads Function Delete(sessionID As String) As Integer
   ' is the below pseudo code correct?
   ' delete SAMLIdentifiers where ID = sessionID ?
  End Function

End Class

Appreciate your assistance.

Made a type-o, correction:
Public Overrides Sub Save(ssoSession As Object)
   ' how to save ?
  End Sub

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
If you have a custom encryption method for the connection string, would this affect the SQL used in the Load, Save etc methods?

I would have thought it would have been your constructor which would handle the decryption.

If that's the case, we could change AbstractDatabaseSSOSessionStore so it exposes the connectionString property it uses internally.

Your constructor would decrypt the connection string and set its value in this connectionString property so it can be used by the Load, Save etc methods in AbstractDatabaseSSOSessionStore.

Would that work for you?

Regards
ComponentSpace Development
lcryderman
lcryderman
New Member
New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)

Group: Forum Members
Posts: 8, Visits: 29
ComponentSpace - 8/4/2022
If you have a custom encryption method for the connection string, would this affect the SQL used in the Load, Save etc methods?

I would have thought it would have been your constructor which would handle the decryption.

If that's the case, we could change AbstractDatabaseSSOSessionStore so it exposes the connectionString property it uses internally.

Your constructor would decrypt the connection string and set its value in this connectionString property so it can be used by the Load, Save etc methods in AbstractDatabaseSSOSessionStore.

Would that work for you?

We've opted to create a new database user account with access to only the two tables required. Thank you for your assistance.
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
You're welcome. Thanks for the update.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search