As a follow up to this post – things have changed a little bit in .NET 4.5. SessionMode is now called ReferenceMode (which is less confusing), and mechanics are slightly different now.
When creating session security tokens manually, you can set the IsReferenceMode property:
var sessionToken = new SessionSecurityToken(principal, TimeSpan.FromHours(8))
{
IsReferenceMode = true // cache on server
};
..and when using the WS-Federation authentication module, you use this technique:
void WSFederationAuthenticationModule_SessionSecurityTokenCreated
(object sender, SessionSecurityTokenCreatedEventArgs e)
{
e.SessionToken.IsReferenceMode = true;
}
HTH
Filed under: ASP.NET, IdentityModel
