When using WIF, the client is able to set the persistentCookiesOnPassiveRedirects which by default is false. Here is the provided definition:
persistentCookiesOnPassiveRedirects: Specifies whether persistent
cookies are issued when the module is enabled to initiate
WS-Federation passive protocol redirects. A persistent cookie will
outlast user sessions.
OK that sounds clear, but I still do not get it, and changing the value between true/false does not seem to make any difference. Does it have anything to do with pulling up another site in a separate browser that trusts the same STS provider and making it so the user does not have to log in again?
I suppose an example of a site and STS working together would be really helpful to explain exactly what this setting does. Thanks!
It means that the FedAuth cookies issued by WIF will be persistent (as opposed to tied to a user session). If you close the browser and open it again, the cookies will still be sent to your site and token negotiation will not happen (you will not be redirected to the STS).
If it is false, each time you close the browser and open it again the negotiation will be triggered, because there's no token anymore. (Cookies are where WIF stores the information of the security token.)
Notice that the STS itself will also issue cookies (different from your app) and those might be persistent, so the actual authentication might not happen the second time even if you set the flag to false.
Notice also that WIF can optionally store the information it needs somewhere else (server side).
Last but not least, the token might expire, in that case the negotiation will be triggered regardless of the flag.
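As an added illustration (not part of the question or the answer above), here is the web.config fragment in which the flag lives, in the .NET 4.5 `system.identityModel.services` form; the WIF 3.5 equivalent sits under `microsoft.identityModel/service/federatedAuthentication` with the same attribute name. The issuer and realm URLs are placeholders.

```xml
<configuration>
  <system.identityModel.services>
    <federationConfiguration>
      <!-- persistentCookiesOnPassiveRedirects defaults to false: the FedAuth
           cookie is then a session cookie, so it is gone once the browser is
           closed and the next request is redirected to the STS again.
           Setting it to true makes the FedAuth cookie persistent, so a
           re-opened browser still presents it until the token expires. -->
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://sts.example.test/wsfed"
                    realm="https://app.example.test/"
                    requireHttps="true"
                    persistentCookiesOnPassiveRedirects="false" />
      <!-- Keep the cookie HTTPS-only whichever lifetime you choose. -->
      <cookieHandler requireSsl="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
```

With the flag set to true, a FedAuth cookie left behind on a shared machine stays usable until the token expires, which is the trade-off the answer describes; the token lifetime is decided by the STS, and expiry forces a new negotiation regardless of this flag.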