Best practices for Authentication

To benefit most of the authentication improvements, you should configure authentication settings properly. All of the steps below are optional, but we recommend to verify whether the default settings fit your environment needs.

• Turn on SSL/TLS on your site.
  Although Sitefinity CMS works on HTTP, we recommend to use HTTPS for your site.
  For more information, see Administration: Configure SSL.
• Configure the Identity server signing  certificate.
  This certificate is used to verify the issuer of the authentication token.
  For more information, see Authentication flow and certificates
• Configure expiration of the cookies and session stores. 
  Depending on the needs of your site you may change the default duration of the cookies.
  For more information, see Administration: Configure authentication expiration.
  You may use absolute expiration instead of the default sliding one. 
  • Absolute expiration
    Pros: Fixed window for an attack to abuse the site, if a sensitive information is stolen. SSL/TLS provides a protection from MITM attack. 
    Cons: If the absolute duration is small, it will require frequent re-authentication, which may be inconvenient. 
  • Sliding expiration (default)
    Pros: Convenient. You may configure relatively small time interval and, if the site is used actively, it will refresh automatically the cookies and extend the session. 
• Configure external authentication providers.
  For more information, see Administration: Configure external identity providers.