How long will my user be authenticated?

  • Question

  • User390177474 posted

    Hello. I am authenticating my users with OpenIDConnect Owin, Azure AD Microsoft login.

    I would like to know how long Request.IsAuthenticated with Owin Middleware will return true after a user has logged in with Microsoft.

    Is this linked to the expiration time of the ID-token? If so, can I change the expiration time somehow?

    Wednesday, June 24, 2020 1:46 PM

Answers

  • User475983607 posted

    It is typical for a remote authentication server to set a cookie as well. When the site authentication cookie expires, the browser is redirected to the remote authentication server. The remote server finds the cookie it set when the user logged in and redirects back to your site.

    This would be a configuration setting on Azure AD. From the docs: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

    Azure AD uses two kinds of SSO session tokens: persistent and nonpersistent. Persistent session tokens are stored as persistent cookies by the browser. Nonpersistent session tokens are stored as session cookies. (Session cookies are destroyed when the browser is closed.) Usually, a nonpersistent session token is stored. But, when the user selects the Keep me signed in check box during authentication, a persistent session token is stored.

    Nonpersistent session tokens have a lifetime of 24 hours. Persistent tokens have a lifetime of 90 days. Anytime an SSO session token is used within its validity period, the validity period is extended another 24 hours or 90 days, depending on the token type. If an SSO session token is not used within its validity period, it is considered expired and is no longer accepted.

    You can use a policy to set the time after the first session token was issued beyond which the session token is no longer accepted. (To do this, use the Session Token Max Age property.) You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials, instead of being silently authenticated, when using a web application.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, June 24, 2020 3:24 PM
  • User1535942433 posted

    Hi william12512512,

    So just to see if I understand correctly. If I log in to my application, without closing my browser for 24 hours. Then after 24 hours refresh my site, and my code checks Request.IsAuthenticated, it will return false?

    As far as I think, your thinking is right. When the site authentication cookie expires, the browser is redirected to the remote authentication server.

    Best regards,

    Yijing Sun

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, June 26, 2020 7:11 AM

All replies

  • User475983607 posted

    Once the user authenticates with the authentication server, the browser is redirected back to your site. Your configuration sets the authentication cookie timeout and from that point on your site, not Azure AD, validates the authentication cookie.

    Your login logic determines if the cookie persists or expires when the browser closes. You can configure a sliding expiration and the ExpireTimeSpan setting in your OWIN startup configuration.

    General configuration with example code.

    https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp

    Cookie options, which include the ExpireTimeSpan setting.

    https://docs.microsoft.com/en-us/previous-versions/aspnet/dn385599(v%3Dvs.113)

    https://docs.microsoft.com/en-us/previous-versions/aspnet/mt152258%28v%3dvs.113%29

    https://forums.asp.net/t/2119940.aspx?What+is+default+timeout+value+for+CookieAuthenticationOptions+in+asp+net+core+MVC

    Wednesday, June 24, 2020 2:14 PM
  • User390177474 posted

    Once the user authenticates with the authentication server, the browser is redirected back to your site. Your configuration sets the authentication cookie timeout and from that point on your site, not Azure AD, validates the authentication cookie.

    Your login logic determines if the cookie persists or expires when the browser closes. You can configure a sliding expiration and the ExpireTimeSpan setting in your OWIN startup configuration.

    General configuration with example code.

    https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp

    Cookie options, which include the ExpireTimeSpan setting.

    https://docs.microsoft.com/en-us/previous-versions/aspnet/dn385599(v%3Dvs.113)

    https://docs.microsoft.com/en-us/previous-versions/aspnet/mt152258%28v%3dvs.113%29

    https://forums.asp.net/t/2119940.aspx?What+is+default+timeout+value+for+CookieAuthenticationOptions+in+asp+net+core+MVC

    Thank you. When I try to add

    app.UseCookieAuthentication(new CookieAuthenticationOptions() {
        ExpireTimeSpan = TimeSpan.FromSeconds(5),
    });

    to my Startup.cs above my

    app.UseOpenIdConnectAuthentication(

    I try to log in with Microsoft. Then try refreshing my site after 5 seconds. It still keeps me authenticated however. Request.IsAuthenticated() keeps returning true.

    Wednesday, June 24, 2020 3:11 PM
  • User475983607 posted

    It is typical for a remote authentication server to set a cookie as well. When the site authentication cookie expires, the browser is redirected to the remote authentication server. The remote server finds the cookie it set when the user logged in and redirects back to your site.

    This would be a configuration setting on Azure AD. From the docs: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

    Azure AD uses two kinds of SSO session tokens: persistent and nonpersistent. Persistent session tokens are stored as persistent cookies by the browser. Nonpersistent session tokens are stored as session cookies. (Session cookies are destroyed when the browser is closed.) Usually, a nonpersistent session token is stored. But, when the user selects the Keep me signed in check box during authentication, a persistent session token is stored.

    Nonpersistent session tokens have a lifetime of 24 hours. Persistent tokens have a lifetime of 90 days. Anytime an SSO session token is used within its validity period, the validity period is extended another 24 hours or 90 days, depending on the token type. If an SSO session token is not used within its validity period, it is considered expired and is no longer accepted.

    You can use a policy to set the time after the first session token was issued beyond which the session token is no longer accepted. (To do this, use the Session Token Max Age property.) You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials, instead of being silently authenticated, when using a web application.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, June 24, 2020 3:24 PM
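    The two lifetimes discussed in this thread (the site's own cookie, governed by CookieAuthenticationOptions, and Azure AD's SSO session cookie, which silently re-signs the user in once the site cookie lapses) can be made explicit in one OWIN Startup. The following is an added example written for this thread, not code from either poster or from the linked Microsoft tutorial. The client id, tenant, redirect URI, the 20-minute window and the ForceInteractiveLoginOnChallenge switch are placeholder values chosen for illustration. One caveat it encodes that the thread does not state: the OWIN OpenID Connect middleware's UseTokenLifetime option defaults to true, in which case the application cookie's ticket inherits the ID token's expiry and ExpireTimeSpan is ignored; that is one reason a short ExpireTimeSpan may appear to have no effect.

```csharp
// Added example (not from the forum thread): OWIN Startup pairing the cookie
// middleware with Azure AD OpenID Connect so the site cookie lifetime is explicit.
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(ExampleApp.Startup))]

namespace ExampleApp
{
    public class Startup
    {
        // Placeholders: substitute the values from your own app registration.
        private const string ClientId = "<client-id>";
        private const string Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0";
        private const string RedirectUri = "https://localhost:44300/";

        // Assumed switch for this example. When true, every challenge sent to
        // Azure AD carries prompt=login, so an expired site cookie results in a
        // real credential prompt instead of a silent sign-in from the SSO session.
        private const bool ForceInteractiveLoginOnChallenge = false;

        public void Configuration(IAppBuilder app)
        {
            // The cookie middleware is the sign-in target: after Azure AD returns,
            // the OIDC middleware issues the application cookie through it.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                // The site validates this cookie on every request; Request.IsAuthenticated
                // is true only while the ticket inside it has not expired.
                ExpireTimeSpan = TimeSpan.FromMinutes(20),
                // Sliding: a request in the second half of the window reissues the cookie.
                SlidingExpiration = true,
                // Defensive defaults for a bearer cookie: TLS only, not readable by script.
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true,
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = Authority,
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = RedirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile,
                ResponseType = OpenIdConnectResponseType.IdToken,
                // Default is true, which makes the cookie ticket expire with the ID token
                // and silently overrides ExpireTimeSpan above. False hands control of the
                // session length to CookieAuthenticationOptions.
                UseTokenLifetime = false,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = n =>
                    {
                        if (ForceInteractiveLoginOnChallenge)
                        {
                            // Standard OIDC request parameter; asks the IdP to re-prompt.
                            n.ProtocolMessage.Prompt = "login";
                        }
                        return Task.FromResult(0);
                    },
                    AuthenticationFailed = n =>
                    {
                        // Do not leave a failed callback to fall through to the default
                        // handler; surface it on an error page of the application.
                        n.HandleResponse();
                        n.Response.Redirect("/Error?message=" + Uri.EscapeDataString(n.Exception.Message));
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

    With UseTokenLifetime left at its default, ExpireTimeSpan = TimeSpan.FromSeconds(5) from the earlier post is never applied, because the ticket's expiry is copied from the ID token instead. With it set to false, the site cookie does expire after the configured window; what happens next is decided by Azure AD's SSO session (24 hours non-persistent, 90 days with "Keep me signed in", as quoted above): a plain challenge is answered silently, and only a prompt=login challenge forces credentials to be re-entered.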
  • User390177474 posted

    It is typical for a remote authentication server to set a cookie as well. When the site authentication cookie expires, the browser is redirected to the remote authentication server. The remote server finds the cookie it set when the user logged in and redirects back to your site.

    This would be a configuration setting on Azure AD. From the docs: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

    Azure AD uses two kinds of SSO session tokens: persistent and nonpersistent. Persistent session tokens are stored as persistent cookies by the browser. Nonpersistent session tokens are stored as session cookies. (Session cookies are destroyed when the browser is closed.) Usually, a nonpersistent session token is stored. But, when the user selects the Keep me signed in check box during authentication, a persistent session token is stored.

    Nonpersistent session tokens have a lifetime of 24 hours. Persistent tokens have a lifetime of 90 days. Anytime an SSO session token is used within its validity period, the validity period is extended another 24 hours or 90 days, depending on the token type. If an SSO session token is not used within its validity period, it is considered expired and is no longer accepted.

    You can use a policy to set the time after the first session token was issued beyond which the session token is no longer accepted. (To do this, use the Session Token Max Age property.) You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials, instead of being silently authenticated, when using a web application.

    Thank you. That makes sense. 

    So just to see if I understand correctly. If I log in to my application, without closing my browser for 24 hours. Then after 24 hours refresh my site, and my code checks Request.IsAuthenticated, it will return false?

    Because right now, it doesn't seem to save IsAuthenticated, just skips the Microsoft login process when I click my "Login with Microsoft" button.

    Thursday, June 25, 2020 8:57 AM
  • User1535942433 posted

    Hi william12512512,

    So just to see if I understand correctly. If I log in to my application, without closing my browser for 24 hours. Then after 24 hours refresh my site, and my code checks Request.IsAuthenticated, it will return false?

    As far as I think, your thinking is right. When the site authentication cookie expires, the browser is redirected to the remote authentication server.

    Best regards,

    Yijing Sun

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, June 26, 2020 7:11 AM