locked
How to set UseCookieAuthentication to expire when session expires RRS feed

  • Question

  • User-1188570427 posted

    I need my UseCookieAuthentication to expire after 15 minutes if there is no activity.

    The cookie is <g class="gr_ gr_20 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling" id="20" data-gr-id="20">setting</g> the time properly after I log in via Chrome.

    The issue is this: The time keep sliding even though I am NOT doing anything on my page or with my website.

    What else might cause the time to slide even though I'm not doing anything?

    If I set <g class="gr_ gr_19 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="19" data-gr-id="19">isPersistant</g>, does that automatically make it slide no matter what?

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
    AuthenticationType = defaultAuth,
    LoginPath = logInPath,
    CookieName = MiddlewareConstants.Cookie,
    CookieSecure = CookieSecureOption.Always,
    SlidingExpiration = true,
    ExpireTimeSpan = TimeSpan.FromMinutes(sessionTimeout)
    });

    If <g class="gr_ gr_18 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="18" data-gr-id="18">isPersistent</g> is TRUE, is that what is causing this?

                  await SignInAsync(user, true, false);

    Is the cookie working off the session time out setting at all?

    I've tried to change isPersitent to FALSE, but then the Expire time is not set in Chrome and it shows as N/A

    Thanks. 

    Friday, April 12, 2019 12:57 AM

All replies

  • User753101303 posted

    Hi,

    Do you have Ajax calls on your page ? A persistent cookie is kept when the navigator is closed (if not it won't survive closing the browser).

    It seems you are ttrying to sync the "browser session" and the "authentication session". Which problem are you trying to solve ?

    Friday, April 12, 2019 7:38 AM
  • User-1188570427 posted

    PatriceSc

    Hi,

    Do you have Ajax calls on your page ? A persistent cookie is kept when the navigator is closed (if not it won't survive closing the browser).

    It seems you are trying to sync the "browser session" and the "authentication session". Which problem are you trying to solve ?

    Yes, I believe we have things going on in the background every 30 seconds.

    I thought the "browser session" and the "authentication session" are the same? Or I want to the operate the same.

    Friday, April 12, 2019 1:23 PM
  • User475983607 posted

    Yes, I believe we have things going on in the background every 30 seconds.

    I thought the "browser session" and the "authentication session" are the same? Or I want to the operate the same.

    Session and Authentication are separate ASP.NET features.  Session is a cache and should operate as a cache.  For example, refill the cache if the cache is empty for any reason like a timeout.  Authentication is token that provides access to secured resources.  If the token has expired or does not exist then the user must re-authenticate.

    IMHO, you have a design bug if you need to sync Session and Authentication. 

    However, both have configuration where you can set the timeout to the identical values.  This is openly published information depending on the what kind of application and security API.  ASP.NET uses the web.config and maybe OWIN Auth.  Core uses DI.

    Friday, April 12, 2019 1:34 PM