Lifetime of auth cookie not starting until session is over.

  • Question

  • User-462241089 posted

    I noticed that my auth cookie is not dying after 1 hour, like it should.

    //in startup.cs
    . . .
    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options =>
        {
            options.LoginPath = "/Login/UserLogin";
            options.Cookie.IsEssential = true;
            options.SlidingExpiration = true;
            options.ExpireTimeSpan = TimeSpan.FromSeconds(10);
        });

    //in login controller
    . . .
    HttpContext.Session.SetString("UserName", user.username);
    var role = GetUserRole(user);
    //Code copied from
    //https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-3.1
    var claims = new List<Claim>
    {
        new Claim(ClaimTypes.Name, user.username),
        new Claim("username", user.username),
        new Claim(ClaimTypes.Role, role),
    };
    var claimsIdentity = new ClaimsIdentity(
        claims, CookieAuthenticationDefaults.AuthenticationScheme);
    var authProperties = new AuthenticationProperties
    {
        AllowRefresh = false,
        ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(60),
        IsPersistent = false
    };


    I think this might be because I have my session set to close after one hour, too.

                services.AddSession(options =>
                {
                    options.IdleTimeout = TimeSpan.FromSeconds(3600);
                    options.Cookie.HttpOnly = true;
                    options.Cookie.IsEssential = true;
                });

    Now, I use the session to display the currently logged-in user's username on my web app, so I need the session to last for the one hour a user is allowed to stay logged in.

        string name = HttpContextAccessor.HttpContext.Session.GetString("UserName");
    . . .

    <h3>@name</h3>

    Their login is handled with cookie authentication, of course. However, I just noticed this problem in my app. It is taking two hours after logging in to see my cookie expire, and after one hour, I see my user's username disappear from the app page (indicating that the session has closed).

    Is my assumption correct? Is the cookie not starting its timeout countdown until the session is closed?

    Is it possible to set my cookie to delete if the session closes? I need them both to close after one hour.

    Wednesday, December 16, 2020 2:50 AM

Answers

  • User-1330468790 posted

    Hi MarcusAtMars,

    Based on the code you provided, it should not have such weird behaviour. There might be some other code/setting that leads to this result.

    You could recreate a simple demo and only add authentication cookies and session cookies to do a test. They will expire at their own expiry times.

    Is my assumption correct? Is the cookie not starting its timeout countdown until the session is closed?

    One thing that we could confirm is that the 'Authentication Cookies' do not conflict with "Session". For example, if the auth cookie should expire after 15 sec and the session cookie should expire after 10 sec, the auth cookie will expire 5 sec after the session cookie expires.

    Is it possible to set my cookie to delete if the session closes? I need them both to close after one hour.

    You could write a filter to check the session timeout and add it where you need it.

    For example, 

    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.Filters;

    public class SessionTimeoutAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // ASP.NET Core has no static HttpContext.Current; read the request's context from the filter
            HttpContext ctx = filterContext.HttpContext;
            if (ctx.Session.GetString("UserName") == null)
            {
                // session entry is gone (idle timeout reached): send the user back to the login page
                filterContext.Result = new RedirectResult("~/Controller/Login");
                return;
            }
            base.OnActionExecuting(filterContext);
        }
    }

    Apart from that, you might need to add the code below, as the authentication cookie will be cleared when you reach the login page.

    // Clear the existing external cookie
    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

    Hope this helps.

    Best regards,

    Sean

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, December 17, 2020 11:38 AM
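The following is an added example, not code from either post, showing one way to make the authentication cookie and the session share a single one-hour lifetime in ASP.NET Core 3.1 and to sign the user out as soon as the session entry disappears. It assumes a `LoginController.UserLogin` action with hypothetical `username` and `role` parameters, and a default `Home/Index` route; `AuthLifetime`, `RequireLiveSessionFilter` and the parameter names are invented for the example. Note that setting `ExpiresUtc` on `AuthenticationProperties` at sign-in overrides `ExpireTimeSpan` from the cookie options, which is why the login action below leaves it unset.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical holder for the one lifetime both mechanisms share, so they cannot drift apart.
public static class AuthLifetime
{
    public static readonly TimeSpan Lifetime = TimeSpan.FromHours(1);
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Login/UserLogin";
                options.Cookie.IsEssential = true;
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.SlidingExpiration = false;             // absolute one-hour lifetime, no renewal
                options.ExpireTimeSpan = AuthLifetime.Lifetime; // governs the ticket when ExpiresUtc is unset
            });

        services.AddSession(options =>
        {
            options.IdleTimeout = AuthLifetime.Lifetime;       // same one hour as the auth ticket
            options.Cookie.HttpOnly = true;
            options.Cookie.IsEssential = true;
        });

        // Apply the filter globally so every MVC action checks the session (hypothetical filter below).
        services.AddControllersWithViews(o => o.Filters.Add<RequireLiveSessionFilter>());
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseSession();        // load the session before the MVC filter pipeline runs
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

// If the caller still holds a valid auth cookie but the session entry has timed out,
// revoke the cookie and send them back to the login page instead of only hiding the name.
public class RequireLiveSessionFilter : IAsyncActionFilter
{
    public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
    {
        var http = context.HttpContext;
        bool authenticated = http.User.Identity?.IsAuthenticated == true;
        bool sessionAlive = http.Session.GetString("UserName") != null;

        if (authenticated && !sessionAlive)
        {
            await http.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            context.Result = new RedirectResult("/Login/UserLogin");
            return;
        }
        await next();
    }
}

public class LoginController : Controller
{
    [HttpPost]
    public async Task<IActionResult> UserLogin(string username, string role) // hypothetical parameters
    {
        HttpContext.Session.SetString("UserName", username);

        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, username),
            new Claim(ClaimTypes.Role, role),
        };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);

        // ExpiresUtc deliberately left unset so ExpireTimeSpan from the cookie options applies.
        var props = new AuthenticationProperties { IsPersistent = false, AllowRefresh = false };
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity), props);
        return RedirectToAction("Index", "Home");
    }
}
```

The filter runs after `UseSession` has loaded the session, so a request whose auth cookie is still within its hour but whose session entry has already idled out is signed out at the server rather than merely losing its displayed username; with both lifetimes driven by the same constant, the two expiries are expected to land together rather than an hour apart.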