Owin authentication slidingexpiration not working with authentication mode None

Question
User1743392732 posted
I'm working with ASP.NET MVC application session, trying to implement ADFS authentication with OWIN using "UseCookieAuthentication" and "UseWsFederationAuthentication".
The ADFS authentication only works when I set authentication mode="None" in the web.config.
The problem is that when I set authentication mode="None" and, for example, session timeout = 2 minutes, the session ends at 2 minutes after the login. Sliding expiration is not working and the user gets logged out even while using the site.
When I set authentication mode="Forms" the session behaves perfectly and the user gets logged out only if 2 minutes passed after the last request, but the ADFS authentication stops working.
Does someone know something about this problem?
I need slidingExpiration to work with authentication mode="None"...
Code:
// The cookie middleware holds the local session; WS-Federation signs in to it.
app.SetDefaultSignInAsAuthenticationType(DefaultAuthenticationTypes.ApplicationCookie);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    CookieManager = new SystemWebCookieManager(),
    SlidingExpiration = true,
    ExpireTimeSpan = TimeSpan.FromMinutes((double)sessionTimeout),
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    CookieName = CookieAuthenticationDefaults.CookiePrefix + DefaultAuthenticationTypes.ApplicationCookie,
});
app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
{
    Wtrealm = realm,
    MetadataAddress = adfsMetadata,
    Wreply = replay,
    AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
    SignInAsAuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    // Cookie lifetime comes from ExpireTimeSpan above, not from the ADFS token.
    UseTokenLifetime = false
});
And web.config:
<sessionState timeout="2" cookieName="MB_SEID"></sessionState>
<authentication mode="None">
<forms loginUrl="~/Home/Index" defaultUrl="/" path="/" name="UID" timeout="2" protection="All" slidingExpiration="true" enableCrossAppRedirects="true" />
</authentication>
Monday, February 4, 2019 8:16 PM
All replies
User475983607 posted
Don't use Forms Authentication with OWIN cookie authentication. Forms Authentication is built into the .NET framework; OWIN is like a plugin framework. Also, sessionState in the web.config has nothing to do with OWIN Cookie authentication or ADFS.
Monday, February 4, 2019 8:35 PM
User1743392732 posted
Thanks a lot for your quick response.
mgebhard
Don't use Forms Authentication with OWIN cookie authentication. Forms Authentication is built into the .NET framework; OWIN is like a plugin framework. Also, sessionState in the web.config has nothing to do with OWIN Cookie authentication or ADFS.
I'm using authentication mode="None", but slidingExpiration is not working and the user gets logged out even if there is a request before the configured minutes of inactivity (2 minutes in my example).
The case with authentication mode="Forms" is only an example, because when using "Forms" session works well, but ADFS stops working.
Do you know why slidingExpiration is not working when I set authentication mode="None"?
I really appreciate your help.
(Post edited; I explained myself in the wrong way. Sorry, English is not my native language. Thank you for understanding.)
Monday, February 4, 2019 8:42 PM
User475983607 posted
I'm using authentication="None", but slidingExpiration is not working and user gets logged out if there is no request in the configured minutes (2 minutes in my example).
I do not understand the issue. Sounds like the configuration is working as expected. If the user does not make a request in 2 minutes then the cookie expires.
Monday, February 4, 2019 8:45 PM
User1743392732 posted
The problem is user gets logged out after the configured time even if using the site.
What I understand is that if slidingExpiration is set to true, cookie expiration will be increased if a request is made before expiration time finishes and the session will continue valid.
My problem is the session getting invalidated even if the user is using the site.
Monday, February 4, 2019 8:51 PM
User1743392732 posted
...
My problem is the session getting invalidated even if the user is using the site.
If someone knows something about this, please comment. I really would appreciate help from anyone, I'm desperate.
Thank you all for your time.
Tuesday, February 5, 2019 8:33 PM
User1743392732 posted
My configuration was alright. The problem was an internal session management unknown by me.
Thank you all for your help.
Thursday, February 7, 2019 4:34 PM
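The sliding-expiration behaviour discussed in this thread, as an added example that is not code from any poster or from the OWIN project: a stand-alone console model of the rule the OWIN cookie middleware documents for SlidingExpiration, where a request reissues the cookie only once more than half of the expiration window has passed. The `Ticket` class, the `Handle` function and the request timelines are constructed for illustration; the 2-minute lifetime matches the ExpireTimeSpan used in the question.

```csharp
using System;

// Model of the sliding-expiration decision (added example, not OWIN source).
// A ticket carries an issue time and an expiry time; a request renews it only
// when more time has elapsed than remains, i.e. past the halfway point.
static class SlidingExpirationModel
{
    sealed class Ticket
    {
        public TimeSpan Issued;
        public TimeSpan Expires;
    }

    // Evaluates one request at time 'now' and updates the ticket in place.
    static string Handle(Ticket t, TimeSpan now)
    {
        if (now >= t.Expires) return "rejected (expired, user must sign in again)";
        TimeSpan elapsed = now - t.Issued;
        TimeSpan remaining = t.Expires - now;
        if (remaining < elapsed)
        {
            TimeSpan lifetime = t.Expires - t.Issued;
            t.Issued = now;
            t.Expires = now + lifetime;
            return "renewed, new expiry " + t.Expires;
        }
        return "accepted, expiry unchanged " + t.Expires;
    }

    static void Main()
    {
        TimeSpan lifetime = TimeSpan.FromMinutes(2);   // ExpireTimeSpan from the thread
        // Constructed request times, in seconds after sign-in.
        var timelines = new[] {
            new[] { 30, 50, 130 },        // requests only in the first half of the window
            new[] { 30, 70, 150, 230 },   // one request in each second half
        };
        foreach (var timeline in timelines)
        {
            var t = new Ticket { Issued = TimeSpan.Zero, Expires = lifetime };
            Console.WriteLine("-- sign-in at 00:00:00");
            foreach (int s in timeline)
            {
                var now = TimeSpan.FromSeconds(s);
                Console.WriteLine(now + "  " + Handle(t, now));
            }
        }
    }
}
```

In the first timeline the user is active at 0:30 and 0:50 yet is rejected at 2:10, because neither request fell in the second half of the 2-minute window; with short timeouts this can look like sliding expiration not working at all.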