ASP.NET MVC5 Identity - Cookie expiration

  • Question

  • User423024577 posted

    Hi.

    I need your help or suggestions for the "MVC5 Identity - Cookie expiration".

    For a business application our users are demanding that they can choose an individual expiration time between 10 and 60 minutes. The second requirement of our customers is that this expiration time has to be counted always from their LAST action.

    At the moment we have a general expiration timespan of 20 minutes with "slidingexpiration=true" for all users. So first of all we need to set an individual expiration timespan per user.

    The second requirement "counting timespan from LAST ACTION" is more complicated. As you know, the slidingexpiration only works if the request happens after more than half of the timespan has elapsed (because of some performance reason). But the users don't understand this behaviour and they don't care about it (many discussions with our users in the past and long stories to tell). So they are demanding something like the session behaviour. (I don't want to use sessions in any way for this, because sessions can get lost in other ways, which will cause unexpected logouts).

    A third "requirement" is that it should work with multiple tabs in one browser.

    I think it is not possible to fully handle this on the server side - because changing the sliding expiration behaviour will decrease the performance. I think I will need some client-side assistance for this. But for example if the time is reached and I'm redirecting with javascript/jquery and something goes wrong (redirecting doesn't happen or can't be performed or whatever) then the log off may not happen. The second thing is that it will also log off if the user hasn't done any action in one browser tab, but the log off should only happen if there was no action in all tabs.

    I hope you have any suggestions to solve these requirements.

    Saturday, April 25, 2020 7:47 AM

All replies

  • User475983607 posted

    You never explained the actual problem you are trying to solve.   My answers assume the users want a JavaScript timer that counts down login expiration due to inactivity.

    So first of all we need to set an individual expiration timespan per user.

    You'll need a column in the user table that stores the user's timeout preference in seconds.  Set the token expiration and authentication cookie expiration to the user's preference within the login action.  

    The second requirement "counting timespan from LAST ACTION" is more complicated.

    This is straight forward state management.  Store the timeout preference and the DateTime of the current request in a "login expiration" cookie.  The Datetime must be set on every request.   Write a little JavaScript application that fetches the login expiration cookie values and assigns the two values to JavaScript variables when the page loads.  Name the variables expirationInSeconds and lastRequestDatetime

    All you have to do from there is start a JavaScript timer that decrements the expiration value every second.

    A third "requirement" is that it should work with multiple tabs in one browser.

    Modify the JavaScript application above to check the cookie's last request value on every timer tick.  If the last request DateTime has changed then simply reset the two JavaScript variables to the values found in the cookie.  This works because cookies are set at the browser level, not the tab.  All tabs see the same cookie.

    Saturday, April 25, 2020 10:49 AM
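One way to do the server-side half of what the reply above describes (set the authentication cookie's expiration to the user's preference in the login step) with ASP.NET Identity 2.x on OWIN. This is an added example, not code from the thread or from the ASP.NET Identity project. It assumes the MVC5 template's ApplicationUser / ApplicationUserManager / ApplicationSignInManager types and a hypothetical int column ApplicationUser.SessionTimeoutMinutes holding the stored preference; only the overridden method is shown, the template's other members (Create, CreateUserIdentityAsync) stay as they are.

```csharp
// Added example, not code from the thread: per-user cookie lifetime at sign-in
// with ASP.NET Identity 2.x on OWIN/Katana.
// Assumptions (not in the original post): the MVC5 template's ApplicationUser,
// ApplicationUserManager and ApplicationSignInManager types, and a hypothetical
// int column ApplicationUser.SessionTimeoutMinutes holding the preference (10..60).
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public class ApplicationSignInManager : SignInManager<ApplicationUser, string>
{
    public ApplicationSignInManager(ApplicationUserManager userManager,
                                    IAuthenticationManager authenticationManager)
        : base(userManager, authenticationManager)
    {
    }

    // PasswordSignInAsync ends in this virtual method, so overriding it is enough:
    // the Login action keeps calling SignInManager.PasswordSignInAsync unchanged.
    // Katana's CookieAuthenticationHandler applies Options.ExpireTimeSpan only when
    // the ticket carries no ExpiresUtc, and a sliding renewal re-issues the ticket
    // for (ExpiresUtc - IssuedUtc), so the per-user lifetime set here survives renewals.
    public override async Task SignInAsync(ApplicationUser user, bool isPersistent, bool rememberBrowser)
    {
        // Clamp on the server: a preference stored outside the allowed range
        // (bad data, or a tampered profile form) must not yield a longer session.
        int minutes = Math.Min(60, Math.Max(10, user.SessionTimeoutMinutes));

        ClaimsIdentity userIdentity = await CreateUserIdentityAsync(user);
        DateTimeOffset now = DateTimeOffset.UtcNow;
        var props = new AuthenticationProperties
        {
            IsPersistent = isPersistent,
            IssuedUtc = now,
            ExpiresUtc = now.AddMinutes(minutes)
        };

        // Same as the base implementation: drop partial external / two-factor cookies.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie,
                                      DefaultAuthenticationTypes.TwoFactorCookie);

        if (rememberBrowser)
        {
            ClaimsIdentity rememberBrowserIdentity =
                AuthenticationManager.CreateTwoFactorRememberBrowserIdentity(ConvertIdToString(user.Id));
            AuthenticationManager.SignIn(props, userIdentity, rememberBrowserIdentity);
        }
        else
        {
            AuthenticationManager.SignIn(props, userIdentity);
        }
    }
}
```

The ExpireTimeSpan configured in Startup.Auth.cs then only acts as the default for tickets issued without an explicit ExpiresUtc. Note that with IsPersistent = true the browser-side cookie expiry is also set to ExpiresUtc, so "remember me" is bounded by the same per-user lifetime, which is what you want for a timeout preference.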
  • User423024577 posted

    You'll need a column in the user table that stores the user's timeout preference in seconds.

    How else? It's clear that I have to save this somewhere in a database... and that I have to assign it at the login step. But I haven't specified my question in detail - my fault.

    Question: How can I set an individual ExpireTimeSpan?

    At the startup (startup.auth.cs) file I have configured an ExpireTimeSpan = TimeSpan.FromMinutes(20). I have also configured SlidingExpiration = true.

    On the Login Step "await SignInManager.PasswordSignInAsync" there is no option to set a custom ExpireTimeSpan. Do you have an example to set an individual ExpireTimeSpan at the login step?

    You never explained the actual problem you are trying to solve.   My answers assume the users want a JavaScript timer that counts down login expiration due to inactivity.

    I have explained it:

    At the moment we have a general expiration timespan of 20 minutes with "slidingexpiration=true" for all users.
    Then I have explained the two main requirements: Individual expiration timespan and that the "slidingexpiration" doesn't fit for the users - they are demanding an expiration XX minutes from last action. But this is not how "slidingexpiration" works (only if the last action happens more than half of time).

    But for better understanding I will give you an example:
    A masseur therapist is doing his therapies for 20min. ExpirationTimeSpan = 30min.

    Login to software at 09:00. Talking with patient about the therapy plan and doing some administrative work in the software until 09:12 (last request = 09:12). The masseur therapist starts the therapy for 20mins (no requests) => ends at 09:32 (masseur therapist not leaving the room). Now the masseur therapist wants to note something in the software at his patient data => but now he is logged out because the authentication cookie has expired at 09:30. The masseur therapist assumes that he is logged in until 09:42, because his last request was at 09:12.

    But the slidingexpiration will only work if he has made a request after 09:15.

    As I found, the "slidingexpiration" behaviour is because of some performance reasons. So just manually setting the slidingexpiration of the authentication cookie at every request will decrease the performance. Because of this I will need a suitable solution.

    I would need a suggestion how to provide the customer a way that he is logged in XX minutes from his last request (not only in the second half of the timespan) - without decreasing the performance.

    This is straight forward state management.  Store the timeout preference and the DateTime of the current request in a "login expiration" cookie.  The Datetime must be set on every request.   Write a little JavaScript application that fetches the login expiration cookie values and assigns the two values to JavaScript variables when the page loads.  Name the variables expirationInSeconds and lastRequestDatetime

    All you have to do from there is start a JavaScript timer that decrements the expiration value every second.

    This will not solve the problem or have I missed something? This isn't synchronized with the ASP.NET Identity authorization cookie? The javascript timer would show "logout in 10 minutes" but the authorization cookie has expired already => A request within the next 10min will cause a redirect to login page.

    Saturday, April 25, 2020 7:05 PM
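To make the "half of the timespan" behaviour concrete, here is a small console model of Katana's sliding-expiration rule replaying the masseur timeline from the post above. This is an added example, not code from the thread or from the OWIN cookie middleware itself; it mirrors the check in CookieAuthenticationHandler (a ticket is renewed only when the time elapsed since IssuedUtc exceeds the time remaining until ExpiresUtc, and a renewal keeps the original lifetime) and adds a hypothetical "renew on every request" mode for comparison. The timestamps are constructed from the post.

```csharp
// Added example, not code from the thread or from Katana: a model of the
// sliding-expiration check in Microsoft.Owin.Security.Cookies, plus a
// hypothetical "renew on every request" mode for comparison. Times are
// constructed from the masseur timeline in the post (login 09:00, 30 min lifetime).
using System;

public sealed class Ticket
{
    public DateTimeOffset IssuedUtc;
    public DateTimeOffset ExpiresUtc;
    public TimeSpan Lifetime => ExpiresUtc - IssuedUtc;
}

public static class SlidingExpirationModel
{
    // Returns false when the request would be rejected (ticket already expired).
    // With renewEveryRequest == false this is Katana's rule: renew only when
    // elapsed > remaining, i.e. only in the second half of the lifetime.
    public static bool OnRequest(Ticket t, DateTimeOffset now, bool renewEveryRequest, out bool renewed)
    {
        renewed = false;
        if (t.ExpiresUtc < now)
            return false;

        TimeSpan elapsed = now - t.IssuedUtc;
        TimeSpan remaining = t.ExpiresUtc - now;
        if (renewEveryRequest || elapsed > remaining)
        {
            TimeSpan lifetime = t.Lifetime;   // renewal keeps the original lifetime
            t.IssuedUtc = now;
            t.ExpiresUtc = now + lifetime;
            renewed = true;
        }
        return true;
    }

    static void Replay(string label, bool renewEveryRequest, params int[] minutesAfterLogin)
    {
        var login = new DateTimeOffset(2020, 4, 25, 9, 0, 0, TimeSpan.Zero);
        var t = new Ticket { IssuedUtc = login, ExpiresUtc = login.AddMinutes(30) };
        Console.WriteLine(label);
        foreach (int m in minutesAfterLogin)
        {
            DateTimeOffset now = login.AddMinutes(m);
            bool ok = OnRequest(t, now, renewEveryRequest, out bool renewed);
            Console.WriteLine("  {0:HH:mm} request -> {1}{2}, ticket expires {3:HH:mm}",
                now,
                ok ? "authenticated" : "REJECTED (expired)",
                renewed ? ", renewed" : "",
                t.ExpiresUtc);
        }
    }

    public static void Main()
    {
        // The post's timeline: last real request 09:12, next request 09:32.
        Replay("Katana sliding expiration, requests at 09:12 and 09:32:", false, 12, 32);
        // Same timeline, but the 09:12 request is moved past the half-way point.
        Replay("Katana sliding expiration, requests at 09:16 and 09:32:", false, 16, 32);
        // What the users are asking for: lifetime counted from every request.
        Replay("Renew on every request (hypothetical), requests at 09:12 and 09:32:", true, 12, 32);
    }
}
```

Running it shows the three cases: with Katana's rule the 09:12 request does not renew (12 minutes elapsed, 18 remaining), so 09:32 is rejected; a request at 09:16 does renew and pushes expiry to 09:46; renewing on every request moves expiry to 09:42 at 09:12 and accepts 09:32. The price of the last mode is what the post refers to: every authenticated response carries a Set-Cookie with a freshly protected ticket. Whichever mode you choose, a cookie that slides indefinitely has no absolute cap, so it is worth also enforcing a maximum session age (for example by checking the original sign-in time in the cookie provider's identity validation) so a stolen cookie cannot be kept alive forever.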