
My identity authentication setup seems to ignore the .AspNetCore.Identity.Application cookie after it exceeds browser session or something else (at around 30 minutes). I can set the application cookie expiration to shorter periods like 1 minute, and that will work as expected, but when I try something like 10 hours, something else forces a logout by 30-ish minutes. I can't tell which part is causing the log out. I set IsPersistent to true by checking Remember Me. I can see the cookie in the browser, and the expires/Max-Age is being set to 10 hours, and doesn't disappear when I get kicked to the login.

Looked at this (and many similar questions): ASP.NET Core MVC: setting expiration of identity cookie

Used this for Ajax actions: Handling session timeout with Ajax in .NET Core MVC

Startup.cs

    services.AddIdentity<EntityFramework.ApplicationUser, IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

    services.Configure<IdentityOptions>(options =>
    {
        // Password options
        options.Password.RequiredLength = 8;
        options.Password.RequiredUniqueChars = 3;

        // Lockout options
        options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
    });

    services.ConfigureApplicationCookie(options =>
    {
        // Timeout span
        options.Cookie.Expiration = TimeSpan.FromHours(10);
        options.ExpireTimeSpan = TimeSpan.FromHours(10);
        options.Cookie.MaxAge = TimeSpan.FromHours(10);
        options.LoginPath = "/Account/Login";

        // https://stackoverflow.com/questions/55344665/handling-session-timeout-with-ajax-in-net-core-mvc
        options.Events.OnRedirectToLogin = (context) =>
        {
            // Identify if Ajax (JSON request)
            if (context.Request.ContentType != null && context.Request.ContentType.Contains("application/json"))
            {
                context.HttpContext.Response.StatusCode = 401;
            }
            else
            {
                context.Response.Redirect(context.RedirectUri);
            }
            return Task.CompletedTask;
        };
    });

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = IdentityConstants.ApplicationScheme;
    });

In my Login action

    await _signInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, lockoutOnFailure: false);
Joshua Lee
  • Add some breakpoints or add logging to identify what code is executed to narrow it down. For example, are you sure the content type is always lower case `application/json` and not something like `Application/JSON`? – Silvermind Jul 16 '19 at 19:15
  • Additionally, I would set the sliding expiration of the cookie to true. With each login the expiration will be reset to the configured value. – Peter Jul 16 '19 at 20:08
  • Any answers to this question? – Subliminal Hash Feb 27 '21 at 11:28
  • This seems similar to https://stackoverflow.com/questions/45595615/cookie-authentication-expiring-too-soon-in-asp-net-core – Keith Lubell Oct 25 '21 at 13:38

0 Answers