I've been looking but I can't find a way of changing the expiry date for the Identity.TwoFactorRememberMe cookie that gets set when you call the signInManager.TwoFactorSignInAsync method and set the "remember client" parameter to true.
This method works great, but the default is 14 days which unfortunately doesn't suit the customer. They would prefer the cookie to be more persistent so their clients aren't filling in 2FA as frequently.
I'm using ASP.NET Core 2.1 - any answers I've come across so far look to be for older versions of Identity.
Thanks
To set a custom expiration time for the Two-Factor cookie, there look to be two different ways:

Option 1: Put the following in your startup after the services.AddAuthentication() call:

```csharp
services.Configure<CookieAuthenticationOptions>(
    IdentityConstants.TwoFactorRememberMeScheme, options =>
    {
        // this will override the default 14 day expire time
        options.ExpireTimeSpan = TimeSpan.FromDays(30);
    });
```
Though you should also think about renaming the cookie for information hiding - a quick Google search will reveal you are using ASP.NET Identity by looking at the default cookie name. That can be changed at the same time with the Cookie.Name property:

```csharp
services.Configure<CookieAuthenticationOptions>(
    IdentityConstants.TwoFactorRememberMeScheme, o =>
    {
        // this will override the default cookie name for information hiding
        o.Cookie.Name = "app.2fa.rememberme";
        // this will override the default 14 day expire time to 30 days
        o.ExpireTimeSpan = TimeSpan.FromDays(30);
    });
```
Option 2: You can change the name and expire time if you are using the AddIdentityCookies() call with your AddAuthentication() call:

```csharp
services.AddAuthentication().AddIdentityCookies(o =>
{
    o.TwoFactorRememberMeCookie.Configure(a => a.Cookie.Name = "app.2fa.rememberme");
});
```
Note that option 2 will not work if you are also using Identity Server, as it calls this during the UseIdentityServer() call.
For reference, I found out how to do this by looking through the Identity tests: https://github.com/aspnet/Identity/blob/c7276ce2f76312ddd7fccad6e399da96b9f6fae1/test/Identity.Test/IdentityOptionsTest.cs#L77. This is not documented anywhere that I could find and I struggled to finally figure this out. Hopefully this helps the next person that comes along looking how to do this.
While on the topic of information hiding - you may also want to consider renaming the TwoFactorUserId cookie that is used during the code validation upon successful login. That can be done the same way except the IdentityConstant is slightly different:

```csharp
services.Configure<CookieAuthenticationOptions>(
    IdentityConstants.TwoFactorUserIdScheme, options =>
    {
        options.Cookie.Name = "app.2fa.userid";
    });
```

```csharp
services.AddAuthentication().AddIdentityCookies(o =>
{
    o.TwoFactorUserIdCookie.Configure(a => a.Cookie.Name = "app.2fa.userid");
});
```
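An added example, not part of the answer above and not code from the Identity project: a longer-lived remember-me cookie lets whoever holds it skip the second factor for longer, so this sketch pairs the Option 1 settings with explicit cookie attributes and a way for the user to revoke the cookie on the current browser. The extension method, the controller and the redirect target are hypothetical names; the cookie name is the one used in the answer.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class TwoFactorCookieSetup // hypothetical helper
{
    // Call from Startup.ConfigureServices after AddIdentity()/AddAuthentication().
    public static IServiceCollection ConfigureTwoFactorRememberMe(
        this IServiceCollection services, TimeSpan lifetime)
    {
        services.Configure<CookieAuthenticationOptions>(
            IdentityConstants.TwoFactorRememberMeScheme, options =>
            {
                options.Cookie.Name = "app.2fa.rememberme";
                options.ExpireTimeSpan = lifetime;
                // The cookie stands in for the second factor: keep it out of
                // reach of scripts and never send it over plain HTTP.
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.SameSite = SameSiteMode.Lax;
            });
        return services;
    }
}

[Authorize]
public class TwoFactorController : Controller // hypothetical controller
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public TwoFactorController(SignInManager<IdentityUser> signInManager)
        => _signInManager = signInManager;

    // Deletes the remember-me cookie so the next sign-in from this
    // browser asks for the second factor again.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> ForgetThisBrowser()
    {
        await _signInManager.ForgetTwoFactorClientAsync();
        return RedirectToAction("Index", "Home"); // hypothetical target
    }
}
```

In Startup this would be called as `services.ConfigureTwoFactorRememberMe(TimeSpan.FromDays(30));`.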