ASP.NET Core Identity 3 Cookie timeout

Question

I have a weird issue happening with RC2.

I have setup Identity 3 ExpireTimeSpan to 12 hours using the following configuration option

options.Cookies.ApplicationCookie.ExpireTimeSpan = new TimeSpan(12,0,0);

After logging in to the website and leaving it untouched for ~35-40mins, I get a 401 error (for my ajax post calls) and refreshing the website, I get back to the login page.

Why do I have to reauthenticate when I have setup the ExpireTimeSpan to 12hours?

Is there another setting or configuration that I need?

Also,

How can I get the time left before the expiry occurs? I would like to access that information so I could warn my users that their session will expire after X time.

Thanks!

Answer 1

I found the problem

The problem lies with the SecurityStamp mechanism. By default, every 30 minutes, the security stamp is validated. This mostly due to the fact that sign in everywhere is an option. The security stamp is updated usually in identity when the user changes password for instance. This will make all the locations where the user has signed on (except the one where he changed his password) sign out after 30mins because the stamp (usually a guid) has changed.

To implement this functionality, Implement the ISecurityStampStore<T> interface in your UserStore and implement the GetSecurityStampAsync(User user, CancellationToken cancellationToken) method

For more info you can check the security stamp validator code and the reason why it signs you out after 30mins

https://github.com/aspnet/Identity/blob/dev/src/Microsoft.AspNetCore.Identity/SecurityStampValidator.cs

Note: The options.SecurityStampValidationInterval can be set to increase the time check, but it doesn't resolve the problem. After X time, you will still be signed out.