I have an ASP.NET MVC web app which is using Azure AD B2C to authenticate the users. The cookie in the ASP.NET MVC app is set to expire after a 20-minute rolling timeout. The settings in AD B2C are as follows:
Here is the sequence:
Why is the Azure AD B2C cookie not expiring and the user not being asked to authenticate again? I would assume that using the settings above in AD B2C should cause the user to re-login, which is my desired behaviour.
Note: the "Keep me signed in" option is disabled and cannot be set by the user.
Also, I am not using the offline_access scope and hence a refresh token is not given to my app. So it is not the refresh token that is causing the issue.
You might be experiencing the same issue as I have. See the answer on Azure AD B2C logout after session timeout
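For context on the setup described in the question, here is an added example (not code from the question, the answer, or Microsoft) of an OWIN startup for an ASP.NET MVC app behind Azure AD B2C. It assumes placeholder values for the tenant, user flow and client id, and shows why a 20-minute sliding app cookie alone does not force re-authentication: when it expires, the app only redirects to B2C, and B2C's own web session cookie can satisfy that request silently. Setting the standard OpenID Connect `prompt=login` parameter on the outgoing challenge is one way to require fresh credentials; shortening the web app session lifetime in the B2C user flow is the other.

```csharp
// Added example, not from the original post. Tenant, policy and client id are placeholders.
using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Placeholders: replace with your own tenant name, user flow and application id.
    const string TenantName = "yourtenant";
    const string SignUpSignInPolicy = "B2C_1_susi";
    const string ClientId = "00000000-0000-0000-0000-000000000000";

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        // The app's own session: a 20-minute sliding cookie, as in the question.
        // Expiry of this cookie only triggers a new challenge to B2C; it does not end
        // the B2C session, so B2C may issue a new id_token without prompting.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            ExpireTimeSpan = TimeSpan.FromMinutes(20),
            SlidingExpiration = true
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            MetadataAddress = $"https://{TenantName}.b2clogin.com/{TenantName}.onmicrosoft.com/" +
                              $"{SignUpSignInPolicy}/v2.0/.well-known/openid-configuration",
            RedirectUri = "https://localhost:44300/",   // placeholder reply URL
            ResponseType = "id_token",
            Scope = "openid",   // no offline_access, so no refresh token, as in the question
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = n =>
                {
                    // Ask B2C for a fresh credential prompt on every challenge, so that
                    // expiry of the app cookie actually requires the user to sign in again.
                    n.ProtocolMessage.Prompt = "login";
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

With `prompt=login` the B2C SSO session still exists, so the user is re-prompted only in this app; tightening the user flow's session lifetime is what bounds the B2C-side session itself.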