Can we personalize Session Timeout for Roles in ASP.NET MVC 5

Question

The idea is to set different values of Session Timeout for different User Roles in ASP.NET MVC 5 and ASP.NET Identity.

Is it possible to do?

Answer 1

If you are trying to boot admins out sooner than regular users, here is my stub on this in Identity.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    // other stuff
    Provider = new CookieAuthenticationProvider
    {
        // this function is executed every http request and executed very early in the pipeline
        // and here you have access to cookie properties and other low-level stuff. 
        // makes sense to have the invalidation here
        OnValidateIdentity = async context =>
        {
            // invalidate user cookie if user's security stamp have changed
            var invalidateBySecirityStamp = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager));
            await invalidateBySecirityStamp.Invoke(context);

            // check if user is in admin role
            var isAdmin = context.Identity.Claims.Any(c => c.Type == ClaimTypes.Role && c.Value == "AdminRoleName");

            // check if enough time has passed to invalidate cookie
            var currentUtc = DateTimeOffset.UtcNow;
            if (context.Options != null && context.Options.SystemClock != null)
            {
                currentUtc = context.Options.SystemClock.UtcNow;
            }

            var issuedUtc = context.Properties.IssuedUtc;
            var bootThemOut = (issuedUtc == null);
            if (issuedUtc != null)
            {
                var timeElapsed = currentUtc.Subtract(issuedUtc.Value);
                bootThemOut = timeElapsed > TimeSpan.FromMinutes(3); // invalidate admin cookies in 3 minutes
            }

            if (isAdmin && bootThemOut)
            {
                context.RejectIdentity();
                context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
            }
        }
    }
});            

Answer 2

Based on their role you could set the timeout, i.e.

HttpContext.Current.Session.Timeout = 20;

Going by your previous question you want to do this dynamically. You could store and update the times themselves in session and set for each role on OnActionExecuting of a base controller.

    if (User.IsInRole("Admin"))
    {
        filterContext.HttpContext.Session.Timeout = 
(int)filterContext.HttpContext.Session["AdminTimeoutThatYouSetSomewhereElseGlobally"];
    }