Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Cookie Authentication expiring too soon in ASP.NET Core

I have a ASP.NET Core 1.1.2 project in which I am using cookie authentication. I am having a problem where users are being prompted to log back in after being idle for an hour or less, and losing work. The code below is what I'm using in the Configure function in Startup.cs to set this up and from what I can tell, it should expire after at least 8 hours. BTW, ProjectProcessFlow is just the name of the project.

  app.UseCookieAuthentication(new CookieAuthenticationOptions()
  {
    AuthenticationScheme = "ProjectProcessFlow",
    LoginPath = new PathString("/Account/Login/"),       
    ExpireTimeSpan = new TimeSpan(8, 0, 0),
    SlidingExpiration = true,
    AutomaticAuthenticate = true,
    AutomaticChallenge = true
  });

I am including Microsoft.AspNetCore.Authentication.Cookies v1.1.2 in NuGet. What do I need to do to get the login expiration to happen at the expected time?

Additional Information:

I found that when the timeout happened and the user was asked to login again, a warning was recorded in the Event Viewer on the server that it couldn't find the logs folder under the project. So I created that folder, and waited for the timeout to happen again. When that happened, a log file was created in that folder that contained this:

Hosting environment: Production
Content root path: C:\inetpub\wwwroot\Sprout
Now listening on: http://localhost:13423
Application started. Press Ctrl+C to shut down.

When I repeated this process, the same thing happened, except that a different number appeared after "localhost:". I should mention that the project name is ProjectProcessFlow, but the URL ends in Sprout.

like image 963
Rono Avatar asked Aug 09 '17 16:08

Rono


People also ask

How long should Auth cookies last?

If there's no expire it's going to be around until the browser is killed. Normally in ASP.Net the session cookies are set with a 20 minute timeout. That's usually pretty good. Depending on your app, you may want a javascript timer as well.

What is cookie authentication in .NET core?

ASP.NET Core provides a cookie authentication mechanism which on login serializes the user details in form of claims into an encrypted cookie and then sends this cookie back to the server on subsequent requests which gets validated to recreate the user object from claims and sets this user object in the HttpContext so ...

What is cookie sliding expiration?

The SlidingExpiration is set to true to instruct the handler to re-issue a new cookie with a new expiration time any time it processes a request which is more than halfway through the expiration window.


2 Answers

I know that is too late for answering this question, but for whom facing this. The IIS reset pool every 20 minutes and every 20 mins ASP.NET generate new key for protect cookie values (Authentication and Session). to prevent this, add following code to ConfigureServices in Startup class

services.AddDataProtection()
                .PersistKeysToFileSystem(new System.IO.DirectoryInfo("SOME WHERE IN STORAGE"))
                //.ProtectKeysWithCertificate(new X509Certificate2());
                .SetDefaultKeyLifetime(TimeSpan.FromDays(90));

A complete guide is here. It is all about DataProtection

like image 60
mojtaba karimi Avatar answered Oct 06 '22 00:10

mojtaba karimi


users are being prompted to log back in after being idle for an hour or less, and loosing work.

I have similar configuration, but it works fine for me.

One thing I can think of is you cannot let web server idle for 20 minutes. IIS's app pool default idle time-out is 20 minutes (I could not say for other Linux web server).

So you could either set longer app pool time-out (0 for infinity), or ping every 5 minutes from external service like Monitis.

enter image description here

like image 38
Win Avatar answered Oct 05 '22 22:10

Win