 

Cookie expiry in ASP.NET Core 2.0 with Identity

Environment: ASP.NET Core 2.0, Identity with cookies.

In Startup.ConfigureServices() there is this:

services.ConfigureApplicationCookie(options => {
  options.ExpireTimeSpan = TimeSpan.FromDays(14);
  options.Cookie.Expiration = TimeSpan.FromDays(14);
});

The first is from CookieAuthenticationOptions. The second is from CookieBuilder. The docs also mention Microsoft.AspNetCore.Http.CookieOptions.Expires (though it's not available in that lambda).

What is the difference between these? What is the correct way to set an expiry time in Core2?

grokky asked Aug 25 '17 06:08


2 Answers

The following is what I am using to set the expiry for the cookie in a test application that I use.

public class Startup
{
    ...

    // This method gets called by the runtime. Use this method to add services to the container
    public void ConfigureServices(IServiceCollection services)
    {
        // Add framework services.
        ...

        ...  // before services.AddMvc();!
        services.AddAuthentication().AddCookie(options => {
            options.Cookie.Expiration = TimeSpan.FromDays(14);
            options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
            options.Cookie.Name = "MyCookieName";
            options.LoginPath = "/Account/Login";
            options.AccessDeniedPath = "/Account/Forbidden";
        });

        // OR Perhaps, this could be what you need
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Expiration = TimeSpan.FromDays(150);
            options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
            options.Cookie.Name = "MyCookieName";
            options.LoginPath = "/Account/Login";
            options.AccessDeniedPath = "/Account/Forbidden";
        });
        ...
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        ... // before app.UseMvc();!
        app.UseAuthentication();
        // WAS -> app.UseCookieAuthentication();
        ...
    }
    ...
}

I think this should get you going in the right direction.

This works for me, and I haven't noticed any issues yet. Although, it's only been a couple of weeks since the Core 2.0 RTM. :)

Hope this helps.

R. Richards answered Oct 08 '22 17:10


This code works for me. Only the second block changes the cookie expiration.

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // Cookie settings
        options.Cookie.HttpOnly = true;
        options.Cookie.SameSite = SameSiteMode.Strict;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.LoginPath = "/Account/Login";
        options.LogoutPath = "/Account/Logout";
        options.AccessDeniedPath = "/Account/AccessDenied";
    });

services.ConfigureApplicationCookie(options =>
{
    // Cookie settings, only this changes expiration
    options.Cookie.HttpOnly = true;
    options.Cookie.Expiration = TimeSpan.FromDays(150);
    options.ExpireTimeSpan = TimeSpan.FromDays(150);
});

Sergey Ostanevich answered Oct 08 '22 16:10
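
Added example, not code from either answer or from the ASP.NET Core project: it shows how ExpireTimeSpan (the lifetime of the authentication ticket inside the cookie) interacts with the isPersistent flag at sign-in, which decides whether the browser is sent an Expires attribute at all. The class and method names (CookieLifetimeExample, ConfigureCookieLifetime, SignIn) are hypothetical; it assumes Identity has already been registered with AddIdentity.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class CookieLifetimeExample // hypothetical name
{
    // Call from Startup.ConfigureServices, after services.AddIdentity<...>().
    public static void ConfigureCookieLifetime(IServiceCollection services)
    {
        services.ConfigureApplicationCookie(options =>
        {
            // Lifetime of the authentication ticket stored inside the cookie.
            // Once it has passed, the handler rejects the ticket even if the
            // browser still presents the cookie.
            options.ExpireTimeSpan = TimeSpan.FromDays(14);

            // Re-issue the cookie with a fresh lifetime when a request arrives
            // more than halfway through the window above.
            options.SlidingExpiration = true;

            // Transport and script-access restrictions on the cookie itself.
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
        });
    }

    // rememberMe == false: a session cookie with no Expires attribute; the
    //   browser drops it on close, and the ticket still expires server-side.
    // rememberMe == true: the cookie's Expires attribute is set from the
    //   ticket expiry, so the sign-in survives a browser restart.
    public static Task<SignInResult> SignIn<TUser>(
        SignInManager<TUser> signInManager,
        string userName,
        string password,
        bool rememberMe) where TUser : class
    {
        return signInManager.PasswordSignInAsync(
            userName, password, isPersistent: rememberMe, lockoutOnFailure: true);
    }
}
```

To check the result, sign in with and without the persistent flag and compare the Set-Cookie response header: the Expires attribute should appear only on the persistent sign-in.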