
Cookie.ExpireTimeSpan ignored and set to Session in CookieAuthentication

I'm having an issue while trying to set the expire time of a cookie in my CookieAuthentication. It seems that ExpireTimeSpan is just ignored, and when I get the cookie in the browser its expire time is set to Session.

I'm using C# 8.0 with .NET Core 3.1, and here is my ConfigureServices code:

    public void ConfigureServices(IServiceCollection services)
    {

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options => {
            options.Cookie.Name = "authToken";
            options.ExpireTimeSpan = TimeSpan.FromMinutes(120);
            options.Events = new CookieAuthenticationEvents()
            {
                OnRedirectToLogin = (context) =>
                {
                    context.HttpContext.Response.Redirect("https://example.com/test/expired.html");
                    return Task.CompletedTask;
                }
            };
        });
        services.AddControllers();
    }

But that's how I get it.

NiceToMytyuk asked May 28 '20 10:05



2 Answers

options.ExpireTimeSpan = TimeSpan.FromMinutes(120); instructs how long the authentication ticket itself is valid.

Controls how much time the authentication ticket stored in the cookie will remain valid from the point it is created. The expiration information is stored in the protected cookie ticket. Because of that an expired cookie will be ignored even if it is passed to the server after the browser should have purged it.

This is separate from the value of , which specifies how long the browser will keep the cookie.

Docs

You want to control cookie expiration using the Expiration property on the Cookie property.

    public void ConfigureServices(IServiceCollection services)
    {

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options => {
            options.Cookie.Name = "authToken";
            // control cookie expiration
            options.Cookie.Expiration = TimeSpan.FromMinutes(120);
            options.ExpireTimeSpan = TimeSpan.FromMinutes(120);
            options.Events = new CookieAuthenticationEvents()
            {
                OnRedirectToLogin = (context) =>
                {
                    context.HttpContext.Response.Redirect("https://example.com/test/expired.html");
                    return Task.CompletedTask;
                }
            };
        });
        services.AddControllers();
    }

Alternatively, you can set the MaxAge property too.

dropoutcoder answered Oct 11 '22 16:10
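
A way to confirm what the browser will do with the authentication cookie, added here as an example and not code from the question or either answer: it reads a Set-Cookie header value and reports whether the cookie is a session cookie or a persistent one, independently of the ticket lifetime the server enforces. The names `SetCookieInspector` and `BrowserLifetime` and the sample headers are constructed for illustration.

```csharp
using System;
using System.Globalization;
using System.Linq;

// Added example: classifies a Set-Cookie header value by the lifetime a browser gives it.
public static class SetCookieInspector
{
    // Returns null for a session cookie, otherwise how long the browser keeps the cookie.
    public static TimeSpan? BrowserLifetime(string setCookie, DateTimeOffset now)
    {
        TimeSpan? fromExpires = null;
        // Skip the first segment: it is name=value, not an attribute.
        foreach (var part in setCookie.Split(';').Skip(1))
        {
            var kv = part.Split(new[] { '=' }, 2);
            var key = kv[0].Trim();
            var value = kv.Length == 2 ? kv[1].Trim() : "";

            // Max-Age takes precedence over Expires when both are present.
            if (key.Equals("max-age", StringComparison.OrdinalIgnoreCase) &&
                long.TryParse(value, NumberStyles.AllowLeadingSign,
                    CultureInfo.InvariantCulture, out var seconds))
                return TimeSpan.FromSeconds(Math.Max(seconds, 0));

            // "r" is the RFC 1123 date format (e.g. Thu, 28 May 2020 12:00:00 GMT).
            if (key.Equals("expires", StringComparison.OrdinalIgnoreCase) &&
                DateTimeOffset.TryParseExact(value, "r", CultureInfo.InvariantCulture,
                    DateTimeStyles.AssumeUniversal, out var when))
                fromExpires = when > now ? when - now : TimeSpan.Zero;
        }
        return fromExpires; // null when neither attribute was present
    }

    public static void Main()
    {
        // Fixed "now" so the constructed samples give stable results.
        var now = new DateTimeOffset(2020, 5, 28, 10, 0, 0, TimeSpan.Zero);
        // Constructed sample headers; the cookie values are placeholders.
        var samples = new[]
        {
            "authToken=PLACEHOLDER; path=/; secure; samesite=lax; httponly",
            "authToken=PLACEHOLDER; expires=Thu, 28 May 2020 12:00:00 GMT; path=/; httponly",
            "authToken=PLACEHOLDER; max-age=600; expires=Thu, 28 May 2020 12:00:00 GMT; path=/",
        };
        foreach (var header in samples)
        {
            var life = BrowserLifetime(header, now);
            Console.WriteLine(life is null ? "session cookie" : $"persistent, {life.Value.TotalMinutes} min");
        }
    }
}
```

The first sample has neither `expires` nor `max-age`, which is the case the browser displays as "Session".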


I have an application in .NET Core 3.1; my ConfigureServices looks like this:

    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        //options.Cookie = new CookieBuilder() { Name = "EcomAuth" };
        options.LoginPath = "/Account/Login/";
        options.AccessDeniedPath = "/Account/AccessDenied";
        options.LogoutPath = "/Account/Logout";
        options.ExpireTimeSpan = TimeSpan.FromMinutes(120);
    });

Because of some bug, when I set the cookie name the code stops working, so this line is commented out. This is my login action:

    List<Claim> claims = new List<Claim>
    {
        new Claim(ClaimTypes.Name, user.Name, ClaimValueTypes.String),
        new Claim(ClaimTypes.Role, userType.Name, ClaimValueTypes.String),
        new Claim("Idusuario", user.IdUser.ToString(), ClaimValueTypes.String),
    };

    ClaimsIdentity identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);

    var authProperties = new AuthenticationProperties
    {
        AllowRefresh = true,
        ExpiresUtc = DateTime.UtcNow.AddMinutes(120),
        IsPersistent = true,
        RedirectUri = "https://localhost:44318/Account/Logout"
    };

    await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity), authProperties);

It's working fine for me.

Wiliam Paulino answered Oct 11 '22 18:10