 

IdentityServer4 how to set server cookie expiration

So far I've seen how to set expiration for the client webapp's cookie (thank you v0id): IdentityServer4 cookie expiration

There are actually two cookies used by IdentityServer4 - the client cookie and server cookie ("idsrv").

If I set the client cookie expiration as given here: IdentityServer4 cookie expiration then when I close the browser and go back to a client webapp page where I need to be authorized, I get access denied because the browser session no longer has the server cookie.

So I need a way to set the "idsrv" cookie expiration to be the same as the client.

Currently, the best way I see to set the server cookie (it is being ignored or dropped somehow) is the following code block in the IdentityServer4 host Startup.cs / ConfigureServices() method:

services.AddIdentityServer(options =>
{
    // Lifetime and sliding behaviour for the IdentityServer "idsrv" cookie
    options.Authentication.CookieLifetime = new TimeSpan(365, 0, 0, 0);
    options.Authentication.CookieSlidingExpiration = true;
})

That should set the cookie's expiration to one year later. However, in Chrome developer tools under the Application tab, Cookies, I see that it still has an expired default expiration date in 1969.

I downloaded the IdentityServer4 project source, removed the nuget package, and added the source project to my solution so I could debug through it.

I see that it gets the expiration I gave it in the ConfigureInternalCookieOptions.cs / Configure() method. It's matching the DefaultCookieAuthenticationScheme inside as well / applying the properties. I haven't found anything specific to IdentityServer that would ignore the expiration date I've set, but it still has the 1969 expiration.

Edit: I've attempted to set the cookie persistent in the IdentityServer host's AccountController as follows (interestingly enough, Microsoft has a good article on using AuthenticationProperties without ASP.NET Identity here: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?tabs=aspnetcore2x - it is sending information in a cookie, and "scheme" is just the cookie name). In ExternalLoginCallback():

if (id_token != null)
{
    // Mark the sign-in persistent and give it an explicit expiry
    props = new AuthenticationProperties();
    props.ExpiresUtc = DateTimeOffset.UtcNow.Add(AccountOptions.RememberMeLoginDuration);
    props.IsPersistent = true;
    props.StoreTokens(new[] { new AuthenticationToken { Name = "id_token", Value = id_token } });
}

None of the server side cookies have their expiration set (the AccountOptions RememberMeLoginDuration is also set to 365 days). Both "idsrv" and "idsrv.session" still have a 1969 expiration.

JakeJ asked Mar 19 '18 15:03

People also ask

How do I set cookie expiry time?

You can extend the life of a cookie beyond the current browser session by setting an expiration date and saving the expiry date within the cookie. This can be done by setting the 'expires' attribute to a date and time.

How do I set cookies to expire at end of session?

To set a cookie so it expires at the end of the browsing session, simply omit the expiration parameter altogether.

What is Idsrv session cookie?

In addition to the authentication cookie, IdentityServer will issue an additional cookie which defaults to the name "idsrv.session". This cookie is derived from the main authentication cookie, and is used for the check session endpoint for browser-based JavaScript clients at signout time.

What happens if a cookie has no Expires or Max-Age (a session cookie)?

Cookies without an Expires or Max-Age attribute are treated as session cookies, which means they are removed once the browser is closed. Setting a value on either Expires or Max-Age makes them persistent cookies, since they will exist until they hit their expiry date.


1 Answer

You can configure Identity Server's authentication cookie lifetime when you register Identity Server in your Startup.cs, like this:

services.AddIdentityServer(options =>
{
    options.Authentication.CookieLifetime = TimeSpan.FromHours(10);
})

Note: you also need to indicate that the cookie should be persistent when logging the user in. If you're using the Quickstart UI, then you have to tick the "Remember me" checkbox on the login screen to get a persistent cookie. Or you can modify the code to always issue a persistent cookie - something like this:

await HttpContext.SignInAsync(subject, name, new AuthenticationProperties { IsPersistent = true });

Peter answered Sep 19 '22 20:09
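Putting the answer's two halves together, as an added example that is not code from the question, the answer, or the IdentityServer4 project: the host-wide lifetime goes in Startup.cs, and the login action must mark the sign-in persistent or the "idsrv" cookie is emitted without an Expires attribute (a session cookie, whatever CookieLifetime says). It assumes IdentityServer4 2.x with the Quickstart's TestUserStore; the controller, its parameters and the redirect target are hypothetical placeholders.

```csharp
// Added example, not from the page or from IdentityServer4 itself.
// Assumes IdentityServer4 2.x (HttpContext.SignInAsync(subject, name, props) extension)
// and the Quickstart TestUserStore registered via AddTestUsers(...).
using System;
using System.Threading.Tasks;
using IdentityServer4.Test;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        services.AddIdentityServer(options =>
        {
            // Applied to the "idsrv" cookie only when the sign-in is persistent.
            // Pick a value you would accept for a stolen laptop; 365 days with
            // sliding renewal means an active user effectively never re-authenticates.
            options.Authentication.CookieLifetime = TimeSpan.FromDays(14);
            // Reissue the cookie on requests past the halfway point of its lifetime.
            options.Authentication.CookieSlidingExpiration = true;
        })
        .AddDeveloperSigningCredential()          // development only
        .AddTestUsers(TestUsers.Users);           // hypothetical Quickstart user list
    }
}

public class AccountController : Controller
{
    private readonly TestUserStore _users;

    public AccountController(TestUserStore users)
    {
        _users = users;
    }

    // Hypothetical login action; "rememberLogin" is the "Remember me" checkbox.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string username, string password, bool rememberLogin)
    {
        if (!_users.ValidateCredentials(username, password))
        {
            return Unauthorized();   // keep the failure path uninformative
        }

        var user = _users.FindByUsername(username);

        AuthenticationProperties props = null;
        if (rememberLogin)
        {
            props = new AuthenticationProperties
            {
                // Without IsPersistent the cookie gets no Expires attribute,
                // regardless of CookieLifetime in Startup.
                IsPersistent = true,
                // Optional per-login override of the host-wide CookieLifetime;
                // leave unset to inherit the value configured above.
                ExpiresUtc = DateTimeOffset.UtcNow.AddDays(14)
            };
        }

        // IdentityServer4 2.x extension: signs in against the "idsrv" scheme with
        // the "sub" and "name" claims. props == null yields a session cookie.
        await HttpContext.SignInAsync(user.SubjectId, user.Username, props);

        return Redirect("/");
    }
}
```

The client application's own cookie lifetime should be no longer than the one configured here: if the client cookie outlives the "idsrv" cookie, the user stays signed in to the client while every trip back to IdentityServer (silent renew, prompt=none, a second client) is treated as a fresh login, which is exactly the access-denied symptom the question describes. The expiry is also enforced from the ticket inside the cookie, not from the browser honouring the Expires attribute, so a replayed cookie is still rejected once its server-side lifetime has passed.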