IdentityServer4 how to set server cookie expiration

Question

So far I've seen how to set expiration for the client webapp's cookie (thank you v0id): IdentityServer4 cookie expiration

There are actually two cookies used by IdentityServer4 - the client cookie and server cookie ("idsrv").

If I set the client cookie expiration as given here: IdentityServer4 cookie expiration then when I close the browser and go back to a client webapp page where I need to be authorized, I get access denied because the browser session no longer has the server cookie.

So I need a way to set the "idsrv" cookie expiration to be the same as the client.

Currently, the best way I see to set the server cookie (it is being ignored or dropped somehow) is the following code block in the IdentityServer4 host Startup.cs / ConfigureServices() method:

services.AddIdentityServer(options =>
            {
                options.Authentication.CookieLifetime = new TimeSpan(365, 0, 0, 0);
                options.Authentication.CookieSlidingExpiration = true;
            })

That should set the cookie's expiration to one year later. However, in Chrome developer tools under the Application tab, cookies, I see that it still has an expired expiration default date in 1969.

I downloaded the IdentityServer4 project source, removed the nuget package, and added the source project to my solution so I could debug through it.

I see that it gets the expiration I gave it in the ConfigureInternalCookieOptions.cs / Configure() method. It's matching the DefaultCookieAuthenticationScheme inside as well / applying the properties. I haven't found anything specific to IdentityServer that would ignore the expiration date I've set, but it still has the 1969 expiration.

Edit: I've attempted to set the cookie persistent in the IdentityServer host's AccountController as follows (interestingly enough, Microsoft has a good article around using authenticationproperties without using AspNet Identity here: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?tabs=aspnetcore2x - it is sending information in a cookie, "scheme" is just the cookie name): In the ExternalLoginCallback():

if (id_token != null)
        {
            props = new AuthenticationProperties();
            props.ExpiresUtc = DateTimeOffset.UtcNow.Add(AccountOptions.RememberMeLoginDuration);
            props.IsPersistent = true;
            props.StoreTokens(new[] { new AuthenticationToken { Name = "id_token", Value = id_token } });
        }

None of the server side cookies have their expiration set (the AccountOptions RememberMeLoginDuration is also set to 365 days). Both "idsrv" and "idsrv.session" still have a 1969 expiration.

Answer 1

You can configure Identity Server's authentication cookie lifetime when you register Identity Server in your Startup.cs, like this:

services.AddIdentityServer(options =>
{
    options.Authentication.CookieLifetime = TimeSpan.FromHours(10);
})

Note: you also need to indicate that the cookie should be persistent when logging the user in. If you're using the Quickstart UI, then you have to tick the "Remember me" checkbox on the login screen to get a persistent cookie. Or you can modify the code to always issue a persistent cookie - something like this:

HttpContext.SignInAsync(subject, name, new AuthenticationProperties{ IsPersistent = true});