
What is the default session expiry in .NET Core 2.x?

In my startup class, I am enabling session storage with this line:

        services.AddDistributedMemoryCache()
            .AddSession(options =>
            {
                options.IdleTimeout = TimeSpan.FromMinutes(20);
                options.Cookie.HttpOnly = true;
            });

However, if I understand this correctly, setting the IdleTimeout property simply states that the session will begin anew if the user does not complete any actions for > 20 minutes. My app has polling which uses user information in the session storage every 5-10 seconds, so I don't think this would ever be of use here. User permissions and roles can change from actions made outside of the current user's browser, so I would like to limit the session storage to 1 minute. I can't seem to find any exact verbiage on what the default expiration is or how to properly set that.

The CookieBuilder class has Expiration and MaxAge options, but I don't know which one is necessary. I've also read that Expiration is ignored, so that adds even more to my confusion in this subject.

Update: I receive this message when I try to set the expiration: "Expiration cannot be set for the cookie defined by SessionOption", so I've set MaxAge to 1 minute, yet I can see that the session still has old user data in it after more than 1 minute has passed.

asked May 01 '19 16:05

Dinerdo



1 Answer

Session does not have an 'expiration' like cookies do, but the default Idle Timeout is 20 minutes, and can be adjusted using the IdleTimeout option.

Session only expires after the idle timeout period has elapsed. Additionally, the idle timeout starts after the last request is received.

For your case, the session will not expire because you poll every 5 - 10 seconds (checking the session data). This polling is seen as a 'request' to .NET Core, and resets the timeout.

You can verify this by disabling the polling, and creating a page with a button that checks the session data. Wait for a period of time (e.g., 20 seconds), and click the button.

Make sure that you set the Idle Timeout to a low value:

        options.IdleTimeout = TimeSpan.FromSeconds(10);

Here is a link to the Documentation on Session.

answered Oct 24 '22 12:10

Tony Abrams
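
Added example (not from the question or the answer, and not an ASP.NET Core API): because each poll resets IdleTimeout, one way to cap how long cached roles or permissions stay in the session is to store a write timestamp beside the value and reload it once it is older than a fixed age. The names `SessionFreshness`, `GetOrRefresh`, the `.writtenAt` key suffix and the `loadFromStore` callback are assumptions made for illustration.

```csharp
using System;
using System.Globalization;
using Microsoft.AspNetCore.Http;

// Hypothetical helper: gives one session entry an absolute maximum age that
// does not slide with requests, unlike SessionOptions.IdleTimeout.
public static class SessionFreshness
{
    // Usage inside a controller (LoadRoles is a hypothetical lookup against the user store):
    //   var roles = HttpContext.Session.GetOrRefresh(
    //       "roles", TimeSpan.FromMinutes(1), () => LoadRoles(userId));
    public static string GetOrRefresh(this ISession session, string key,
        TimeSpan maxAge, Func<string> loadFromStore, DateTimeOffset? now = null)
    {
        var current = now ?? DateTimeOffset.UtcNow;
        var stampKey = key + ".writtenAt";
        var cached = session.GetString(key);
        var stamp = session.GetString(stampKey);

        if (cached != null && long.TryParse(stamp, NumberStyles.None,
                CultureInfo.InvariantCulture, out var writtenAt))
        {
            var age = current - DateTimeOffset.FromUnixTimeSeconds(writtenAt);
            // A stamp in the future (clock change) is treated as expired.
            if (age >= TimeSpan.Zero && age < maxAge)
                return cached;
        }

        // Missing, unparseable or expired: drop both keys first so that a
        // failing reload cannot leave the stale value in the session.
        session.Remove(key);
        session.Remove(stampKey);

        var fresh = loadFromStore();
        if (fresh == null) return null; // nothing to cache; SetString rejects null
        session.SetString(key, fresh);
        session.SetString(stampKey,
            current.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture));
        return fresh;
    }
}
```

The optional `now` parameter exists so the expiry logic can be exercised in a unit test with a fixed clock.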