44

In my ASP.NET Core MVC app the lifetime of the authentication cookie is set to 'Session', so it lasts until I close the browser. I use the default authentication scheme for MVC:

app.UseIdentity();

How can I extend the lifetime of the cookie?

user1620696
  • 10,825
  • 13
  • 60
  • 81
severin
  • 5,203
  • 9
  • 35
  • 48

6 Answers6

50

The ASP.NET Identity middleware which you are using is a wraper around some calls to UseCookieAuthentication which includes the Cookie Authentication middleware on the pipeline. This can be seen on the source code for the builder extensions of the Identity middleware here on GitHub. In that case the options needed to configure how the underlying Cookie Authentication should work are encapsulated on the IdentityOptions and configured when setting up dependency injection.

Indeed, looking at the source code I linked to you can see that the following is run when you call app.UseIdentity():

var options = app.ApplicationServices.GetRequiredService<IOptions<IdentityOptions>>().Value;
app.UseCookieAuthentication(options.Cookies.ExternalCookie);
app.UseCookieAuthentication(options.Cookies.TwoFactorRememberMeCookie);
app.UseCookieAuthentication(options.Cookies.TwoFactorUserIdCookie);
app.UseCookieAuthentication(options.Cookies.ApplicationCookie);
return app;

To setup the IdentityOptions class, the AddIdentity<TUser, TRole> method has one overloaded version which allows to configure the options with one lambda. Thus you just have to pass in a lambda to configure the options. In that case you just access the Cookies properties of the options class and configure the ApplicationCookie as desired. To change the time span you do something like

services.AddIdentity<ApplicationUser, IdentityRole>(options => {

    options.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromHours(1);

});

EDIT: The ExpireTimeSpan property is only used if when calling HttpContext.Authentication.SignInAsync we pass in an instance of AuthenticationProperties with IsPersistent set to true.

Trying out just with the Cookie Authentication Middleware it turns out that this works: if we just sign in without this option, we get a cookie that lasts for the session, if we send this together we get a cookie which lasts what we setup when configuring the middleware.

With ASP.NET Identity the way to do is pass the parameter isPersistent of the PasswordSignInAsync with value true. This ends up being a call to SignInAsync of the HttpContext passing in the AuthenticationProperties with the IsPersistent set to true. The call ends up being something like:

var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, lockoutOnFailure: false);

Where the RememberMe is what configures if we are setting IsPersistent to true or false.

user1620696
  • 10,825
  • 13
  • 60
  • 81
  • Thanks, using this I am able to change the name of the cookie using this approach, but even if I set ExpireTimeSpan the lifetime of the auth cookie is set to 'Session'. Any idea why? This is my Startup.cs: https://github.com/severisv/MyTeam/blob/master/src/MyTeam/Startup.cs I tried disabling Facebook-auth. I am not using https. – severin Jan 25 '16 at 16:37
  • 1
    @fiskeboss I added an edit about what I found out concerning this matter. – user1620696 Jan 25 '16 at 17:17
  • I'm on Core RC1 and it does not seem to work. The PasswordSignInAsync works but does not send an auth cookie in the response – Jay Byford-Rew Jun 09 '16 at 09:54
  • 'IsPersistent' was really helpful ;) – Søren Jun 14 '16 at 13:51
  • @user1620696 the 'async' part in SignInAsync matters? Because I'm using SignIn – ninbit Oct 05 '20 at 21:08
  • @user1620696 Sorry to say this in comment but i set IsPersistent=false so when user close the browser next time user will should be logout but still after user open the browser the cookie exists and user still login. Any idea how can i do that? – Ali Poustdouzan Sep 02 '21 at 15:45
29

There's an answer for version 2.0 but it didn't work for me. I had to do:

services.ConfigureApplicationCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromDays(30);
});

The default value is 14 days.

cheesemacfly
  • 11,622
  • 11
  • 53
  • 72
  • 2
    And it still doesn't work, it sets the expires attribute of the cookie but sets the Expires header to 1/1/1970. – Scott Wilson Feb 10 '21 at 18:52
  • Checked that in net core 5 default expiration period is 14 days. Expires header in response servers mostly for caching it in browser so it doesn't concern cookie. – alanextar Jul 29 '21 at 05:29
15

In ASP.NET Core 2.0 use ExpireTimeSpan property instead of Cookie.Expiration.

services.ConfigureApplicationCookie(options =>
{   
    options.Cookie.Name = "CookieName";         
    options.ExpireTimeSpan = TimeSpan.FromHours(24);
    options.SlidingExpiration = true;               
});

From docs:

Cookie.Expiration: Gets or sets the lifespan of a cookie. Currently, this option no-ops and will become obsolete in ASP.NET Core 2.1+. Use the ExpireTimeSpan option to set cookie expiration.

BorisSh
  • 531
  • 4
  • 3
  • 4
    This isn't true anymore. Here's the excerpt from the docs with regards to v2.1 `ExpireTimeSpan`: The TimeSpan after which the authentication ticket stored inside the cookie expires. ExpireTimeSpan is added to the current time to create the expiration time for the ticket. The ExpiredTimeSpan value always goes into the encrypted AuthTicket verified by the server. It may also go into the Set-Cookie header, but only if IsPersistent is set. To set IsPersistent to true, configure the AuthenticationProperties passed to SignInAsync. The default value of ExpireTimeSpan is 14 days. – Igor Soloydenko Jul 12 '18 at 04:53
  • Source: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?tabs=aspnetcore2x&view=aspnetcore-2.1 – Igor Soloydenko Jul 12 '18 at 04:53
13

For ASP.NET Core 2.0 

  services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Name = "CookieName";
            options.Cookie.Expiration = TimeSpan.FromDays(2);
        });
Ahmed Al Jabry
  • 1,367
  • 13
  • 9
  • 2
    I also put `options.ExpireTimeSpan = TimeSpan.FromDays(2);` - one of them will be right even if MS keeps changing its mind how to do it. – gbjbaanb Nov 04 '18 at 19:44
  • @gbjbaanb `options.ExpireTimeSpan` is application value stored (and protected) inside the cookie, which browser or attacker won't have access to; whereas `options.Cookie.Expiration` is a timespan that will be communicated to the browser. Both timestamps usually have to be aligned in order to avoid unexpected expiration. – timmi4sa Jan 11 '21 at 20:07
  • @timmi4sa: It's not that simple. On newer versions of .Net Core, `options.Cookie.Expiration` actually triggers a configuration exception, warning that it should not be used. – Brian Feb 23 '21 at 20:08
2

Try

app.UseIdentity().UseCookieAuthentication(
    new CookieAuthenticationOptions
    {
        ExpireTimeSpan = TimeSpan.FromHours(1)
    }
);
Damien Dennehy
  • 3,937
  • 2
  • 19
  • 21
1

For some reason I had the issue when using SignInAsync([..], true) the cookie was never be shown in browser (and properly the login failed):

So, I tried adding the UTC timezone difference into the TimeSpan of ExpireTimeSpan

services.AddIdentity<ApplicationUser, IdentityRole>(o =>
{
    // add TimeSpan with 5 minutes plus timezone difference from Utc time
    o.Cookies.ApplicationCookie.ExpireTimeSpan = DateTime.Now.Subtract(DateTime.UtcNow).Add( TimeSpan.FromMinutes(5) );

});

Voila! It worked and the cookie is shown with +5min expiration only in browser.

PingBack to github.com https://github.com/aspnet/Identity/issues/766#issuecomment-253237576

Ole K
  • 754
  • 1
  • 9
  • 32
  • Where do ApplicationUser and IdentityRole come from? – jjxtra Feb 27 '19 at 17:33
  • Guess I followed the instruction from here: https://learn.microsoft.com/de-de/aspnet/core/migration/identity?view=aspnetcore-2.2. Most of it is inherited from IdentityUser – Ole K Feb 27 '19 at 17:46