
I'm new to ASP.NET MVC 5 and would like my site to be able to:

  • expire the current session and force a log on after m minutes of inactivity
  • oblige the user to enter a new password after d days

where m and d are user-specific values stored in the DB

Re session expiration: I'm not sure whether to try to custom-expire the auth cookie or the session cookie or both? It appears that the OWIN/ASP.NET Identity 2.2.1 mechanism only allows for a generic setting for the auth cookie expiration inside `ConfigureAuth(IAppBuilder app)`, thus:

```csharp
public void ConfigureAuth(IAppBuilder app)
{
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        ExpireTimeSpan = // ...some expiration value here
        //...other options
    });
}
```

Is there some alternative entry point where I could set a custom value for the current user's auth cookie expiration during authentication? In the old ASP.NET web forms application that this site is replacing it was easy to replace the auth cookie with a custom expiration value after logon, but this does not appear to be accessible in the same way under ASP.NET Identity 2.2.1?

Re forced password renewal: I've seen various filter solutions: one here based on extending the AuthorizeAttribute and overriding the OnAuthorization() method. Another here which extends the ActionFilterAttribute and calls the OnActionExecuting() method. Both look like they would do the job but would be called (presumably?) for every request or every action respectively - which seems like overkill as I only need to check for password expiry once per session?

I'm not sure of best practice here so I'd be grateful for some pointers please.

Bob Osola
Have you checked this [related question](https://stackoverflow.com/questions/29039537/how-to-setup-password-expiration-using-asp-net-identity-framework/29042692) out? – bounav May 25 '17 at 09:43

0 Answers
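One way to give each user their own inactivity window with the OWIN cookie middleware, shown as an added example that is not code from the question or from the Identity project templates: the `OnResponseSignIn` callback of `CookieAuthenticationProvider` runs just before the ticket is written and can overwrite its `ExpiresUtc`. The claim type `app:idle_minutes`, the fallback and upper-bound values, and the `/Account/Login` path are assumptions; the application would add the claim from the user's DB row when it builds the identity at sign-in.

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // Hypothetical claim type carrying the user's "m" value from the DB.
    private const string IdleMinutesClaim = "app:idle_minutes";
    private static readonly TimeSpan DefaultIdle = TimeSpan.FromMinutes(20); // assumed fallback
    private static readonly TimeSpan MaxIdle = TimeSpan.FromHours(8);        // assumed upper bound

    // Resolve the idle window; missing, malformed or non-positive values fall
    // back to the default so a bad DB value cannot yield an unbounded session.
    internal static TimeSpan IdleWindowFor(ClaimsIdentity identity)
    {
        int minutes;
        var claim = identity == null ? null : identity.FindFirst(IdleMinutesClaim);
        if (claim == null || !int.TryParse(claim.Value, out minutes) || minutes <= 0)
            return DefaultIdle;
        var window = TimeSpan.FromMinutes(minutes);
        return window > MaxIdle ? MaxIdle : window;
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        // CreatePerOwinContext registrations from the question are omitted here.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"), // assumed login route
            ExpireTimeSpan = DefaultIdle,  // used only if the callback sets nothing
            SlidingExpiration = true,      // activity extends the ticket
            Provider = new CookieAuthenticationProvider
            {
                // Replace the global expiry with the per-user one at sign-in.
                OnResponseSignIn = context =>
                {
                    var issued = context.Properties.IssuedUtc ?? DateTimeOffset.UtcNow;
                    context.Properties.ExpiresUtc = issued.Add(IdleWindowFor(context.Identity));
                }
            }
        });
    }
}
```

With `SlidingExpiration` enabled the middleware reissues the cookie only on a request that arrives more than halfway through the window, so the effective inactivity timeout lies between m/2 and m minutes rather than exactly m.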