5

I have a weird issue happening with RC2.

I have set up Identity 3 ExpireTimeSpan to 12 hours using the following configuration option:

options.Cookies.ApplicationCookie.ExpireTimeSpan = new TimeSpan(12,0,0);

After logging in to the website and leaving it untouched for ~35-40 minutes, I get a 401 error (for my ajax post calls) and, on refreshing the website, I get back to the login page.

Why do I have to reauthenticate when I have set up the ExpireTimeSpan to 12 hours?

Is there another setting or configuration that I need?

Also,

How can I get the time left before the expiry occurs? I would like to access that information so I could warn my users that their session will expire after X time.

Thanks!

DOMZE

1 Answer

8

I found the problem

The problem lies with the SecurityStamp mechanism. By default, every 30 minutes, the security stamp is validated. This is mostly due to the fact that sign in everywhere is an option. The security stamp is usually updated in Identity when the user changes their password, for instance. This will make all the locations where the user has signed on (except the one where he changed his password) sign out after 30 minutes because the stamp (usually a GUID) has changed.

To implement this functionality, implement the ISecurityStampStore<T> interface in your UserStore and implement the GetSecurityStampAsync(User user, CancellationToken cancellationToken) method.

For more info you can check the security stamp validator code and the reason why it signs you out after 30 minutes:

https://github.com/aspnet/Identity/blob/dev/src/Microsoft.AspNetCore.Identity/SecurityStampValidator.cs

Note: The options.SecurityStampValidationInterval can be set to increase the time check, but it doesn't resolve the problem. After X time, you will still be signed out.

DOMZE
  • So there is no rolling expiration or anything like that? That sucks! I think this is what I need also. My cookie is timing out at 30 minutes, even though my session continues to stay validated... – ganders Dec 30 '16 at 14:06
  • Can you post your code as it sits in your project. I still can't get mine working even incorporating the changes that you mentioned. Startup.cs file, etc – ganders Mar 30 '17 at 17:52
  • Are you using a DB as a backend? Active Directory? It all depends on your environment! If you can do a fiddler or something where we can see the code, it would be helpful! – DOMZE Mar 31 '17 at 17:39
  • Yes, DB backend, all hosted on Azure. I'll try it again tonight and get back to you. – ganders Mar 31 '17 at 17:42
  • did you ever find a solution for this in regards to it being fixed in .net? cheers. – dreza Sep 20 '17 at 23:42
  • @dreza what do you mean? – DOMZE Sep 21 '17 at 18:20
  • @DOMZE Just seems strange that the validator would sign you out even if you hadn't done anything. So was wondering if you knew if this was by design or a bug etc? – dreza Sep 24 '17 at 23:57
  • @dreza it won't sign you out if you validate the security stamp. If the stamp hasn't changed, it won't signout. If it did change, it will – DOMZE Sep 25 '17 at 13:21
  • @DOMZE oh ok, I'm getting signed out and it appears to be because of this. I thought that is what you said in your NOTE comment in your question? "After X time, you will still be signed out." – dreza Sep 25 '17 at 21:35
  • @dreza ya if you don't validate the timestamp is what it meant ;-) – DOMZE Sep 26 '17 at 13:45
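
A custom user store that exposes the security stamp, as the answer describes. This is an added example, not code from the original post or from the Identity project. In ASP.NET Core Identity the interface is declared as `IUserSecurityStampStore<TUser>`; `AppUser` and `InMemoryUserStore` are hypothetical names, and the in-memory dictionary stands in for a real database.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical user type; a real one persists SecurityStamp with the user record.
public class AppUser
{
    public string Id { get; set; } = Guid.NewGuid().ToString();
    public string UserName { get; set; }
    public string NormalizedUserName { get; set; }
    public string SecurityStamp { get; set; }
}

// Hypothetical store; the dictionary is a stand-in for a database (assumption).
public class InMemoryUserStore : IUserSecurityStampStore<AppUser>
{
    private readonly ConcurrentDictionary<string, AppUser> _users = new ConcurrentDictionary<string, AppUser>();

    // Identity reads the stored stamp through this method when the validation
    // interval elapses and compares it with the stamp carried in the cookie.
    public Task<string> GetSecurityStampAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.SecurityStamp);

    // UserManager.UpdateSecurityStampAsync (e.g. after a password change) writes a
    // new stamp here, which makes cookies issued with the old stamp fail validation.
    public Task SetSecurityStampAsync(AppUser user, string stamp, CancellationToken ct) { user.SecurityStamp = stamp; return Task.CompletedTask; }

    // Remaining IUserStore<AppUser> members required by the interface.
    public Task<string> GetUserIdAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.Id);
    public Task<string> GetUserNameAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.UserName);
    public Task SetUserNameAsync(AppUser user, string userName, CancellationToken ct) { user.UserName = userName; return Task.CompletedTask; }
    public Task<string> GetNormalizedUserNameAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.NormalizedUserName);
    public Task SetNormalizedUserNameAsync(AppUser user, string normalizedName, CancellationToken ct) { user.NormalizedUserName = normalizedName; return Task.CompletedTask; }
    public Task<IdentityResult> CreateAsync(AppUser user, CancellationToken ct) { _users[user.Id] = user; return Task.FromResult(IdentityResult.Success); }
    public Task<IdentityResult> UpdateAsync(AppUser user, CancellationToken ct) { _users[user.Id] = user; return Task.FromResult(IdentityResult.Success); }
    public Task<IdentityResult> DeleteAsync(AppUser user, CancellationToken ct) { AppUser removed; _users.TryRemove(user.Id, out removed); return Task.FromResult(IdentityResult.Success); }
    public Task<AppUser> FindByIdAsync(string userId, CancellationToken ct) { AppUser u; _users.TryGetValue(userId, out u); return Task.FromResult(u); }
    public Task<AppUser> FindByNameAsync(string normalizedUserName, CancellationToken ct) => Task.FromResult(_users.Values.FirstOrDefault(u => u.NormalizedUserName == normalizedUserName));
    public void Dispose() { }
}
```

Register the store with `AddUserStore<InMemoryUserStore>()` on the Identity builder so that `UserManager` resolves it.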