
I'm securing a web app with IdentityServer3. My app is split into 2 OIDC clients: an ASP.NET MVC client and a JavaScript (Angular) client which uses the oidc-client JavaScript library.

When a user first visits the web app we redirect for log in to IdentityServer, which logs in the MVC client. The JavaScript client is then logged in using the silent login feature from the oidc-client library.

I would like to control how often the user has to visit the logon page to sign in again and I would like to set this so that users have to visit the logon page either once a day or every 8 hours.

Is there a setting in IdentityServer that controls how long the user session is active without having to sign in again?

I have searched the docs and found a number of Lifetime settings, but it's not clear which of these I should be using, and so far trial & error hasn't yielded any results.

Twisted

1 Answer


What you are looking to control is the lifetime of the cookie IdentityServer itself issues. Once this cookie expires, the next time one of the client applications needs to authenticate again, the user will need to re-enter their credentials.

This cookie lifetime is controlled in the `CookieOptions` found in the `AuthenticationOptions` of the `IdentityServerOptions` (see below) and defaults to 10 hours.

```csharp
var options = new IdentityServerOptions
{
    Factory = factory,
    SigningCertificate = Cert.Load(),
    AuthenticationOptions = new AuthenticationOptions
    {
        // Settings for the authentication cookie IdentityServer issues for its own session
        CookieOptions = new IdentityServer3.Core.Configuration.CookieOptions
        {
            // Lifetime of the IdentityServer session cookie (default is 10 hours)
            ExpireTimeSpan = TimeSpan.FromHours(24)
        }
    }
};
```
Scott Brady
  • Thanks for that. I've tried to change the timeout to 2 mins for testing but it doesn't have an effect. When I debug in Chrome I can see that the cookies are all set as session instead of having an expiry. Is there another setting to change this behaviour which I can use in conjunction? I've looked at CookieOptions but nothing stands out? – Twisted Feb 22 '17 at 11:03
  • If you don't click the 'remember me' button on the login page, then you get a session cookie. Otherwise you'll get a cookie with a lifetime you've stated. To get around this and force your cookie lifetime, in `CookieOptions` set `IsPersistent` to true and `AllowRememberMe` to false. – Scott Brady Feb 22 '17 at 11:58
  • Check out https://identityserver.github.io/Documentation/docsv2/configuration/authenticationOptions.html for full write-ups for all of these options. – Scott Brady Feb 22 '17 at 11:59
  • I had tried the IsPersistent option already in conjunction with the ExpireTimeSpan option and this hadn't worked. I didn't set AllowRememberMe so I will give it a try, although it seems odd that this would control if the cookie was persistent or session. The documentation implies that the RememberMeDuration setting comes into play with AllowRememberMe and not the ExpireTimeSpan. – Twisted Feb 23 '17 at 19:53