13

I have an ASP.NET Core 1.1.2 project in which I am using cookie authentication. I am having a problem where users are being prompted to log back in after being idle for an hour or less, and losing work. The code below is what I'm using in the Configure function in Startup.cs to set this up, and from what I can tell, it should expire after at least 8 hours. BTW, ProjectProcessFlow is just the name of the project.

  app.UseCookieAuthentication(new CookieAuthenticationOptions()
  {
    AuthenticationScheme = "ProjectProcessFlow",
    LoginPath = new PathString("/Account/Login/"),
    ExpireTimeSpan = new TimeSpan(8, 0, 0),   // ticket should stay valid for 8 hours
    SlidingExpiration = true,                 // renewed when the user is active
    AutomaticAuthenticate = true,
    AutomaticChallenge = true
  });

I am including Microsoft.AspNetCore.Authentication.Cookies v1.1.2 in NuGet. What do I need to do to get the login expiration to happen at the expected time?

Additional Information:

I found that when the timeout happened and the user was asked to login again, a warning was recorded in the Event Viewer on the server that it couldn't find the logs folder under the project. So I created that folder, and waited for the timeout to happen again. When that happened, a log file was created in that folder that contained this:

Hosting environment: Production
Content root path: C:\inetpub\wwwroot\Sprout
Now listening on: http://localhost:13423
Application started. Press Ctrl+C to shut down.

When I repeated this process, the same thing happened, except that a different number appeared after "localhost:". I should mention that the project name is ProjectProcessFlow, but the URL ends in Sprout.

Joel Coehoorn
Rono

3 Answers

13

I know it is too late to answer this question, but for whoever is facing this: IIS resets the pool every 20 minutes, and every 20 minutes ASP.NET generates a new key to protect cookie values (Authentication and Session). To prevent this, add the following code to ConfigureServices in the Startup class:

services.AddDataProtection()
    // keep the key ring in a durable location so it survives pool recycles
    .PersistKeysToFileSystem(new System.IO.DirectoryInfo("SOME WHERE IN STORAGE"))
    // optional: encrypt the persisted keys at rest
    //.ProtectKeysWithCertificate(new X509Certificate2())
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90));

A complete guide is here. It is all about DataProtection

Mojtaba Karimi
  • ASP.Net Core 3.0: I tend to agree, but I am seeing this problem. When the auth cookie expires, the user is redirected to login with a redirect URL back to where they were. This can be to places in the app that require specific session values to be present. I have seen the app force the login, then successfully redirect into the session-protected area with the data the user had before being forced to log in. This would not be possible if the session and auth cookies were in any way linked. The auth cookie is being invalidated without a loss of session, so that cookie key is not changing. – JRodd Apr 17 '20 at 16:44
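The key-ring behaviour this answer describes, as an added example that is not code from the question or any answer: a small console program builds two independent Data Protection providers to stand in for the app before and after a pool recycle, protects a cookie payload with the first and tries to read it with the second, once with an in-memory key ring and once with keys persisted to a directory. It assumes the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages; the Purpose string, ticket text and key directory are made-up values.

```csharp
// Added example (not from the question or answers): two independent Data
// Protection providers stand in for the app before and after a pool recycle.
// Purpose, the ticket text and the key directory are made-up values.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

class KeyRingDemo
{
    // Hypothetical purpose string; the real cookie middleware derives its own.
    const string Purpose = "ProjectProcessFlow.AuthCookie";

    // One process lifetime of the web app. Without a key directory the key
    // ring lives only in memory and is gone once the worker process stops.
    static IDataProtectionProvider NewProcess(DirectoryInfo keyDirectory)
    {
        if (keyDirectory == null)
            return new EphemeralDataProtectionProvider();
        var services = new ServiceCollection();
        services.AddDataProtection()
                .PersistKeysToFileSystem(keyDirectory)
                .SetDefaultKeyLifetime(TimeSpan.FromDays(90));
        return services.BuildServiceProvider().GetDataProtectionProvider();
    }

    // Protects a ticket in "process 1", recycles, then unprotects it in
    // "process 2". False means the second key ring cannot decrypt the
    // cookie, which is exactly when the user is bounced to the login page.
    static bool CookieSurvivesRecycle(DirectoryInfo keyDirectory)
    {
        string ticket = "user=rono;expires=" + DateTime.UtcNow.AddHours(8).ToString("o");
        string cookie = NewProcess(keyDirectory).CreateProtector(Purpose).Protect(ticket);
        try
        {
            string readBack = NewProcess(keyDirectory).CreateProtector(Purpose).Unprotect(cookie);
            return readBack == ticket;
        }
        catch (CryptographicException)
        {
            return false; // the key id embedded in the cookie is not in this key ring
        }
    }

    static void Main()
    {
        var dir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "ppf-keys"));
        Console.WriteLine("ephemeral key ring survives recycle: " + CookieSurvivesRecycle(null));
        Console.WriteLine("persisted key ring survives recycle: " + CookieSurvivesRecycle(dir));
    }
}
```

The persisted case round-trips because the second provider loads the same key ring from disk; the ephemeral case fails with a CryptographicException about a key not found in the key ring, which is the symptom behind the unexpected login prompt.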
8

users are being prompted to log back in after being idle for an hour or less, and losing work.

I have a similar configuration, but it works fine for me.

One thing I can think of is that you cannot let the web server idle for 20 minutes. IIS's app pool default idle time-out is 20 minutes (I could not say for other Linux web servers).

So you could either set a longer app pool time-out (0 for infinity), or ping it every 5 minutes from an external service like Monitis.


Win
  • Instead of doing one of your suggestions, I changed Idle Time-out Action to Suspend, and that fixed the problem for me. Since you got me 95% of the way there, you get the bounty. – Rono Aug 16 '17 at 18:19
  • Even if the App Pool recycles, a cookie is stored on the user's local computer. The application should detect a valid cookie even if recycling occurred a gazillion times. – Thanasis Ioannidis Nov 14 '18 at 08:15
0

Do you have services.AddIdentity set up in your ConfigureServices method?

  services.AddIdentity<ApplicationUser, IdentityRole>(config =>
  {
      // Require a confirmed email in order to log in
      config.SignIn.RequireConfirmedEmail = true;
      // Cookie settings
      config.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromHours(10);
      config.Cookies.ApplicationCookie.LoginPath = "/Account/LogIn";
      config.Cookies.ApplicationCookie.LogoutPath = "/Account/LogOut";
  }).AddEntityFrameworkStores<ApplicationDbContext>().AddDefaultTokenProviders();

I had a similar issue and resolved it here: ASP.NET MVC Core Identity & Cookies

Dan Young