
I am facing a weird problem. I am able to do the silent renew, but my IdP cookie is not sliding. More on the problem...

I have an IdP session cookie (IdentityServer) lifetime set to expire in 15 minutes, and I kept the same time for the access token and id token lifetimes too.

On my JavaScript client, I check for user activity every 2 minutes, and if there was activity in the last 2 minutes, I renew the token.

I am able to get the access token and id token with renewed expiration times, but after 15 minutes (the IdP cookie lifetime) the silent renew calls fail and the IdP logs out.
I checked the response of the silent renew call, and I see no cookies being set (with new sliding expiration times) in the response headers.

Are there any settings I am supposed to enable on the server side? I appreciate your help.

hashbytes
  • Have you configured the cookie authentication scheme to use sliding expiration? – mackie Nov 14 '18 at 13:08
  • Yes I did, and I am using the default cookie scheme only. – hashbytes Nov 14 '18 at 13:16
  • I think it will only renew the cookie if you hit the site after it's past halfway to expiry - is it possible that you're missing that window? – mackie Nov 14 '18 at 13:57
  • Is it not possible to override this behavior? I need to keep sliding the cookie 30 more minutes from the last time I do a silent renew: if I have 30 min as the cookie lifetime, then at the 14th minute, if I do a silent renew, I have to slide the cookie another 30 min from that point, which is until the 44th minute from the time the user logs in... – hashbytes Nov 14 '18 at 15:32

1 Answer


As @mackie mentioned in the comments, the cookie will slide only if it's past halfway to expiry... and this has nothing to do with Identity Server, but with the .NET framework.

I was able to overcome it by doing this:

using System;
using System.Globalization;
using System.Threading.Tasks;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Options;

public class CustomCookieOptions : IConfigureNamedOptions<CookieAuthenticationOptions>
{
    private readonly AppConfiguration _appConfiguration;
    // RFC 1123 format, the same representation the cookie handler stores under ".expires"
    private const string UTC_DATE_TIME_FORMAT = "r";
    private const string EXPIRES_KEY = ".expires";

    public CustomCookieOptions(IOptions<AppConfiguration> appConfiguration)
    {
        _appConfiguration = appConfiguration.Value;
    }

    public void Configure(CookieAuthenticationOptions options)
    {
        // Unnamed options are left untouched; only the named scheme is customised below.
    }

    public void Configure(string name, CookieAuthenticationOptions options)
    {
        options.Events.OnValidatePrincipal = context =>
        {
            // Only act on the IdentityServer session cookie, not on other cookie schemes.
            if (context.Principal.Identity.IsAuthenticated &&
                options.Cookie.Name == IdentityServerConstants.DefaultCookieAuthenticationScheme)
            {
                // Slide only on authorize requests (the silent-renew path) while the cookie is still valid.
                if (context.Properties.Items.ContainsKey(EXPIRES_KEY)
                    && context.Request.Path.Value.StartsWith("/connect/authorize"))
                {
                    var expiresAt = DateTimeOffset.Parse(
                        context.Properties.Items[EXPIRES_KEY], CultureInfo.InvariantCulture);
                    if (DateTimeOffset.UtcNow <= expiresAt)
                    {
                        // Ask the handler to reissue the cookie with a full lifetime from now,
                        // bypassing the built-in "past halfway to expiry" sliding check.
                        context.ShouldRenew = true;
                        context.Properties.Items[EXPIRES_KEY] =
                            DateTimeOffset.UtcNow.AddSeconds(_appConfiguration.CookieLifetimeInSeconds)
                                .ToString(UTC_DATE_TIME_FORMAT, CultureInfo.InvariantCulture);
                    }
                }
            }
            return Task.CompletedTask;
        };
    }
}

And then register it:

services.AddSingleton<IConfigureOptions<CookieAuthenticationOptions>, CustomCookieOptions>();
Gokulnath
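The halfway rule from the comments and the answer's override, as an added example in JavaScript (the client's language) that is not code from the question or the answer: it replays constructed silent-renew timelines for the question's 15-minute cookie against both rules and reports which renew, if any, finds the cookie already gone. The function names, the ticket shape and the timelines are this example's own.

```javascript
// Added example, not code from the question or the answer: a model of the
// ASP.NET Core cookie handler's sliding-expiration rule beside the answer's
// "always renew on /connect/authorize" override. Times are minutes since login.

// Default handler rule: the ticket is reissued only once more than half of its
// lifetime has elapsed (timeElapsed > timeRemaining); the new expiry is
// now + (expires - issued).
function defaultSlide(ticket, now) {
  const elapsed = now - ticket.issued;
  const remaining = ticket.expires - now;
  if (elapsed > remaining) {
    const lifetime = ticket.expires - ticket.issued;
    return { issued: now, expires: now + lifetime, renewed: true };
  }
  return { ...ticket, renewed: false };
}

// Rule after the answer's OnValidatePrincipal override: any authorize request
// that finds a still-valid cookie pushes the expiry to now + lifetime.
function forcedSlide(ticket, now, lifetimeMin) {
  return { issued: now, expires: now + lifetimeMin, renewed: true };
}

// Replay request times against a policy. Returns the minute of the first
// request that arrived after the cookie expired (the silent renew that fails),
// or null if every request found a live cookie.
function simulate(requestMinutes, lifetimeMin, slide) {
  let ticket = { issued: 0, expires: lifetimeMin };
  for (const t of requestMinutes) {
    if (t > ticket.expires) return t; // cookie gone: IdP sees a logged-out user
    ticket = slide(ticket, t, lifetimeMin);
  }
  return null;
}

// Constructed timelines for a 15-minute cookie. Steady 2-minute renews cross
// the halfway point (minute 8) and keep sliding under both rules. Renews only
// in the first half, then idle until minute 20, never trigger the default
// rule, so the minute-20 renew fails; the override keeps the session alive.
const steady = [2, 4, 6, 8, 10, 12, 14, 16, 18, 20];
const firstHalfOnly = [2, 4, 6, 20];

function scenarios() {
  return {
    steadyDefault: simulate(steady, 15, defaultSlide),     // null
    steadyForced: simulate(steady, 15, forcedSlide),       // null
    gapDefault: simulate(firstHalfOnly, 15, defaultSlide), // 20
    gapForced: simulate(firstHalfOnly, 15, forcedSlide),   // null
  };
}
```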