How can I sign out a user from an ASP.NET Core MVC 3.1.27 application after 5 minutes of inactivity or so? I have created the application using Azure Identity platform (Azure AD) as authentication type.

I tried implementing it using one of Microsoft's documentation pages, but it is not working for me. Please find the documentation link: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-6.0

I have added session Middleware in Configure method of startup.cs class

I have added session Dependency Injection service in ConfigureServices method of startup.cs class

Thanks in advance for your help.

Anuraj
  • When we integrate Azure AD into an ASP.NET Core MVC app following the official sample, it provides a sign-out button which lets users sign out, so normally we need to go to the specific sign-out page to log out the user. When we want to sign out manually, we also need to do a similar action, and I don't think that is what you want. Another way is to control the sign-in state by ID token, so we can try to set a [token lifetime](https://docs.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes#create-a-policy-for-web-sign-in) policy. But it requires an Azure AD Premium P1 license – Tiny Wang Sep 08 '22 at 09:19

1 Answer

• You will have to use the ‘authenticationElement’ within your ASP.Net application to identify the users who view your application by using either the ‘configuration Element’, ‘system.web Element’ or ‘authentication Element’ in the application schema, along with the attributes and child elements such as ‘mode, forms, passport’ as shown below, which need to be edited in the ‘web.config’ file of the application:

```xml
<authentication mode="Windows">
  <forms
    name=".ASPXAUTH"
    loginUrl="login.aspx"
    defaultUrl="default.aspx"
    protection="All"
    timeout="30"
    path="/"
    requireSSL="false"
    slidingExpiration="true"
    cookieless="UseDeviceProfile"
    domain=""
    enableCrossAppRedirects="false">
    <credentials passwordFormat="SHA1" />
  </forms>
  <passport redirectUrl="internal" />
</authentication>
```

• Once the above authentication element schema is implemented, this will ensure that the user gets logged out after the specified period of inactivity. Along with the above, you can also configure the ‘app's cookie’ in ‘Program.cs’ by calling the ‘ConfigureApplicationCookie’ class as below by calling the ‘AddIdentity’ or ‘AddDefaultIdentity’ parameters as shown below:

```csharp
builder.Services.ConfigureApplicationCookie(options =>
{
    options.AccessDeniedPath = "/Identity/Account/AccessDenied";
    options.Cookie.Name = "YourAppCookieName";
    options.Cookie.HttpOnly = true;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
    options.LoginPath = "/Identity/Account/Login";
    // ReturnUrlParameter requires
    // using Microsoft.AspNetCore.Authentication.Cookies;
    options.ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
    options.SlidingExpiration = true;
});
```

Wherein the ‘ExpireTimeSpan’ is the duration after which the cookie will expire and ‘SlidingExpiration’ will tell the parent handler, i.e., ‘ConfigureApplicationCookie’ and ‘authentication Element’ in the application schema, to issue a new cookie with the configured expiration time. Thus, by implementing the above, you can configure the inactivity timeout in your ASP.Net application.

For more information, kindly refer to the below links for clarification:

https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/532aee0e(v=vs.100)?redirectedfrom=MSDN

https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?view=aspnetcore-6.0&viewFallbackFrom=aspnetcore-2.1

Kartik Bhiwapurkar
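
An added example, not part of the answer above or of any Microsoft sample: a `Startup` for an ASP.NET Core 3.1 MVC app that applies the 5-minute sliding idle timeout from the question to the authentication cookie. It assumes the app was scaffolded with the `Microsoft.AspNetCore.Authentication.AzureAD.UI` package and keeps its settings in an `AzureAd` configuration section; with a different package the scheme names differ.

```csharp
using System;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // The 5-minute idle window asked for in the question.
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(5);

    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumption: Azure AD settings live in the "AzureAd" section of appsettings.json.
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        // If UseTokenLifetime is enabled, the OpenID Connect handler stamps the ID token's
        // lifetime onto the cookie and ExpireTimeSpan below is ignored, so switch it off.
        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme,
            options => options.UseTokenLifetime = false);

        services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
        {
            options.ExpireTimeSpan = IdleTimeout;
            // Sliding renewal re-issues the cookie only on a request that arrives
            // after more than half of the window has elapsed.
            options.SlidingExpiration = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

Expiry of this cookie ends only the application's local session and is noticed on the next request. The Azure AD session is separate, so the redirect that follows can sign the user back in without a prompt.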