
How to fix ASP.NET Identity to keep the authentication session for longer?

Dragan B. Published in 2017-12-07 20:47:41Z

I have a web app which is an MVC 5 app with Microsoft.AspNet.Identity authentication. The authentication properties are defined in the Startup class, which by default came from the project template and looked like this:

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(15),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });            
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
        app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
        app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
    }
}

A client called me and told me that he is very unhappy: on the production website he is logged in and everything is OK with the app, but when he gets a phone call and talks with somebody for a few minutes, the next request kicks him back out to the login screen. This is very frustrating for him because it happens after only a few minutes of inactivity. He would like the session to last at least half an hour. I set the validateInterval to 30 minutes and nothing changed whatsoever. I started looking around the net to try to find something. In the end, following the advice from other posts on SO, I changed the ConfigureAuth method to look like this:

public void ConfigureAuth(IAppBuilder app)
{
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            OnValidateIdentity = async (context) =>
            {
                await SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(20),
                    // Note that if identity is regenerated in the same HTTP request as a logoff attempt,
                    // the logoff attempt will have no effect and the user will remain logged in.
                    // See https://aspnetidentity.codeplex.com/workitem/1962
                    regenerateIdentity: (manager, user) =>
                        user.GenerateUserIdentityAsync(manager)
                )(context);

                var newResponseGrant = context.OwinContext.Authentication.AuthenticationResponseGrant;
                if (newResponseGrant != null)
                    newResponseGrant.Properties.IsPersistent = true;
            }
        }
    });            
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
}

This was done in the hope that the cookie would persist, but it does not. If I look at the ASP.NET application cookie information in Chrome, I can see that it now sets the expiration to half an hour from now, but it still does not make any difference and it expires, as can be seen from the screenshot.

Before this, the cookie had a session expiration, just like the second one, but it does not help that it looks proper now if it does not behave properly. I don't have any idea what to do. Any pointer is welcome. Thanks.
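The settings touched in the question do different jobs, shown here as an added example that is not part of the original post and is not offered as a confirmed fix for the symptom described: `validateInterval` only sets how often the security stamp is re-checked, while `ExpireTimeSpan` and `SlidingExpiration` on `CookieAuthenticationOptions` govern the lifetime of the authentication ticket. It assumes the `ApplicationDbContext`, `ApplicationUserManager`, `ApplicationSignInManager` and `ApplicationUser` types from the MVC 5 template above; the 30-minute value is taken from the client's request.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example: template types (ApplicationUserManager etc.) are assumed to exist.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            // Lifetime of the authentication ticket carried inside the cookie.
            // The ticket carries this expiry even when the browser cookie itself
            // is a session cookie (IsPersistent = false).
            ExpireTimeSpan = TimeSpan.FromMinutes(30),

            // Re-issue the cookie with a fresh ExpireTimeSpan when a request
            // arrives after more than half of the lifetime has elapsed, so the
            // window tracks inactivity rather than time since sign-in.
            SlidingExpiration = true,

            Provider = new CookieAuthenticationProvider
            {
                // validateInterval does NOT extend or shorten the session.
                // It is how often the user's security stamp is compared with the
                // stored one, i.e. how quickly a password change or forced
                // sign-out invalidates cookies that are already issued.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(15),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

Forcing `IsPersistent = true` inside `OnValidateIdentity`, as the second listing in the question does, makes every regenerated cookie persistent regardless of what the user chose at sign-in, so on shared machines it leaves a usable cookie on disk after the browser closes.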
