5

I have a weird issue happening with RC2.

I have setup Identity 3 ExpireTimeSpan to 12 hours using the following configuration option

options.Cookies.ApplicationCookie.ExpireTimeSpan = new TimeSpan(12,0,0);

After logging in to the website and leaving it untouched for ~35-40mins, I get a 401 error (for my ajax post calls) and refreshing the website, I get back to the login page.

Why do I have to reauthenticate when I have setup the ExpireTimeSpan to 12hours?

Is there another setting or configuration that I need?

Also,

How can I get the time left before the expiry occurs? I would like to access that information so I could warn my users that their session will expire after X time.

Thanks!

Improve this question

1 Answer 1

Reset to default
8

I found the problem

The problem lies with the SecurityStamp mechanism. By default, every 30 minutes, the security stamp is validated. This mostly due to the fact that sign in everywhere is an option. The security stamp is updated usually in identity when the user changes password for instance. This will make all the locations where the user has signed on (except the one where he changed his password) sign out after 30mins because the stamp (usually a guid) has changed.

To implement this functionality, Implement the ISecurityStampStore<T> interface in your UserStore and implement the GetSecurityStampAsync(User user, CancellationToken cancellationToken) method

For more info you can check the security stamp validator code and the reason why it signs you out after 30mins

https://github.com/aspnet/Identity/blob/dev/src/Microsoft.AspNetCore.Identity/SecurityStampValidator.cs

Note: The options.SecurityStampValidationInterval can be set to increase the time check, but it doesn't resolve the problem. After X time, you will still be signed out.

Improve this answer
Sign up to request clarification or add additional context in comments.

10 Comments

So there is no rolling expiration or anything like that? That sucks! I think this is what I need also. My cookie is timing out at 30 minutes, even though my session continues to stay validated...
Can you post your code as it sits in your project. I still can't get mine working even incorporating the changes that you mentioned. Startup.cs file, etc
Are you using a DB as a backend? Active Directory? It all depends of your envrionment! If you can do a fiddler or something where we can see the code, it would be helpful!
Yes, DB backend, all hosted on Azure. I'll try it again tonight and get back to you.
did you ever find a solution for this in regards to it being fixed in .net? cheers.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.