Tags: asp.net-mvc, asp.net-mvc-5, owin, asp.net-identity-2

Using cookies to stay signed in with third party login providers and Microsoft.AspNet.Identity.Owin 2.0


I've followed this tutorial in an attempt to use several third party login providers with a simple ASP.NET MVC SPA application I am writing. While configuration is simple enough (I've actually enabled Twitter and Microsoft), and the sign-in process works correctly, the user credentials are stored in a browser session cookie only and do not persist across browser sessions.

I've also tried using the alpha-1 sample project from NuGet (with the same basic configuration applied) and it also does not work (at least in my environment).

The web application is only hosted locally (as I do not have an Azure account in which to test).

I thought the setting ExpireTimeSpan would affect it, but it does not:

// Startup.Auth.cs: the cookie middleware is registered in the OWIN startup class.
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Enable the application to use a cookie to store information for the signed in user
        app.UseCookieAuthentication(GetCookieAuthenticationOptions());
    }

    private static CookieAuthenticationOptions GetCookieAuthenticationOptions()
    {
        var options = new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            CookieSecure = CookieSecureOption.SameAsRequest,
            SlidingExpiration = true,
            CookieName = "MYSECURITY",
            // Lifetime of a persistent cookie; a non-persistent sign-in still yields a session cookie
            ExpireTimeSpan = TimeSpan.FromDays(45.0),
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Re-check the user's security stamp every 20 minutes and reissue the identity
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(20),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        };

        return options;
    }
}

Cookies (I changed the default name of the cookie intentionally to validate that the code was executing -- it doesn't work with the default either):

[Screenshot: cookies with session expiration]


Solution

  • The MVC Single Page Application project template in Visual Studio contains the following method in the AccountController which forces all external logins to not be persistent across browser sessions:

    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        // ...
        await SignInAsync(user, isPersistent: false);
        // ...
    }
    

    If you are comfortable with the security implications of trusting an identity that has been authenticated by an external provider across browser sessions, you could set isPersistent = true when calling SignInAsync.

    Also be aware that any persistent login will be made non-persistent once the SecurityStampValidator fires the regenerateIdentity callback (which will occur after 20 minutes in your sample code above). See the question ExpireTimeSpan ignored after regenerateIdentity / validateInterval duration in MVC Identity (2.0.1) for discussion on this behavior.
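The pattern the answer describes, written out as an added example (this is not the question's code, the answer's code, or the project template's exact code): an ExternalLoginCallback that persists the cookie only when the user opted in, and the SignInAsync helper that carries that choice into the application cookie via AuthenticationProperties.IsPersistent. The rememberMe parameter, the ExternalLoginConfirmation action name, and the ApplicationUserManager/ApplicationUser types are assumptions taken from the template's conventions rather than from this page.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public partial class AccountController : Controller
{
    // ApplicationUserManager and ApplicationUser are the template's types
    // (assumed here, as in the question's OnValidateIdentity call).
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // rememberMe is an assumed extra parameter: the ExternalLogin action must add it
    // to the callback redirectUri it hands to the challenge so it survives the round
    // trip to the provider; it is not part of the template's signature.
    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl, bool rememberMe = false)
    {
        var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (loginInfo == null)
        {
            // The external cookie is missing or failed validation: sign nobody in.
            return RedirectToAction("Login");
        }

        var user = await UserManager.FindAsync(loginInfo.Login);
        if (user == null)
        {
            // No local account is linked to this provider login yet (template action, assumed).
            return RedirectToAction("ExternalLoginConfirmation");
        }

        // A persistent cookie keeps a shared or stolen machine signed in for ExpireTimeSpan
        // (45 days in the question), so tie it to an explicit opt-in rather than defaulting to true.
        await SignInAsync(user, isPersistent: rememberMe);
        return RedirectToLocal(returnUrl);
    }

    private async Task SignInAsync(ApplicationUser user, bool isPersistent)
    {
        // Drop the short-lived external cookie; only the application cookie should remain.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);

        ClaimsIdentity identity = await user.GenerateUserIdentityAsync(UserManager);

        // IsPersistent = true is what gives the cookie an expiry (ExpireTimeSpan);
        // false produces a session cookie no matter what ExpireTimeSpan says.
        AuthenticationManager.SignIn(
            new AuthenticationProperties { IsPersistent = isPersistent },
            identity);
    }

    private ActionResult RedirectToLocal(string returnUrl)
    {
        // Only follow same-site return URLs; an open redirect would send a freshly
        // signed-in user to an attacker-chosen page.
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}
```

The caveat in the answer still applies to this code: with the question's validateInterval of 20 minutes, the SecurityStampValidator's regenerateIdentity callback reissues the cookie, and on the Identity version discussed here that reissue does not carry IsPersistent forward, so checking the cookie's expiry after the first 20 minutes is the quick way to confirm whether persistence survived.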