ASP.Net MVC5 Identity 2.0 How long does a user stay authenticated?


I am creating an MVC5 application starting with the standard template generated by VS2013. This is Identity 2.0.

Just using the Individual User Accounts option against my SQL Server database.

This may not be the correct term but: how long does the user’s authorization in the cookie remain valid?

Chrome tools displays the “.AspNet.ApplicationCookie” for my domain expires “When the browsing session ends”.

MSDN says (if I am on the correct page) “By default, the authentication cookie remains valid for the user's session.”

What if the webserver is restarted while the user is away from their browser and then hits refresh, are they still authenticated?

I have all my controllers and api controllers locked down with [Authorize] except the login.

When making ajax calls from Angularjs, will I need to handle Not Authorized and redirect the user back to login?

Sorry for my ignorance, but this membership stuff has taken so many turns that most blogs/answers seem to refer to web.config settings I do not have.

My web.config contains the following:

  <system.web>
    <authentication mode="None" />
    <compilation debug="true" targetFramework="4.5.1" />
    <httpRuntime targetFramework="4.5.1" />
  </system.web>
  <system.webServer>
    <modules>
      <remove name="FormsAuthentication" />
    </modules>
  </system.webServer>

Solution

  • Actually, the expiry time of the cookie is set in the Startup.Auth.cs class under the App_Start folder.

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        },
        ExpireTimeSpan = TimeSpan.FromHours(8),
        SlidingExpiration = true
    });
    

    The 'validateInterval' makes it possible to update the cookie expiry time if the user is performing a long task, which avoids logging the user out in the middle of an operation.

    Restarting the website does not log out the user; I have tested this by restarting a website hosted on Azure Websites.

    As long as you are using default controller actions and default mvc routing, non-authenticated users will be redirected to the login page specified in the above code section 'LoginPath'.

    But single page applications behave differently if we are using different routing plugins (e.g. Angular to handle routing); in that case we have to do some work to get the correct redirect URL.

    Updated

    Actually we only need to worry about returnUrl, because when we use a URL of the form http://www.someDomain.com/#/assessments/list/invite, returnUrl should be #/assessments/list/invite; then the user will be logged out but will be redirected to the correct section when they log in again. I catch the hash part of the URL and assign it to the returnUrl on the client side in Login.cshtml.

    <script type="text/javascript">
        document.getElementById('ReturnUrl').value = window.location.hash;
    </script>
    

    This will solve that issue.
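Added example (not code from the original question or answer): the SPA side of the redirect problem described above. The `#/...` fragment is never sent to the server, so the server's LoginPath redirect cannot put it in ReturnUrl; the client has to capture it, and it should only accept a same-site relative path as ReturnUrl so the login page cannot be abused as an open redirect. The example assumes the API answers an expired cookie with a 401 (rather than a 302 to the login page); `LOGIN_PATH`, `navigate` and the location objects are assumptions for illustration.

```javascript
// Assumed to match LoginPath in Startup.Auth.cs.
const LOGIN_PATH = "/Account/Login";

// Accept only a same-site relative path ("/..." but not "//host" or "/\host")
// or a bare fragment ("#/...") as a return target. This is the client-side
// counterpart of the Url.IsLocalUrl check the MVC template does server-side.
function isLocalReturnUrl(url) {
  if (typeof url !== "string" || url.length === 0) {
    return false;
  }
  if (url[0] === "#") {
    return true;
  }
  return url[0] === "/" && url[1] !== "/" && url[1] !== "\\";
}

// Build the login URL, carrying path, query and hash in ReturnUrl.
// `location` has the shape of window.location: { pathname, search, hash }.
function buildLoginUrl(location) {
  const returnUrl = location.pathname + location.search + location.hash;
  const safe = isLocalReturnUrl(returnUrl) ? returnUrl : "/";
  return LOGIN_PATH + "?ReturnUrl=" + encodeURIComponent(safe);
}

// Hook for the AJAX layer (e.g. an Angular response interceptor): on a 401
// from an [Authorize]d action, send the browser to the login page and
// report what was done; any other status is passed through untouched.
// `navigate` is injected so the logic can run outside a browser.
function onApiResponse(status, location, navigate) {
  if (status === 401) {
    navigate(buildLoginUrl(location));
    return "redirected";
  }
  return "ok";
}

// Constructed sample: the deep link from the answer, after the cookie expired.
const sampleLocation = { pathname: "/", search: "", hash: "#/assessments/list/invite" };
onApiResponse(401, sampleLocation, (url) => console.log("redirect to", url));
```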