asp.net-mvc asp.net-identity owin

Why is the cookie's expiration date 'Session' when using Owin


My web application is MVC5. I'm calling a URL of an IdentityServer4 application to authenticate the user when logging in. Here is the ConfigureAuth method of the Startup class in my application:

    public void ConfigureAuth(IAppBuilder app)
    {
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();            

        var authority = LayeredConfiguration.GetValue("HydraInsuranceWeb-UserManagement-Authority");
        var redirectUri = LayeredConfiguration.GetValue("HydraInsuranceWeb-UserManagement-RedirectUri");

        app.UseCookieAuthentication(new CookieAuthenticationOptions {
            AuthenticationType = "Cookies",
            SlidingExpiration = false,
            ExpireTimeSpan = System.TimeSpan.FromMinutes(2),
            CookieName = "MyTestCookie"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = authority,
            ClientId = AuthConstants.InsuranceWebClientId,
            Scope = "openid profile user.management hydra.eventhistory.api",
            RedirectUri = redirectUri,
            ResponseType = "code id_token",

            SignInAsAuthenticationType = "Cookies",
            UseTokenLifetime = false,

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n =>
                {
                    try
                    {
                        var transformedHydraIdentity = new HydraIdentityBuilder(n.AuthenticationTicket.Identity)
                                .AllowSecurityAdmin()
                                .IncludeRoleProfiles()
                                .IncludeIdToken(n.ProtocolMessage.IdToken)
                                .IncludeStandardClaims()
                                .Build();

                        n.AuthenticationTicket = new Microsoft.Owin.Security.AuthenticationTicket(
                            transformedHydraIdentity,
                            n.AuthenticationTicket.Properties);
                    }
                    catch (Exception ex)
                    {
                        n.HandleResponse();
                        n.Response.Redirect("/Error/NoAuthorization");

                        DiagnosticService.Writer.AddError("Authentication Error", ex);
                    }

                    return Task.FromResult(0);
                },
            }
        });
    }        

After logging in, the cookie's expiration is always "Session", not the current time plus 2 minutes.

But I expect the cookie's expiration to be a specific datetime: the current time plus 2 minutes. If the user doesn't do anything for 2 minutes, they should be sent to the login page.

Has anyone seen this issue? Please tell me how to investigate or debug why the cookie's expiration is changed.

Also, there are 2 cookies: .AspNet.Cookies and MyTestCookie. Which cookie is used to authenticate the user?


Solution

  • You need to set IsPersistent to True when signing in.

    AuthenticationManager.SignIn(new AuthenticationProperties{ IsPersistent = true, ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(30)}, userIdentity);
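
Added example, not part of the original answer: the question's configuration never calls AuthenticationManager.SignIn itself, because the OpenID Connect middleware signs in with the ticket from SecurityTokenValidated, so this sketch sets IsPersistent on that ticket's properties instead. The authority, client id and redirect URI are placeholders, and the HydraIdentityBuilder transformation and error handling from the question are left out.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            // Replaces the default cookie name ".AspNet." + AuthenticationType.
            CookieName = "MyTestCookie",
            SlidingExpiration = false,
            // Lifetime written into the protected ticket; the cookie middleware
            // rejects the ticket server-side once it has elapsed.
            ExpireTimeSpan = TimeSpan.FromMinutes(2)
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idsrv.example.test",   // placeholder
            ClientId = "example-client",                // placeholder
            RedirectUri = "https://app.example.test/",  // placeholder
            ResponseType = "code id_token",
            Scope = "openid profile",
            SignInAsAuthenticationType = "Cookies",
            // false: ticket lifetime comes from ExpireTimeSpan, not the id_token.
            UseTokenLifetime = false,

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n =>
                {
                    // Persistent ticket: the cookie middleware adds an Expires
                    // attribute to the cookie. ExpiresUtc is left unset here so
                    // the middleware derives it from ExpireTimeSpan.
                    n.AuthenticationTicket.Properties.IsPersistent = true;
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

The Expires attribute only tells the browser when to discard the cookie. The 2-minute limit itself is enforced by the ExpiresUtc stored inside the ticket, which the cookie middleware checks on each request even when the browser lists the cookie as "Session".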