I have two session-related questions.
First question: Are there any security concerns if IdentityServer.CookieLifetime is set too long, such as 6 hours? The IdentityServer.CookieLifetime option is used to set the authentication cookie lifetime. For example, my sample code shows the authentication cookie lifetime set to 6 hours. Therefore, users do not have to enter a password for 6 hours.
Second question: If we want to keep the authentication cookie lifetime shorter and slide the cookie (enable CookieSlidingExpiration), does it work with OpenID Connect silent refresh? Because the silent refresh keeps refreshing the page when the current token is about to expire, will the silent refresh trigger cookie sliding forever? Any suggestions? Thank you.
services.AddIdentityServer(options => {
    // Lifetime of the authentication cookie
    options.Authentication.CookieLifetime = TimeSpan.FromSeconds(21600); // 6 hours
    // Sliding expiration is disabled here
    options.Authentication.CookieSlidingExpiration = false;
    ...
});
I hope this helped! Good luck!