
ASP.NET Core 3.1 application with Identity logging off quickly


Problem

I have an ASP.NET Core 3.1 application with Identity running on the local IIS, and it is configured as follows. As you can see, the cookie is configured to last 3 hours:

Startup.cs


public void ConfigureServices(IServiceCollection services)
{
    services.Configure<IdentityOptions>(options =>
    {
        options.Password.RequireDigit = true;
        options.Password.RequireNonAlphanumeric = true;
        options.Password.RequireUppercase = true;
        options.Password.RequireLowercase = true;
        options.Password.RequiredLength = 8;
    });

    services.ConfigureApplicationCookie(options =>
    {
        options.Cookie.MaxAge = TimeSpan.FromHours(3);
        options.Cookie.Name = "CookieNameBlaBlaBla";
        options.Cookie.HttpOnly = true;
        options.ExpireTimeSpan = TimeSpan.FromHours(3);

        options.LoginPath = new PathString("/login/login");
        options.AccessDeniedPath = new PathString("/login/AccessDenied");
        options.SlidingExpiration = true;
    });
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseAuthentication();
    app.UseAuthorization();
}

LoginController.cs

var result = await _signInManager.PasswordSignInAsync(formModel.Email, formModel.Password, true, lockoutOnFailure: false); // isPersistent forced to be TRUE

The problem is that the application is logging off the user after approximately 30 minutes and this shouldn't happen.

I looked at the Identity documentation at Microsoft but I didn't identify anything wrong or if something is missing.

Can anybody help me?


Solution

First you have to follow an order, which is:

  • First AddSession()
  • Then AddIdentity() or AddDefaultIdentity()
  • And the configure methods

Now, I'm using a session with the cookie.

Sample code of Startup.cs file:

// First AddSession()
services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromMinutes(3);
    options.Cookie.MaxAge = TimeSpan.FromHours(3);
    options.Cookie.Name = "SessionNameBlaBlaBla";
    options.Cookie.HttpOnly = true;
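    // Cookie.Expiration is not set here: the session cookie builder rejects it
    // with an InvalidOperationException. MaxAge above controls the cookie lifetime.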
});

// Then AddIdentity() or AddDefaultIdentity()
services.AddIdentity<User, UserRole>(options =>
{
    // Password settings.
    options.Password.RequireDigit = true;
    options.Password.RequireNonAlphanumeric = false;
    options.Password.RequireUppercase = false;
    options.Password.RequireLowercase = false;
    options.Password.RequiredLength = 6;
}).AddDefaultTokenProviders();

// And the configure methods
services.ConfigureApplicationCookie(options =>
{
    // Cookie settings
    options.Cookie.MaxAge = TimeSpan.FromHours(3);
    options.Cookie.Name = "CookieNameBlaBlaBla";
    options.Cookie.HttpOnly = true;

    options.LoginPath = new PathString("/login/login");
    options.AccessDeniedPath = new PathString("/login/AccessDenied");
    options.SlidingExpiration = true;
});

My thanks to @Deepak Mishra for helping me.


Solution

  • Because it is dependent upon session, until you check "Remember Me?" (IsPersistent parameter of PasswordSignInAsync)

    var result = await _signInManager.PasswordSignInAsync(Input.Email, Input.Password, Input.RememberMe, lockoutOnFailure: true);
    

    So either look for a persistent cookie or increase session timeout.

    services.AddSession(options =>
    {
       options.IdleTimeout = TimeSpan.FromHours(3);
    });
    

    Also, as per MS Docs, ConfigureApplicationCookie must be called after calling AddIdentity or AddDefaultIdentity.
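
An added example, not part of the question or either answer: one way to check what lifetime the authentication ticket actually carries, and whether it expired or was rejected during validation. The helper name `AddApplicationCookieWithDiagnostics` and the logger category `AuthCookie` are hypothetical. Because it wraps the validation handler Identity installs, it relies on the ordering rule quoted above and must be called after AddIdentity() or AddDefaultIdentity().

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class AuthCookieSetup
{
    // Hypothetical helper: call from ConfigureServices AFTER AddIdentity()/AddDefaultIdentity().
    public static IServiceCollection AddApplicationCookieWithDiagnostics(this IServiceCollection services)
    {
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Name = "CookieNameBlaBlaBla";
            options.Cookie.HttpOnly = true;
            options.ExpireTimeSpan = TimeSpan.FromHours(3); // lifetime of the auth ticket
            options.SlidingExpiration = true;
            options.LoginPath = new PathString("/login/login");
            options.AccessDeniedPath = new PathString("/login/AccessDenied");

            // Identity has already set its security-stamp check on this event.
            // Keep a reference and call it, so the logging does not replace it.
            var identityValidation = options.Events.OnValidatePrincipal;
            options.Events.OnValidatePrincipal = async context =>
            {
                var log = context.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>()
                    .CreateLogger("AuthCookie");

                // What the decrypted ticket says about its own lifetime.
                log.LogInformation(
                    "Ticket for {User}: issued {Issued}, expires {Expires}, persistent {Persistent}",
                    context.Principal?.Identity?.Name,
                    context.Properties.IssuedUtc,
                    context.Properties.ExpiresUtc,
                    context.Properties.IsPersistent);

                await identityValidation(context);

                // A null principal here means validation rejected a ticket
                // that had not yet reached its expiry time.
                if (context.Principal == null)
                    log.LogWarning("Ticket rejected during validation before its expiry");
            };
        });
        return services;
    }
}
```

If the logged expiry is three hours ahead but users are still signed out earlier, the cookie lifetime settings are not the cause and the sign-out is coming from somewhere else in the pipeline.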