I have an ASP.NET Core 3.1 application with Identity running on local IIS. It is configured as follows and, as you can see, the cookie is configured to last 3 hours:
Startup.cs
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<IdentityOptions>(options =>
        {
            options.Password.RequireDigit = true;
            options.Password.RequireNonAlphanumeric = true;
            options.Password.RequireUppercase = true;
            options.Password.RequireLowercase = true;
            options.Password.RequiredLength = 8;
        });
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.MaxAge = TimeSpan.FromHours(3);
            options.Cookie.Name = "CookieNameBlaBlaBla";
            options.Cookie.HttpOnly = true;
            options.ExpireTimeSpan = TimeSpan.FromHours(3);
            options.LoginPath = new PathString("/login/login");
            options.AccessDeniedPath = new PathString("/login/AccessDenied");
            options.SlidingExpiration = true;
        });
    }
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseAuthentication();
        app.UseAuthorization();
    }
LoginController.cs
    var result = await _signInManager.PasswordSignInAsync(formModel.Email, formModel.Password, true, lockoutOnFailure: false); // isPersistent forced to be TRUE
The problem is that the application is logging the user off after approximately 30 minutes, and this shouldn't happen.
I looked at the Identity documentation at Microsoft but I didn't identify anything wrong or if something is missing.
Can anybody help me?
First you have to follow an order, which is:
- First AddSession()
- Then AddIdentity() or AddDefaultIdentity()
- And the configure methods
Now, I'm using a session with the cookie.
Sample code of Startup.cs file:
    // First AddSession()
    services.AddSession(options =>
    {
        options.IdleTimeout = TimeSpan.FromMinutes(3);
        options.Cookie.MaxAge = TimeSpan.FromHours(3);
        options.Cookie.Name = "SessionNameBlaBlaBla";
        options.Cookie.HttpOnly = true;
        options.Cookie.Expiration = TimeSpan.FromHours(3);
    });
    // Then AddIdentity() or AddDefaultIdentity()
    services.AddIdentity<User, UserRole>(options =>
    {
        // Password settings.
        options.Password.RequireDigit = true;
        options.Password.RequireNonAlphanumeric = false;
        options.Password.RequireUppercase = false;
        options.Password.RequireLowercase = false;
        options.Password.RequiredLength = 6;
    }).AddDefaultTokenProviders();
    // And the configure methods
    services.ConfigureApplicationCookie(options =>
    {
        // Cookie settings
        options.Cookie.MaxAge = TimeSpan.FromHours(3);
        options.Cookie.Name = "CookieNameBlaBlaBla";
        options.Cookie.HttpOnly = true;
        options.LoginPath = new PathString("/login/login");
        options.AccessDeniedPath = new PathString("/login/AccessDenied");
        options.SlidingExpiration = true;
    });
My thanks to @Deepak Mishra for helping me.
Because it is dependent upon session, until you check "Remember Me?" (IsPersistent parameter of PasswordSignInAsync)
    var result = await _signInManager.PasswordSignInAsync(Input.Email, Input.Password, Input.RememberMe, lockoutOnFailure: true);
So either look for a persistent cookie or increase the session timeout.
    services.AddSession(options =>
    {
        options.IdleTimeout = TimeSpan.FromHours(3);
    });
Also, as per MS Docs, ConfigureApplicationCookie must be called after calling AddIdentity or AddDefaultIdentity.
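A way to check what the authentication ticket actually carries on each request, as an added example that is not part of the question or either answer: it logs the ticket's persistence flag, issue time and expiry, and notes when validation rejected the ticket. The names AuthCookieDiagnostics, AddLoggedApplicationCookie and the "AuthCookie" log category are hypothetical; call it after AddIdentity() or AddDefaultIdentity().

```csharp
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Added example; class, method and log category names are hypothetical.
public static class AuthCookieDiagnostics
{
    public static IServiceCollection AddLoggedApplicationCookie(this IServiceCollection services)
    {
        // Register this after AddIdentity()/AddDefaultIdentity(): Identity assigns its own
        // Events object (with the security-stamp validator) when it sets up the application
        // cookie, so handlers attached before that point would be replaced.
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.ExpireTimeSpan = TimeSpan.FromHours(3); // ticket lifetime
            options.SlidingExpiration = true;

            // Keep the validator that is already registered and run it first.
            var existingValidator = options.Events.OnValidatePrincipal;
            options.Events.OnValidatePrincipal = async context =>
            {
                await existingValidator(context);

                var log = context.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>()
                    .CreateLogger("AuthCookie");

                if (context.Principal == null)
                {
                    // The earlier validator rejected the ticket, so the user is signed out.
                    log.LogWarning("Auth ticket rejected during validation");
                    return;
                }

                log.LogInformation(
                    "Auth ticket valid: persistent={Persistent} issued={Issued} expires={Expires}",
                    context.Properties.IsPersistent,
                    context.Properties.IssuedUtc,
                    context.Properties.ExpiresUtc);
            };
        });
        return services;
    }
}
```

If the logged expiry is still in the future when the user is sent back to the login page, the ticket lifetime is not what ended the sign-in.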