Having searched for the answer to this, I can't find any way of extending the timeout for a logged-in user. Legacy .NET Framework project 4.7, ASP.NET MVC with Microsoft.OWIN packages. The login process appears to work OK. After an hour I get redirected to the Microsoft login page even when using the site. Sliding expiration does nothing. What settings or techniques do I change to make the session last longer?
The expected behaviour is that the session would be kept alive by using the site by navigating; even having a modal prompt to continue the session would work, without losing anything that is in progress by being redirected.
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            CookieManager = new SystemWebCookieManager(),
            SlidingExpiration = true
        });
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = AuthenticationConfig.Authority,
                Scope = $"openid email profile offline_access {graphScopes}",
                RedirectUri = redirectUri,
                PostLogoutRedirectUri = postLogoutRedirectUri,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer = true,
                    ValidIssuer = tenant,
                    NameClaimType = "name",
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                    SecurityTokenValidated = OnSecurityTokenValidated,
                    AuthenticationFailed = OnAuthenticationFailed,
                    AuthorizationCodeReceived = OnAuthorizationCodeReceived
                }
            });
    }
In the Startup class, try to use:
    Session.Timeout = <value in minutes>;
    UseTokenLifetime = false, // do this for ExpireTimeSpan to be respected
    ExpireTimeSpan = TimeSpan.FromMinutes(30);
Example:
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ...
        UseTokenLifetime = false,
        ...
    });
If SlidingExpiration is set to true. For example, if the user logged in and made a second request 19 minutes later, the cookie will be re-issued for another 30 minutes.
Try changing the session timeout value in web.config. For example, code in web.config under the <system.web> namespace:
    <sessionState timeout="<value in minutes>" />
In some cases, even when the session timeout is increased, the session will still expire. Some possible reasons might be: the session timeout should be less than the application pool idle timeout, so if you increase the session timeout, you have to increase the application idle timeout too. Otherwise, the application will get recycled, hence sessions will expire automatically. Note that if you use Forms Authentication, you'll need to increase the forms timeout too in web.config:
    <system.web>
      ...
      <authentication mode="Forms">
        <forms timeout="60"/>
      </authentication>
      ...
    </system.web>
Also please check Configure token lifetime if needed
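The settings suggested above, placed on the options objects they belong to, as an added example that is not code from the question or the answers. The appSettings keys are hypothetical, the trimmed scope and the omitted notifications are simplifications, and `CookieHttpOnly` / `CookieSecure` are additions that matter more once the cookie lives longer.

```csharp
using System;
using System.Configuration;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Hypothetical appSettings keys; replace with the project's own values.
    private static readonly string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string authority = ConfigurationManager.AppSettings["ida:Authority"];
    private static readonly string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieManager = new SystemWebCookieManager(),
            // Lifetime of the local session cookie. Only respected when
            // UseTokenLifetime is false on the OpenID Connect options below.
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            // Re-issue the cookie when a request arrives after more than half
            // of ExpireTimeSpan has elapsed (e.g. at minute 19 of 30).
            SlidingExpiration = true,
            // A longer-lived session cookie is a more valuable thing to steal:
            // keep it away from script and off plain HTTP.
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,
            Scope = "openid email profile",
            // Default is true, which ties the cookie to the ID token's
            // lifetime instead of ExpireTimeSpan / SlidingExpiration.
            UseTokenLifetime = false
        });
    }
}
```

Sliding renewal only happens on requests that pass through the cookie middleware, so an idle browser tab still expires after `ExpireTimeSpan`.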