I set my cookie to expire after 20 minutes if no activity occurs; this 20 minutes is the max limit I am allowed to set on my cookie auth token. The token refreshes, for example, when the user navigates from one page back to the home screen.
I have a problem where there is a particularly large form my users fill out, which can take > 20 minutes for the user to gather the data and fill out the form. After 1 hour, when a user completely fills out the form and hits save, they are hit with an auth expired error and lose their form's progress, which was an hour of work.
How I define my auth:
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Serilog; // Log.Information with a message template; assumed to be Serilog

internal static IAppBuilder AddAuthentication(this IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    return app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        CookieName = "MyApplication.Auth.Cookies",
        CookieSecure = CookieSecureOption.Always,
        CookieSameSite = SameSiteMode.Lax,
        // Sliding: the middleware re-issues the cookie on an authenticated request
        // once more than half of the lifetime has elapsed. It only ever sees
        // requests, so purely client-side activity never moves this window.
        SlidingExpiration = true,
        Provider = new CookieAuthenticationProvider
        {
            OnResponseSignIn = context =>
            {
                context.Properties.AllowRefresh = true;
                // 20 minutes is the maximum idle lifetime allowed for this cookie.
                context.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(20);
            },
            OnValidateIdentity = context =>
            {
                Log.Information("Cookie expiry: {expiry} for {url}", context.Properties.ExpiresUtc, context.Request.Uri);
                // The middleware already drops expired tickets before this callback runs;
                // this is an extra guard that re-challenges against the OpenID Connect provider.
                if (!(context.Properties.ExpiresUtc < DateTimeOffset.UtcNow)) return Task.FromResult(0);
                Log.Information("Cookie has expired: {expiry} at {utcNow}", context.Properties.ExpiresUtc, DateTimeOffset.UtcNow);
                context.OwinContext.Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
                return Task.FromResult(0);
            }
        }
    });
}
I am looking for any suggestions on how I can make this token refresh based on whether the user is actively clicking around and interacting with a form while they are not making any active calls to the backend.
Extra info: the app is a C# .NET 4.8 MVC app with a Vue/JS front end.
Active calls to the backend are needed
Authorization tokens are built so that they cannot be changed on the client side, and this is good for security reasons, which means that you will have to send a request from the client side once in a while to extend the expiry date of this token.
One question is: what type of token do you use? If you store client information on the server, I would not store the expiration date directly in the token; I would store it with the client information, assuming that you store information about the client using the token as a key. In that case, extending the validity would not be a problem.
I could also suggest using JWT (JSON Web Token), which could be more suitable for this purpose: all the basic data can be stored directly in the token, and a new one can be generated quickly without losing information when requesting to extend the expiry date of the token.
Check: JWT
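As an added example (not code from the question or the answer), this is the client-side "send a request once in a while" approach the answer describes, applied to the asker's long form: user activity triggers a throttled, authenticated request so the sliding cookie is re-issued only while someone is actually working, and the page is told if the session is already gone so a draft can be saved. The `/api/session/ping` endpoint and the 5-minute interval are assumptions; the endpoint only needs to be a cheap, authentication-protected action, because the cookie middleware does the sliding renewal on any authenticated request.

```javascript
// Added example, not the asker's or answerer's code. A browser cannot extend an
// HttpOnly auth cookie on its own; only an authenticated request lets the server
// re-issue it. This helper turns user activity into such requests, throttled so
// the backend is pinged at most once per interval and only while the user is
// actually interacting with the form.
// "/api/session/ping" is an assumed endpoint (any cheap [Authorize] action works).

function createKeepAlive({
  pingIntervalMs = 5 * 60 * 1000,   // assumed: 5 min, well under the 20-min idle limit
  now = () => Date.now(),           // injectable clock, so the logic is testable
  ping = () => fetch('/api/session/ping', { method: 'POST', credentials: 'same-origin' }),
  onExpired = () => {},             // called if the server reports the session is gone
} = {}) {
  let lastPingAt = now();           // the page load itself was an authenticated request
  let sent = 0;

  return {
    // Call from DOM listeners (input, keydown, click, ...). Returns true if a ping was sent.
    noteActivity() {
      const t = now();
      if (t - lastPingAt < pingIntervalMs) return false;   // throttle: a recent ping covers us
      lastPingAt = t;
      sent += 1;
      Promise.resolve(ping())
        .then((res) => { if (res && res.status === 401) onExpired(); })
        .catch(() => {});           // network blip: the next activity simply retries
      return true;
    },
    pingCount() { return sent; },
  };
}

// Browser wiring, guarded so the module also loads (and is testable) outside a browser.
if (typeof document !== 'undefined') {
  const keepAlive = createKeepAlive({
    onExpired: () => alert('Your session has expired; copy your draft before reloading.'),
  });
  for (const evt of ['input', 'change', 'keydown', 'click']) {
    document.addEventListener(evt, () => keepAlive.noteActivity(), { passive: true });
  }
}
```

Because the browser only asks the server to renew and never touches the cookie, the 20-minute idle limit still holds the moment the user stops interacting.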