ASP.NET Identity 2 Remember Me - User Is Being Logged Out
C

5

10

I am using Identity 2.1 in my MVC5 app. I am setting the isPersistent property of the PasswordSignInAsync to true to enable 'Remember Me':

var result = await SignInManager.PasswordSignInAsync(model.Username, 
  model.Password, 
  true, 
  shouldLockout: false);

But if I stay logged in overnight, then when I refresh the page in the morning, it logs me out and I have to sign in again. How do I prevent automatic logging out until the user manually logs out?

Is it something to do with the Cookie Authentication that identity uses? I don't really understand the CookieAuthenticationOptions that are set in Startup.Auth.cs.

new CookieAuthenticationProvider
{  
   OnValidateIdentity = SecurityStampValidator
      .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
      validateInterval: TimeSpan.FromMinutes(30),
      regenerateIdentity: (manager, user)
      => user.GenerateUserIdentityAsync(manager))
}
Cardinal answered 5/1, 2015 at 23:0 Comment(7)
validateInterval: TimeSpan.FromMinutes(30) means that the cookie is only valid for 30 minutes. So yeah, it will be expired by morning. – Fruity
Great, thanks. I wasn't sure if they were related. – Cardinal
@RhysStephens, did you get the answer you expected? Everyone said to change expireTimeSpan. I need our application to use expireTimeSpan, but if remember me is selected, then the token should not expire for any reason until the user manually logs out. – Buna
@JeevaJsb I want something like that as well, have you got the solution? – Diaz
The token expiry time cannot be modified as we do in the session. We can only renew the token manually. We have to do that with the "Refreshtoken" feature. But the tricky part here is that we need to refresh the token after some interval of time. That will help us keep the user active. Did you try this one? – Buna
bitoftech.net/2014/07/16/… – Buna
@ErikFunkenbusch validateInterval: TimeSpan.FromMinutes(30) means to validate the cookie every 30 minutes. It does NOT mean the cookie is valid for 30 minutes. Duration of cookie is controlled using ExpireTimeSpan. – Jugular
P
13

I think you should read this article. There are two different intervals: ValidateInterval and ExpireTimeSpan. And in your case I think you should change the ExpireTimeSpan, not the ValidateInterval.

Phenazine answered 16/4, 2015 at 8:14 Comment(1)
He is using cookie-based authentication. How can we do this for token-based authentication? – Buna
H
2

There is an explanation of the TimeSpan parameter in a similar question. Simply use the infinite cookies, like this:

OnValidateIdentity = SecurityStampValidator
  .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
  validateInterval: TimeSpan.FromMinutes(0),
  regenerateIdentity: (manager, user)
  => user.GenerateUserIdentityAsync(manager))

This is also needed for it to work correctly:

Call

await UserManager.UpdateSecurityStampAsync(userId);

before

AuthenticationManager.SignOut(); 
Hubby answered 5/1, 2015 at 23:29 Comment(10)
This is not working for me. It is still logging me out if I leave it overnight. OnValidateIdentity = SecurityStampValidator .OnValidateIdentity<ApplicationUserManager, ApplicationUser>( validateInterval: TimeSpan.FromDays(30), regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)) Which cookie is it supposed to be? – Cardinal
@RhysStephens in your code you are using the 30-day timeout. But this may not work as it beats some inner limitations. Try to use an exactly zero-based TimeSpan. – Hubby
I'll try it out. It's a bit clunky to have to do it this way. – Cardinal
This means that the user can never log out, as per the similar answer you mentioned in your answer. Which means I can't set it to zero. – Cardinal
@RhysStephens Then I don't understand what exactly you want. – Hubby
Well, the user still needs to have the option to log out. They should be able to stay logged in if they want to, but can choose to log out whenever they want. – Cardinal
@RhysStephens The session in this case will end after the user logs out manually. – Hubby
It doesn't though, as per the linked pages' explanation. It seems to be a problem with Identity 2. – Cardinal
I have set it to 0 and ExpireTimeSpan to one min. Then I left the application idle for 2 mins. Then I clicked something, and the application got logged out. – Buna
Thank you for the comment, please see the @Phenazine answer. – Hubby
O
0

From this post, the isPersistent parameter sets whether the authentication session is persisted across multiple requests.

Officialese answered 21/9, 2017 at 1:47 Comment(0)
P
0

I had this issue. It was caused by my custom UserStore not implementing IUserSecurityStampStore.

public Task<string> GetSecurityStampAsync(IdentityUser user)
{
    return Task.FromResult<string>(user.SecurityStamp);
}

Without a security stamp the SecurityStampValidator has nothing to validate and so logs out the user.

Pearse answered 17/7, 2020 at 8:24 Comment(0)
P
-1

I should write more. This strange code:

OnValidateIdentity = SecurityStampValidator
  .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
  validateInterval: TimeSpan.FromMinutes(0),
  regenerateIdentity: (manager, user)
  => user.GenerateUserIdentityAsync(manager))

was causing my app to lose the cookie after 1 day. I really don't know why, but after excluding this code and adding a machine key to my web.config, the "remember me" feature is finally working right.

My current code is:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
   AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
   LoginPath = new PathString("/Account/Login"),
   ExpireTimeSpan = TimeSpan.FromDays(5)
});
Phenazine answered 28/4, 2015 at 7:58 Comment(0)
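
The two intervals discussed in this thread can be set side by side, as in the following added example (not code from any poster in the thread). Dropping OnValidateIdentity entirely means the cookie is never checked against the user store, so a password change no longer revokes cookies that were already issued; this version keeps the validator and sets the cookie lifetime separately. ApplicationUserManager and ApplicationUser are the MVC5 template types named in the question, and the 14-day, 30-minute and HTTPS-only values are assumptions.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example for Startup.Auth.cs. Assumes the MVC5 template's
// CreatePerOwinContext<ApplicationUserManager>(...) registration runs before
// this call, because the validator resolves the manager from the OWIN context.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            // How long a ticket is valid. With isPersistent: true the browser
            // cookie carries the same expiry, so it survives a browser restart.
            ExpireTimeSpan = TimeSpan.FromDays(14),   // assumed value (also the default)

            // Re-issue the cookie with a fresh expiry when a request arrives
            // after more than half of ExpireTimeSpan has elapsed.
            SlidingExpiration = true,

            // A long-lived cookie should never travel over plain HTTP.
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always, // assumes an HTTPS-only site

            Provider = new CookieAuthenticationProvider
            {
                // How often the security stamp inside the cookie is compared
                // with the one in the user store. A mismatch rejects the cookie;
                // a match regenerates the identity. This is not the cookie lifetime.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30), // assumed value
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

With this configuration a call to UpdateSecurityStampAsync invalidates outstanding cookies within one validateInterval, while AuthenticationManager.SignOut() still removes the cookie from the current browser immediately.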
