CookieAuthenticationOptions, ExpireTimeSpan does not work
T

3

31

I have the following code:

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            ExpireTimeSpan = System.TimeSpan.FromMinutes(1),
            LoginPath = new PathString("/Account/Login"),
            LogoutPath = new PathString("/Account/LogOff")
        });
    }

But the login session stays active for more than 1 minute. Also, LogoutPath is not called when the time has expired. Why?

Terranceterrane answered 26/11, 2013 at 19:16 Comment(0)
C
35

It does expire.

Make sure you do not have any background ajax activity as it extends the session (SlidingExpiration is true by default).

Also I had to manually delete the old cookie after I changed ExpireTimeSpan from the default 14 days to a smaller value.

Colan answered 28/11, 2013 at 7:8 Comment(6)
Deleting the cookies is what did it. - Goop
@Adas Petrovas where did you find these defaults, please? - Overton
I found it in the Katana source code. See line 24: CookieAuthenticationOptions.cs - Colan
Note that though the cookie itself is set to session expiration (expires only on browser closure), the expiration information is in the protected ticket itself (inside the cookie), thus the ticket could expire if the ExpireTimeSpan has passed, though the cookie didn't expire. - Decapitate
@Decapitate Could you elaborate on this please? When I view the cookie info in Chrome console, it always tells me Expires: Session, regardless of whatever value I set in ExpireTimeSpan. Basically I want the cookie to stick around and not expire on session. - Interchangeable
Never mind, I realised you have to also set IsPersistent = true when signing in: context.OwinContext.Authentication.SignIn(new AuthenticationProperties() { IsPersistent = true }, cookieIdentity);. - Interchangeable
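
An added example, not code from any poster in this thread: an OWIN (Katana) setup that pulls together the points raised in the answer and comments above, namely the ticket lifetime, sliding renewal, and persistent versus session cookies. The Startup class layout, the SignInHelper class and the rememberMe parameter are assumptions made for illustration.

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            // Lifetime written into the protected ticket; enforced server-side
            // even when the browser shows the cookie as "Expires: Session".
            ExpireTimeSpan = TimeSpan.FromMinutes(1),
            // Defaults to true: a request arriving past the halfway point of the
            // window (background AJAX included) reissues the ticket and restarts
            // the clock. false gives a fixed lifetime counted from sign-in.
            SlidingExpiration = false,
            CookieHttpOnly = true,                    // keep the cookie away from script
            CookieSecure = CookieSecureOption.Always, // only send it over HTTPS
            LoginPath = new PathString("/Account/Login"),
            LogoutPath = new PathString("/Account/LogOff")
        });
    }
}

// Hypothetical helper, not part of OWIN or ASP.NET Identity.
public static class SignInHelper
{
    public static void SignIn(IOwinContext context, ClaimsIdentity identity, bool rememberMe)
    {
        var properties = new AuthenticationProperties
        {
            // true: the cookie gets an Expires date matching the ticket expiry.
            // false: browser-session cookie; the ticket inside still expires.
            IsPersistent = rememberMe,
            // Per-ticket opt-out of sliding renewal, whatever the global option says.
            AllowRefresh = false
        };
        context.Authentication.SignIn(properties, identity);
    }
}
```

Cookies issued before a change to these options keep the expiry they were created with, so sign out or delete the old cookie before checking the new behaviour.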
C
11

You must set IsPersistent to true, otherwise you don't run code:

    // Claims is the claim collection built by the caller.
    ClaimsIdentity claimsIdentity = new ClaimsIdentity(Claims, CookieAuthenticationDefaults.AuthenticationScheme);

    // IsPersistent = true issues a persistent cookie (with an Expires date)
    // instead of a browser-session cookie.
    var authProperties = new AuthenticationProperties
    {
        IsPersistent = true
    };

    await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(claimsIdentity), authProperties);

Charnel answered 27/3, 2019 at 10:2 Comment(0)
M
1

I'm posting this here because it took me ages to find and this post comes up every time I searched for the problem, so hopefully this helps someone else.

I was using .NET Framework 4.8 and OWIN, so my sign-in function call looked like:

    public virtual Task SignInAsync(
        TUser user,
        bool isPersistent,
        bool rememberBrowser
    )

see: https://learn.microsoft.com/en-us/previous-versions/aspnet/mt173757(v=vs.108)

I wasn't using the built-in 2FA but was still setting rememberBrowser = true, and no matter what I did the ExpireTimeSpan was ignored and it used the default of +14 days.

Once I set rememberBrowser = false everything worked as expected.

I hope this saves someone else the entire day of googling and randomly changing stuff this cost me!

Mitigate answered 2/11, 2022 at 16:1 Comment(0)
