Syncing OWIN Cookie Expiration (sliding) and session timeout
Question
Background
I have a semi-single-page application (all server interaction after login takes place on one page via ajax calls) that uses both session storage and OWIN cookie authentication. Both session and cookie expiration are set to 15 minutes and the cookie is configured to use sliding expiration.
On every server interaction, a timer on the client is reset back to 15 minutes. If no activity is recorded for 14 minutes, a modal is displayed with a ticker alerting the user that the session will timeout soon.
Issue
We are running into an issue where in certain cases our session is outliving the OWIN cookie.
Per the CookieAuthenticationOptions class:
The SlidingExpiration is set to true to instruct the middleware to re-issue a new cookie with a new expiration time any time it processes a request which is more than halfway through the expiration window .
We have the scenario where users use the application prior to "half way through the expiration window”, then let the application sit idle for a few minutes. When the users see the session expiration notification, they try to renew their sessions. But since the OWIN cookie was never renewed, the app times out and redirects them to the login page (prematurely based on what the expiration notification says).
This support article illustrates our situation exactly:
Let us take an example: If the logon page is accessed at 5:00 00:00:00 PM, it should expire at 5:10 00:00:00 PM if the timeout attribute is 10 and the slidingExpiration attribute is set to TRUE. Now, if any Web page is browsed again at 5:05 00:00:00 PM, the cookies and ticket time-out period will be reset to 5:15 00:00:00 PM.
Note If the Web page is accessed before half of the expiration time passes, the ticket expiration time will not be reset. Fore example, if any Web page is accessed again at 5:04 00:00:00 PM, the cookies and ticket timeout period will not be reset.
Question/Comments
Has anyone ever run into this before? How do we avoid it? Adjusting the OWIN timeout only prolongs the issue.
I can't help to think that this is either a terrible design flaw in the OWIN framework, OR we are not using it correctly.
Any help is appreciated. Thanks.
1 answers
solution1
2 ACCPTED
The solution we ended up implementing was a work-around with our keep-alive logic. I really wish they would have implemented the "sliding expiration" in more of a traditional sense, but this will have to do for now.
Solution:
Only send keep-alive requests to the server until AFTER half of the OWIN cookie life passes. When the keep-alive is sent, the cookie will be renewed and this keeps the session and cookie timeout in sync.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.