
ASP.Net External Cookie with Sliding Expiration appearing as a Session cookie

I am trying to configure a sliding expiration cookie in Asp.Net. I am expecting the cookie to appear in the Google Chrome developer tools cookie manager with an expiration date 5 minutes after authentication, but it shows as "Session" and never expires until the sign-out button is clicked. It does go away if the browser is closed.

Cookie is always set as a session cookie

Below is the code as it currently stands. The website uses SAML-based Single-Sign-On authentication with the Kentor.AuthServices NuGet package (now known as SustainSys.Saml2; we are behind in versions).

app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/signin"),
    CookieSecure = CookieSecureOption.SameAsRequest,
    ExpireTimeSpan = TimeSpan.FromMinutes(5),
    SlidingExpiration = true,
    Provider = new CookieAuthenticationProvider
    {
        OnApplyRedirect = ctx => { },
        OnResponseSignIn = context =>
        {
            context.Properties.AllowRefresh = true;
            context.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(5);
        }
    }
});

app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

Kentor.AuthServices.Configuration.Options.GlobalEnableSha256XmlSignatures();

The OnResponseSignIn block was recently added based on this MSDN answer: https://forums.asp.net/t/2121970.aspx?OWIN+Authentication+ExpireTimeSpan+not+working

I want the cookies to expire in a 30-minute inactive period. The above code is set to 5 for ease of testing.

The developer tools show the cookie expiration time. This is not directly related to the authentication token expiration time, which should in fact be correct for your code too.

As indicated by this comment: "The expiration information is stored in the protected cookie ticket". The token expiration time should take effect properly, even if you cannot see it in the developer tools, as it's encrypted inside the cookie itself.
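
The distinction drawn in the answer above can be checked server-side. The following is an added example, not code from the original post or from the Katana or Kentor projects: it logs the expiry carried inside the protected ticket on each authenticated request, and shows the one property that makes the OWIN cookie middleware also write a browser-visible `Expires` attribute. The `Trace` call and the decision to set `IsPersistent` are illustrative assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/signin"),
            CookieSecure = CookieSecureOption.SameAsRequest,
            ExpireTimeSpan = TimeSpan.FromMinutes(5),
            SlidingExpiration = true,
            Provider = new CookieAuthenticationProvider
            {
                OnResponseSignIn = context =>
                {
                    // The middleware only emits an Expires attribute on the
                    // cookie when the sign-in is persistent. Without this the
                    // browser lists the cookie as "Session", while the ticket
                    // inside it still expires after ExpireTimeSpan.
                    // Trade-off: a persistent cookie survives a browser close.
                    context.Properties.IsPersistent = true;
                },
                OnValidateIdentity = context =>
                {
                    // Runs on each request whose ticket is still valid; expired
                    // tickets are rejected by the middleware before this point.
                    // With SlidingExpiration the logged expiry moves forward
                    // when a request arrives in the second half of the window.
                    Trace.TraceInformation(
                        "Auth ticket for {0}: issued {1:o}, expires {2:o}",
                        context.Identity.Name,
                        context.Properties.IssuedUtc,
                        context.Properties.ExpiresUtc);
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```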
