Last post Jul 13, 2017 03:49 PM by neptunecentury
Jun 30, 2017 08:19 PM|neptunecentury|LINK
We are adding Two-Factor authentication in our app using ASP.NETIdentity Framework, and want to know how long the remember browser cookie lasts? I have read some places that say 2 weeks and other say 30 days.
What is the default time and is there a way to change it?
Jul 04, 2017 02:22 AM|Cathy Zou|LINK
As far as I know. ASP.NET Identity uses OWIN middleware for cookie-based authentication. We need to configure the OWIN cookie middleware to store a two-factor authentication cookie in the request. The cookie middleware in the application is configured during
application start via the ConfigureAuth method in Startup.Auth
You also could check the following links:
Jul 13, 2017 12:17 PM|neptunecentury|LINK
I decided to try and find the expiration time. Using Chrome, I inspected the cookie created when signing in with two-factor auth, and noted that the expire time was exactly 14 days from the date it was created. So, the remember browser cookie lasts 14 days
So, what I would like to do is change that to 30 days.
The link posted by Cathy Zou, https://stackoverflow.com/questions/37086645/how-to-set-asp-net-identity-cookies-expires-time only discusses how to
change the "remember me" cookie for persistence. Unfortunately, it does not work for the remember browser cookie generated by using 2FA. We already have a custom expire time set to 90 days, in the CookieAuthenticationOptions, but this does
not change the expire time for UseTwoFactorRememberBrowserCookie
Any ideas on how I can achieve this?
Jul 13, 2017 03:49 PM|neptunecentury|LINK
After looking through the source code of the Identity framework,, I found a way to achieve what I wanted.
Internally, UseTwoFactorRememberBrowserCookie does something like this:
Private Const CookiePrefix = ".AspNet."
' Use a cookie to remember the browser
Dim rememberBrowserCookieType = DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie
' Do this for remember browser, because internally, it does the same thing, but omits the expire time.
' Here we will set the expire time
app.UseCookieAuthentication(New CookieAuthenticationOptions With
.AuthenticationType = rememberBrowserCookieType,
.AuthenticationMode = AuthenticationMode.Passive,
.CookieName = CookiePrefix + rememberBrowserCookieType,
.ExpireTimeSpan = TimeSpan.FromDays(30)
Using the above code, I can set the expire time to 30 days. It would be nice if the built-in extension method had an overload or an optional parameter to pass in an expire time, like some other methods do. (hint
Here's a reference to the source: