As authentication has no cleanup on timeout, there is no notion of idle timeout. The session idle timeout, purges session, so it’s empty, even if the session cookie is passed in the future. To do the same for authentication requires adding a last accessed
column to the user record, and updating it on every request. Then the authentication logic would check this column for a idle timeout on every request. This of course would make authentication slower, and more expensive, but easily doable.
Member
37 Points
237 Posts
Cookie on timeout on Idle asp.net 3.0 for web app
Nov 13, 2019 01:25 PM|Ndamu|LINK
Hi Guys,
I want to find out if there is a way to timeout the cookie if the state of the app is idle, like similar to a session as code example below :
services.AddSession(options => { options.IdleTimeout = TimeSpan.FromMinutes(1); //options.Cookie.IsEssential = true; //options.Cookie.HttpOnly = true; });I have the following code as below, but as I understand this only expires the cookie regardless of idle or not
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) .AddCookie(options => { options.ExpireTimeSpan = TimeSpan.FromMinutes(1); options.LoginPath = "/Account/Login"; options.Cookie.IsEssential = true; options.Cookie.Expiration = TimeSpan.FromMinutes(1); //options.Cookie.HttpOnly = true; });Is there a cookie : options.IdleTimeout
Please assist.
Thank you in advance.
Regards,
Ndamu
All-Star
45061 Points
19454 Posts
Re: Cookie on timeout on Idle asp.net 3.0 for web app
Nov 13, 2019 02:17 PM|mgebhard|LINK
Set the sliding expiration to true.
https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.cookies.cookieauthenticationoptions.slidingexpiration?view=aspnetcore-3.0
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-3.0
All-Star
54284 Points
13661 Posts
Re: Cookie on timeout on Idle asp.net 3.0 for web app
Nov 13, 2019 03:22 PM|bruce (sqlwork.com)|LINK
As authentication has no cleanup on timeout, there is no notion of idle timeout. The session idle timeout, purges session, so it’s empty, even if the session cookie is passed in the future. To do the same for authentication requires adding a last accessed column to the user record, and updating it on every request. Then the authentication logic would check this column for a idle timeout on every request. This of course would make authentication slower, and more expensive, but easily doable.