Member
8 Points
13 Posts
How long will my user be authenticated?
Jun 24, 2020 01:46 PM | william12512512
Hello. I am authenticating my users with OpenIDConnect Owin, Azure AD Microsoft login.
I would like to know how long Request.IsAuthenticated with Owin Middleware will return true after a user has logged in with Microsoft.
Is this linked to the expiration time of the ID-token? If so, can I change the expiration time somehow?
All-Star
53691 Points
24031 Posts
Re: How long will my user be authenticated?
Jun 24, 2020 02:14 PM | mgebhard
Once the user authenticates with the authentication server, the browser is redirected back to your site. Your configuration sets the authentication cookie timeout and from that point on your site, not Azure AD, validates the authentication cookie.
Your login logic determines if the cookie persists or expires when the browser closes. You can configure a sliding expiration and the ExpireTimeSpan setting in your OWIN startup configuration.
General configuration with example code.
https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp
Cookie options, which include the ExpireTimeSpan setting.
https://docs.microsoft.com/en-us/previous-versions/aspnet/dn385599(v%3Dvs.113)
https://docs.microsoft.com/en-us/previous-versions/aspnet/mt152258%28v%3dvs.113%29
https://forums.asp.net/t/2119940.aspx?What+is+default+timeout+value+for+CookieAuthenticationOptions+in+asp+net+core+MVC
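As an added example (not code from the reply above or from the linked docs), an OWIN Startup that sets the site-side cookie lifetime the reply refers to; ClientId, Authority and RedirectUri are placeholders. One caveat the reply does not mention: OpenIdConnectAuthenticationOptions.UseTokenLifetime defaults to true, and with that default the cookie expires with the ID token's exp claim rather than with ExpireTimeSpan.

```csharp
using System;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp
{
    public class Startup
    {
        // Placeholders: take the real values from the Azure AD app registration.
        private const string ClientId = "<application-client-id>";
        private const string Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0";
        private const string RedirectUri = "https://localhost:44300/";

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                // Site-side session length: Request.IsAuthenticated stays true while
                // this cookie validates, whatever Azure AD's own SSO session does.
                ExpireTimeSpan = TimeSpan.FromMinutes(20),
                // true: any request inside the window renews the cookie.
                // false: hard timeout measured from the moment of sign-in.
                SlidingExpiration = true,
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = Authority,
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = RedirectUri,
                ResponseType = "id_token",
                Scope = "openid profile",
                // Default is true, which ties the cookie's expiry to the ID token's
                // "exp" claim and quietly overrides ExpireTimeSpan above.
                UseTokenLifetime = false
            });
        }
    }
}
```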
Member
8 Points
13 Posts
Re: How long will my user be authenticated?
Jun 24, 2020 03:11 PM | william12512512
Thank you. When I try to add
to my Startup.cs above my
I try to log in with Microsoft. Then I try refreshing my site after 5 seconds. It still keeps me authenticated, however. Request.IsAuthenticated() keeps returning true.
All-Star
53691 Points
24031 Posts
Re: How long will my user be authenticated?
Jun 24, 2020 03:24 PM | mgebhard
It is typical for a remote authentication server to set a cookie as well. When the site authentication cookie expires, the browser is redirected to the remote authentication server. The remote server finds the cookie it set when the user logged in and redirects back to your site.
This would be a configuration setting on Azure AD. From the docs... https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes
Azure AD uses two kinds of SSO session tokens: persistent and nonpersistent. Persistent session tokens are stored as persistent cookies by the browser. Nonpersistent session tokens are stored as session cookies. (Session cookies are destroyed when the browser is closed.) Usually, a nonpersistent session token is stored. But, when the user selects the Keep me signed in check box during authentication, a persistent session token is stored.
Nonpersistent session tokens have a lifetime of 24 hours. Persistent tokens have a lifetime of 90 days. Anytime an SSO session token is used within its validity period, the validity period is extended another 24 hours or 90 days, depending on the token type. If an SSO session token is not used within its validity period, it is considered expired and is no longer accepted.
You can use a policy to set the time after the first session token was issued beyond which the session token is no longer accepted. (To do this, use the Session Token Max Age property.) You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials, instead of being silently authenticated, when using a web application.
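Added example (not from the post or from the Microsoft docs quoted above): the application-side counterpart to the tenant policy described, so the app itself decides when Azure AD must ask for credentials again instead of silently re-signing the user from its SSO cookie. The controller is hypothetical; prompt=login is the standard OpenID Connect request parameter.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

// Hypothetical controller for illustration.
public class AccountController : Controller
{
    private const string ForceLoginKey = "force_login";

    // Normal sign-in: Azure AD may satisfy this silently from its own SSO cookie.
    public void SignIn(bool rememberMe = false) => Challenge(rememberMe, forceLogin: false);

    // Sign-in that always shows the Microsoft credential prompt.
    public void SignInFresh(bool rememberMe = false) => Challenge(rememberMe, forceLogin: true);

    private void Challenge(bool rememberMe, bool forceLogin)
    {
        var props = new AuthenticationProperties
        {
            RedirectUri = "/",
            // Browser-session vs persistent site cookie is chosen per sign-in here.
            IsPersistent = rememberMe
        };
        if (forceLogin) props.Dictionary[ForceLoginKey] = "true";
        HttpContext.GetOwinContext().Authentication.Challenge(props,
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }

    // Assign to OpenIdConnectAuthenticationOptions.Notifications.RedirectToIdentityProvider
    // in Startup. Reads the flag set on the challenge and adds prompt=login to the
    // authorization request, which tells Azure AD to ignore its SSO session.
    public static Task OnRedirectToIdentityProvider(
        RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        var challenge = n.OwinContext.Authentication.AuthenticationResponseChallenge;
        string force;
        if (challenge != null
            && challenge.Properties.Dictionary.TryGetValue(ForceLoginKey, out force)
            && force == "true")
        {
            n.ProtocolMessage.Prompt = "login";
        }
        return Task.FromResult(0);
    }
}
```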
Member
8 Points
13 Posts
Re: How long will my user be authenticated?
Jun 25, 2020 08:57 AM | william12512512
Thank you. That makes sense.
So, just to see if I understand correctly: if I log in to my application without closing my browser for 24 hours, then after 24 hours refresh my site and my code checks Request.IsAuthenticated, it will return false?
Because right now, it doesn't seem to save IsAuthenticated, just skips the Microsoft login process when I click my "Login with Microsoft" button.
Contributor
4040 Points
1568 Posts
Re: How long will my user be authenticated?
Jun 26, 2020 07:11 AM | yij sun
Hi william12512512,
As far as I think, your thinking is right. When the site authentication cookie expires, the browser is redirected to the remote authentication server.
Best regards,
Yijing Sun