Last post Sep 15, 2020 09:45 PM by bruce (sqlwork.com)
Sep 15, 2020 08:50 PM|Mayurib
I have developed an ASP.NET MVC application with Azure Active Directory authentication for application users. What is the default AAD authentication session timeout, and how can I increase it so that users can stay logged in to the application for a longer time?
The application contains one form with a lot of input fields on it, and when a user fills in all the fields and tries to save the data after 1-2 hours, a timeout occurs and all the data is lost. How can I handle this by increasing the user session/application session?
I have already set the session timeout in the web.config file, and also set ExpireTimeSpan = TimeSpan.FromHours(5.0) and false in the authentication configuration in the startup.auth.cs file. But it is still not working. Am I missing anything? How do we configure RefreshTokens? Do I need to do any configuration at the AD level?
Sep 15, 2020 09:45 PM|bruce (sqlwork.com)
It's more complicated. The AD login is independent from your site.
Your site has an authentication cookie. When it expires, your site redirects to the AD site (which has its own cookie). If the AD cookie is expired, the user logs in again. Once logged in to the AD site via the cookie or login, the AD site redirects back to your site with a query string token. Your site verifies the token, creates a new authentication cookie, and redirects back to the original page.
You control how long your site's cookie lasts before expiring. The Azure AD administrator controls how long the AD cookie lasts.
The rules are different for JWT tokens. The AD site gives an access token for your site (good for an hour by default) and an optional refresh token (72 hours to 90 days). If you have a refresh token, you can get a new access token. JWT tokens are used for Web API, not web pages, as browsers don't support them.
ASP.NET session is different from authentication. It has its own cookie and expiration. Also, if it is an in-proc session, it's lost on an idle timeout no matter the cookie timeout.
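
The site-controlled cookie lifetime described in the answer above, as an added example that is not part of the original thread or either poster's code. It assumes the OWIN/Katana cookie and OpenID Connect middleware; the client ID, tenant and redirect URI are placeholders, and `UseTokenLifetime` is a middleware option not mentioned in the thread.

```csharp
// Startup.Auth.cs (OWIN/Katana). Added illustration, not code from the thread.
// ClientId, tenant and redirect URI are placeholders; the 5-hour value is the
// one quoted in the question.
using System;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(
            CookieAuthenticationDefaults.AuthenticationType);

        // The site's own authentication cookie: the lifetime the site controls.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            ExpireTimeSpan = TimeSpan.FromHours(5.0),
            // Reissue the cookie on requests made past the halfway point of
            // its lifetime, so an active user is not cut off.
            SlidingExpiration = true,
            CookieHttpOnly = true,                    // not readable from script
            CookieSecure = CookieSecureOption.Always  // sent over HTTPS only
        });

        // The redirect to Azure AD and validation of the returned token.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<application-client-id>",                        // placeholder
            Authority = "https://login.microsoftonline.com/<tenant-id>", // placeholder
            RedirectUri = "https://localhost:44300/",                    // placeholder
            // Default is true: the cookie ticket then takes its expiry from
            // the ID token's validity period and ExpireTimeSpan is ignored.
            UseTokenLifetime = false
        });
    }
}
```

Sliding expiration only renews the cookie when a request reaches the server, so a user typing into a form without submitting does not extend it. The `sessionState` timeout in web.config remains a separate setting from both cookies.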