.NET Core 2 CookieAuthentication ignores expiration time span
I'm working on a .NET Core 2.1 Web application with CookieAuthentication. For some reason setting the ExpireTimeSpan and Cookie.Expiration on the CookieAuthenticationOptions object doesn't have an effect on the Cookie lifetime. Chrome always displays the same expiration date of 1969-12-31T23:59:59.000Z. So after closing the browser window the cookie is gone.
Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddDistributedMemoryCache();
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options =>
{
options.LoginPath = new PathString("/Account/Login/");
options.AccessDeniedPath = new PathString("/Account/Login/");
options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
options.Cookie.Expiration = TimeSpan.FromDays(14);
options.ExpireTimeSpan = TimeSpan.FromDays(14);
});
services.AddMvc(options =>
{
options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});
services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseBrowserLink();
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
}
var provider = new FileExtensionContentTypeProvider();
provider.Mappings[".tag"] = "riot/tag";
app.UseStaticFiles(new StaticFileOptions()
{
ContentTypeProvider = provider
});
app.UseAuthentication();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
On SignIn I'm using this code
ClaimsPrincipal user = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, userId.Value.ToString()) }, CookieAuthenticationDefaults.AuthenticationScheme));
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, user);
I've tried putting services.AddMvc before services.AddAuthentication but it doesn't make a difference. I've also tried services.ConfigureApplicationCookie after services.AddAuthentication like in this answer Cookie expiry in ASP.NET Core 2.0 with Identity
What am I missing?
Answer
The expiration date in Chrome represents the lifetime of the cookie in the browser not the timeout of the token. When using Identity Server 4 with ASP.NET Identity it is the cookie timeout of the Identity Server that comes into play here. After the client token expires the user is re-authenticated against Identity Server and since that token has not expired the client token is renewed. To set the expiration time on the Identity Server you must add the ConfigureApplicationCookiemiddleware in the Identity Server Startup.cs as follows:
services.AddAuthentication();
services.ConfigureApplicationCookie(options =>
{
options.Cookie.Expiration = TimeSpan.FromDays(14);
options.ExpireTimeSpan = TimeSpan.FromDays(14);
options.SlidingExpiration = false;
});
services.AddMvc().SetCompatibilityVersion(Microsoft.AspNetCore.Mvc.CompatibilityVersion.Version_2_1);
Update for .net core 3.1 (cooke.expiration no longer required as a separate option):
services.AddAuthentication();
services.ConfigureApplicationCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromDays(14);
options.SlidingExpiration = false;
});
services.AddMvc();