c# - Session logged out too soon

Question

I'm using ASP.NET Core 2.1 with Microsoft Identity and users are complaining that they keep getting redirected to the login screen after only around 30 minutes of inactivity. I've set it up with 60 minutes in the ExpireTimeSpan, but it's never lasting anywhere near that long. Any suggestions?

This is what I have in the Startup.cs file:

public void ConfigureServices(IServiceCollection services)
{
    services.AddScoped<IRFDbRepository, RFDbRepository>();
    var connection = _configuration.GetConnectionString("RFDbConnection");
    services.Configure<ConnectionStrings>(_configuration.GetSection("ConnectionStrings"));
    services.AddDbContext<IdentityDbContext>(options => options.UseSqlServer(connection));
    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1).AddRazorPagesOptions(options =>
    {
        options.AllowAreas = true;
        options.Conventions.AuthorizeAreaPage("Identity", "/Account/Logout");
    });

    services.AddIdentity<User, UserRole>().AddDefaultTokenProviders();
    services.AddTransient<IUserStore<User>, UserStore>();
    services.AddTransient<IRoleStore<UserRole>, RoleStore>();

    services.ConfigureApplicationCookie(options =>
    {
        options.LoginPath = "/Identity/Account/Login";
        options.LogoutPath = "/Identity/Account/Logout";
        options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
        options.SlidingExpiration = true;
    });
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IRFDbRepository rFDbRepository)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
    }

    loggerFactory.AddFile(_configuration.GetValue<string>("Logging:LogFile"));
    app.UseStaticFiles();

    app.UseAuthentication();

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
        routes.MapRoute(
            name: "ActionApi",
            template: "api/{controller}/{action}/{id?}");
    });
}

Answer 1

I've finally found the root of this problem.

There is an issue with Identity in ASP.NET Core 2.1 whereby if you have implemented your own version of the UserStore but not IUserSecurityStampStore, most functionality regarding security stamps will be skipped.

When you call AddIdentity() it does a validation check on the securityStamp every 30 minutes.

This results in the confusing behaviour that the user is logged out after 30 minutes, even though the cookies did not expire.

There is a fix for this coming in ASP.NET Core 2.2 apparently, further details here

https://github.com/aspnet/Identity/issues/1880

In the meantime, you can either get your UserStore to implement IUserSecurityStampStore, or do what I did as a quick fix for now, by adding this to your startup.cs which increases the time between failures from 30 minutes to 10 hours.

services.Configure(o => o.ValidationInterval = TimeSpan.FromHours(10));