Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
501 views
in Technique[技术] by (71.8m points)

c# - Asp.net Identity Expire Session Cookie

We are using MVC 5.2 and the ASP.NET Identity framework for authentication with a form authentication screen (user&password combo) and identity is persisted using a cookie. I have configuration in my startup method for the Identity framework to set the expiration on the authentication cookie to 30 days, this works just fine when the user selects to 'remember me' (IsPersistent = true). When IsPersistent = false (user elects not to select 'Remember me') a Session cookie is created by default. This session cookie works great in Internet Explorer and also FireFox, when the browser is closed the cookie is lost. In Chrome and Safari (and maybe other browsers too) there are options to ensure that session cookies are not lost, in this case the user stays logged in even when the browser is closed and re-opened.

I would like a work around to ensure that session cookies are not persisted forever but are discarded within an hour. I might be able to realize this by checking if the account is not active for X minutes/hours and the user never chose for 'Remember Me' then the users identity is 'rejected' with the next request if that time span elapses.

Has anyone created a work around in their ASP.NET Identity implementation to ensure that session cookies are expired on the back end after X time or maybe there is a better way to work around this limitation? Maybe it is possible to do this using a custom implementation of the CookieAuthenticationProvider or hand an expiration date/time to the user claim which can be checked somewhere in the ValidateIdentity process?

Any ideas would be great. Thank you in advance, -Igor

Edit - more information: My authentication implementation has 2 basic "modes" (can't think of a better word at the moment). My implementation is for a simple username/password form with a checkbox 'remember me'. The checkbox value is passed to the IsPersistent property of the AuthenticationProperties object which is passed to the AuthenticationManager::SignIn method.

  1. User wants to 'remember me' which creates a long lived cookie with an expiration of 30 days set using a sliding expiration. This enables the user to stay authenticated between browser sessions and there is no time out due to inactivity with the exception of not visiting the site for longer than 30 days. The settings in my owin startup method reflect that the expiration time for the cookie is 30 days (CookieAuthenticationOptions.ExpireTimeSpan set to 30 days). This works regardless of browser platform (as far as I can tell).

  2. User does not want to 'remember me', what the expected behavior should be is a session cookie is created and when a browser is closed the session cookie is removed from the browser. This should ensure that the next time the browser is started the user is not authenticated. This is especially important when a shared device is being used like a public computer. The problem is not all browsers always delete session cookies, some leave them on purpose if a browser setting is enabled (Chrome is a good example). A session cookie does not have an expiration date/time so CookieAuthenticationOptions.ExpireTimeSpan has no affect here. This is where I am looking for advice as I am sure I can't be the first one who has come across this. There is probably a way to make this behavior more secure as the alternative is to do nothing and possibly leave a session cookie (which never expires!) on the browser.

See this link for more detail on Chrome and session cookies.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Identity already embeds expiry time in the cookie data and it is checked by OWIN.

To limit cookie life set ExpireTimeSpan to an hour in ConfigureAuth method in Startup.Auth.cs:

public void ConfigureAuth(IAppBuilder app)
{
    // other stuff
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        ExpireTimeSpan = TimeSpan.FromHours(1),
    });            
}

This will make sure cookies will expire in an hour.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...