2

I created a new ASP.NET MVC website using ASP.NET Identity. I'm using the standard logic generated by Visual Studio 2017, and I selected Individual User Accounts.

Everything works fine except that it seems to log me out within about 10 - 20 minutes of inactivity, and I'd like to stay logged in for longer than that.

After Googling around, I found information about setting CookieAuthenticationOptions.ExpireTimeSpan. However, using the debugger, I can see that this value is set to 14 days by default.

Startup.Auth.cs:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    },
    //SlidingExpiration = true,               // Default: true
    //ExpireTimeSpan = TimeSpan.FromHours(1)  // Default: 14 days
});

Web.Config:

<system.web>
  <authentication mode="None" />
  <compilation debug="true" targetFramework="4.6" />
  <httpRuntime targetFramework="4.5.2" executionTimeout="240" maxRequestLength="20480" />
  <httpModules>
    <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" />
  </httpModules>
  <customErrors mode="Off"></customErrors>
</system.web>
<system.webServer>
  <modules>
    <remove name="FormsAuthentication" />
    <remove name="ApplicationInsightsWebTracking" />
    <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
  </modules>
  <validation validateIntegratedModeConfiguration="false" />
  <security>
    <requestFiltering>
      <requestLimits maxAllowedContentLength="20971520" />
    </requestFiltering>
  </security>
</system.webServer>

So, does anyone know how to increase the amount of time before I get logged out due to inactivity?

Jonathan Wood

2 Answers

1

Did you log in with the isPersistent flag?

SignInManager.PasswordSignInAsync(string userName, string password, bool isPersistent, bool shouldLockout) 

You need to pass isPersistent = true to automatically log in again with the cookie data.

Your identity will be refreshed in SecurityStampValidator.OnValidateIdentity; if you get rejected here, then it will log you out.

I'd recommend implementing your own SecurityStampValidator and UserManager; then you can debug why it rejects you in OnValidateIdentity.

Also check your caching. Maybe you just have a caching issue and it just looks like you logged out because you're showing some "old" content.

  • I believe this flag corresponds to the *Remember me* check box. And yes, I've tried checking that. – Jonathan Wood Aug 25 '17 at 16:55
  • What happens if you set the "validateInterval:" to a few seconds? Does it log you out after that time? –  Aug 25 '17 at 16:59
  • It does not. Let me make sure I understand though: When you create an MVC app with Visual Studio 2017 using the *Individual User Accounts* setting, are you saying you can leave the computer inactive for, say, an hour or more, and when you refresh the page or click something you are still logged in? – Jonathan Wood Aug 25 '17 at 17:03
  • The expected behavior is: your sessions get thrown away by the server after the session timeout period. Which is 20 min by default. SecurityStampValidator.OnValidateIdentity() will refresh / create a new session as long as your cookie is valid. If you wanna kick a user out, you can update the SecurityStamp of the user. Then it won't match the user's Cookie/ClaimsIdentity SecurityStamp and he will be kicked out the next time OnValidateIdentity() runs. –  Aug 25 '17 at 17:49
  • But yes, to answer your question: You will be logged in as long as your cookie is valid. I'm usually still logged in when I continue my work after a few days. Maybe you can create a new project, see if it works as expected and then compare the two projects. Have you checked in the browser how long the cookies are valid? Also try different browsers. –  Aug 25 '17 at 18:30
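
One way to follow the debugging advice in the answer above, as an added example that is not part of the original answer or comments: a hypothetical AuthDiagnostics helper that wraps the template's security stamp validator and traces the cookie's lifetime at sign-in and at each validation. It assumes the project template's ApplicationUserManager and ApplicationUser types are in scope, and is used as `Provider = AuthDiagnostics.CreateProvider()` in Startup.Auth.cs.

```csharp
// Added example (hypothetical helper, not from the original post).
// Assumes the template's ApplicationUserManager / ApplicationUser are in scope.
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.Cookies;

public static class AuthDiagnostics
{
    public static CookieAuthenticationProvider CreateProvider()
    {
        // Same validator the Visual Studio template registers.
        Func<CookieValidateIdentityContext, Task> stampValidator =
            SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager));

        return new CookieAuthenticationProvider
        {
            // Runs when the cookie is issued: shows whether it is persistent
            // (isPersistent / "Remember me") and when the ticket expires.
            OnResponseSignIn = ctx => Trace.TraceInformation(
                "Sign-in {0}: persistent={1}, issued={2:u}, expires={3:u}",
                ctx.Identity.Name, ctx.Properties.IsPersistent,
                ctx.Properties.IssuedUtc, ctx.Properties.ExpiresUtc),

            OnValidateIdentity = async ctx =>
            {
                // Capture details first: a rejected identity is cleared from the context.
                string name = ctx.Identity != null ? ctx.Identity.Name : "(none)";
                DateTimeOffset? issued = ctx.Properties.IssuedUtc;
                DateTimeOffset? expires = ctx.Properties.ExpiresUtc;

                await stampValidator(ctx);

                if (ctx.Identity == null)
                    Trace.TraceWarning("Rejected {0}: cookie issued {1:u}, expires {2:u}",
                        name, issued, expires);
                else
                    Trace.TraceInformation("Validated {0}: cookie issued {1:u}, expires {2:u}",
                        name, issued, expires);
            }
        };
    }
}
```

If a logout happens and neither the "Rejected" nor the "Validated" line appears for that request, the cookie never reached validation (it was missing, expired, or could not be read), which points away from the security stamp check.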
0

This is configured in the web.config file as follows:

<system.web>
    <authentication mode="Forms">
        <forms loginUrl="~/SignIn/LoginPage" timeout="2880" defaultUrl="~/Pages/ServicesPage" />
    </authentication>
</system.web>

The timeout time is defined on the property timeout in milliseconds.

Luiz Paulo
  • Thanks, but Forms Authentication is the old way and ASP.NET Identity is the new way. Surely, the only answer can't be that I must do things the old way. – Jonathan Wood Aug 25 '17 at 16:40