vlad created
I am trying to make sure that the session is expired after a certain amount of time of inactivity. Currently, even if I restart IIS, the application keeps me logged in. I tried to change the provider for CookieAuthenticationOptions and set the expiration there (in Startup.cs):
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        ExpireTimeSpan = TimeSpan.FromMinutes(1),
        SlidingExpiration = true,
        Provider = new CookieAuthenticationProvider
        {
            OnResponseSignIn = signInContext =>
            {
                signInContext.Properties.ExpiresUtc = DateTime.UtcNow.Add(TimeSpan.FromMinutes(15));
            }
        }
    });
But it still doesn't have any effect. How do I make sure the user session is expired after a timeout?
Thanks, Vlad.
1 Answer(s)
Hi,
This is not related to ABP but AspNet. I have searched on the internet and found this issue: https://github.com/aspnet/Security/issues/780.
It seems like you also need to set IssuedUtc as well.
    Provider = new CookieAuthenticationProvider
    {
        OnResponseSignIn = signInContext =>
        {
            signInContext.Properties.IssuedUtc = DateTime.UtcNow;
            signInContext.Properties.ExpiresUtc = DateTime.UtcNow.Add(TimeSpan.FromSeconds(60));
        }
    }
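A consolidated configuration for the approach in the answer, as an added example that is not from the original thread or from ABP. It takes the inactivity window from one constant so that ExpireTimeSpan and the ticket's ExpiresUtc cannot disagree, and it refuses tickets that carry no timestamps. The names ConfigureAuth and IdleTimeout, the 15-minute value and the HTTPS-only cookie are assumptions.

```csharp
// Added example for OWIN cookie authentication (Microsoft.Owin.Security.Cookies).
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // Assumed value: the single source for the inactivity window.
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(15);

    // Hypothetical method name; call it from Startup.Configuration.
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            ExpireTimeSpan = IdleTimeout,
            SlidingExpiration = true,              // activity extends the ticket
            CookieHttpOnly = true,                 // not readable from script
            CookieSecure = CookieSecureOption.Always, // assumes the site is HTTPS-only
            Provider = new CookieAuthenticationProvider
            {
                OnResponseSignIn = ctx =>
                {
                    // Stamp both values from one clock reading and one lifetime.
                    var now = DateTimeOffset.UtcNow;
                    ctx.Properties.IssuedUtc = now;
                    ctx.Properties.ExpiresUtc = now.Add(ctx.Options.ExpireTimeSpan);
                },
                OnValidateIdentity = ctx =>
                {
                    // Defensive check on every request: a ticket without both
                    // timestamps, or past its expiry, is treated as signed out.
                    var p = ctx.Properties;
                    if (!p.IssuedUtc.HasValue || !p.ExpiresUtc.HasValue
                        || p.ExpiresUtc.Value <= DateTimeOffset.UtcNow)
                    {
                        ctx.RejectIdentity();
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```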