
Application Session expiration #1934


0
vlad created

I am trying to make sure that the session is expired after a certain amount of time of inactivity. Currently, even if I restart IIS, the application keeps me logged in. I tried to change the provider for CookieAuthenticationOptions and set the expiration there (in Startup.cs):

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    ExpireTimeSpan = TimeSpan.FromMinutes(1),
    SlidingExpiration = true,
    Provider = new CookieAuthenticationProvider
    {
        OnResponseSignIn = signInContext =>
        {
            signInContext.Properties.ExpiresUtc = DateTime.UtcNow.Add(TimeSpan.FromMinutes(15));
        }
    }
});

But it still doesn't have an effect. How do I make sure the user session is expired after a timeout?

Thanks, Vlad.


1 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    This is not related to ABP but AspNet. I have searched on the internet and found this issue: https://github.com/aspnet/Security/issues/780.

    It seems like you also need to set IssuedUtc as well.

    Provider = new CookieAuthenticationProvider
    {
        OnResponseSignIn = signInContext =>
        {
            signInContext.Properties.IssuedUtc = DateTime.UtcNow;
            signInContext.Properties.ExpiresUtc = DateTime.UtcNow.Add(TimeSpan.FromSeconds(60));
        }
    }
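
A model of the timing rule these settings rely on, added here as an example and not taken from the posts above, from ABP, or from the ASP.NET middleware source: a ticket is rejected once `ExpiresUtc` has passed, and with `SlidingExpiration` it is re-issued when more than half of the `IssuedUtc`-to-`ExpiresUtc` window has elapsed. The `Validate` helper and the request timeline are hypothetical and constructed; the half-window rule is an assumption based on the documented behaviour of sliding expiration in the cookie middleware.

```csharp
using System;

static class SlidingExpirationModel
{
    // Hypothetical helper (not a framework API): decides whether a ticket is still
    // valid at 'now' and whether it should be re-issued with a fresh window.
    public static (bool Valid, DateTimeOffset? Issued, DateTimeOffset? Expires, bool Renewed)
        Validate(DateTimeOffset? issuedUtc, DateTimeOffset? expiresUtc,
                 DateTimeOffset now, bool slidingExpiration)
    {
        // A ticket past its ExpiresUtc is rejected; the user has to sign in again.
        if (expiresUtc.HasValue && now > expiresUtc.Value)
            return (false, issuedUtc, expiresUtc, false);

        // Renewal needs BOTH timestamps: the window length is ExpiresUtc - IssuedUtc.
        if (slidingExpiration && issuedUtc.HasValue && expiresUtc.HasValue)
        {
            TimeSpan elapsed = now - issuedUtc.Value;
            TimeSpan remaining = expiresUtc.Value - now;
            if (remaining < elapsed) // more than half of the window is used up
            {
                TimeSpan window = expiresUtc.Value - issuedUtc.Value;
                return (true, now, now + window, true);
            }
        }
        return (true, issuedUtc, expiresUtc, false);
    }

    static void Main()
    {
        // Constructed timeline: sign-in at t0 with a 60-second window, as in the answer.
        var t0 = new DateTimeOffset(2024, 1, 1, 12, 0, 0, TimeSpan.Zero);
        DateTimeOffset? issued = t0, expires = t0.AddSeconds(60);

        // Request times in seconds after t0; the last one follows 70 seconds of inactivity.
        foreach (int offset in new[] { 20, 40, 90, 160 })
        {
            var r = Validate(issued, expires, t0.AddSeconds(offset), slidingExpiration: true);
            Console.WriteLine(
                $"t0+{offset,3}s valid={r.Valid} renewed={r.Renewed} expires={r.Expires:HH:mm:ss}");
            if (!r.Valid) break; // ticket rejected, stop the session
            issued = r.Issued;
            expires = r.Expires;
        }
    }
}
```

In this model the timestamps live only inside the ticket, so no server-side state is consulted when deciding whether a request is still authenticated.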