Identity cookie expired for no reason even during active usage

Created on 27 Nov 2017  路  9Comments  路  Source: aspnet/Identity

My web app hosted in free azure web app has a strange issue where the user need to re-login again even during active usage

The code to login is

 signInManager.PasswordSignInAsync(username, password, rememberMe, true);

even with rememberMe being set to true, user still need to relogin

Some google said that it could be machine key issue but I don't think azure moved my free instance to anothe machine so often.

I restarted the instance for to test and the cookie still working.

image

If I look to chrome, cookie should expires when browsing session end but that is not the case.

At this stage Im not sure where to look other than it could be a bug in identity cookie implementation or its due azure free web instance

Most helpful comment

Is this intended feature?

I think what people expect is that the authentication login should be as long as

  • without rememberMe set to true, when session end
  • with rememberMe set to true, default TimeSpan of cookies expired date (default 2 weeks)

Change a user's role or remove the ability for user to login should be direct effect
It will be crazy that we need to wait 30 minutes
Now I have to set it to 2 weeks, it will be even crazier otherwise my user need to re-login every 30 minutes which is not acceptable business case

Something is not right here...

All 9 comments

Is this the reason? 30 minutes?
image

Testing again with rememberMe set to true

Expired in the next 2 weeks, lets see
image

ok identity cookie gone after 30 minutes even rememberMe being set to true

this thread say something about securityStamp
https://github.com/aspnet/Identity/issues/900

testing with this code

services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromMinutes(1));

Authentication indeed gone after 1 minute! Nice new feature eh, not even in the documentation

https://github.com/aspnet/Identity/issues/999
https://github.com/aspnet/Identity/issues/1478

What is the security impact setting ValidationInterval to 2 weeks?

Just means if you were to change a user's role, or remove the ability for a particular user to login, it wouldn't take effect until after 2 weeks (i.e. the maximum time a stale cookie can be used is the validation interval).

Is this intended feature?

I think what people expect is that the authentication login should be as long as

  • without rememberMe set to true, when session end
  • with rememberMe set to true, default TimeSpan of cookies expired date (default 2 weeks)

Change a user's role or remove the ability for user to login should be direct effect
It will be crazy that we need to wait 30 minutes
Now I have to set it to 2 weeks, it will be even crazier otherwise my user need to re-login every 30 minutes which is not acceptable business case

Something is not right here...

This is intended. You can hook into the cookie middleware ValidatePrinciple event - https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?tabs=aspnetcore2x#reacting-to-back-end-changes

Was this page helpful?
0 / 5 - 0 ratings