Dotnet Core cookies are getting expired within 5 minutes with WSFederation and SSO #9407

Closed
sankp opened this Issue Apr 16, 2019 · 5 comments

sankp commented Apr 16, 2019

Hi,

I have an aspnet core 2.2 mvc application which is also using web api. I am using WSFederation Security with SSO. Login and cookies are working fine with this, but after 5 mins my cookies are getting expired somehow and my web api calls turn into 302 responses because SSO redirects.
How can I make my cookie valid for a longer period of time? I have tried different options available but nothing seems to be working.

Here is my code.

```csharp
services.Configure<CookiePolicyOptions>(options =>
{
    options.CheckConsentNeeded = context => true;
    options.MinimumSameSitePolicy = SameSiteMode.None;
});

// Cookie is the default and sign-in scheme; WS-Federation handles challenges.
services.AddAuthentication(sharedOptions =>
{
    sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
})
.AddWsFederation(options =>
{
    // Set the Metadata Address
    options.MetadataAddress = requestUri.AbsoluteUri;
    // Set the WS-Federation realm.
    options.Wtrealm = pingFederateSettings.Wtrealm;
})
.AddCookie(p =>
{
    p.SlidingExpiration = true;
    // Sets an explicit 30-day expiry on the browser cookie at sign-in.
    p.Events.OnSigningIn = (context) =>
    {
        context.CookieOptions.Expires = DateTimeOffset.UtcNow.AddDays(30);
        return Task.CompletedTask;
    };
    p.Events.OnRedirectToAccessDenied = (context) =>
    {
        return Task.CompletedTask;
    };
    p.Events.OnValidatePrincipal = (context) =>
    {
        return Task.CompletedTask;
    };
});
```

blowdart commented Apr 16, 2019

You can't use SlidingExpiration with an expiry date on the cookie. It's either/or.

Tratcher commented Apr 16, 2019

The default is 14 days, sliding. You shouldn't need to do anything else.

```csharp
ExpireTimeSpan = TimeSpan.FromDays(14);
ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
SlidingExpiration = true;
```

Start by removing OnSigningIn.

WsFederation does have UseTokenLifetime=true by default. Do your WsFed tokens have a 5 min expiration? Try disabling UseTokenLifetime.

```csharp
public bool UseTokenLifetime { get; set; } = true;
```

sankp commented Apr 17, 2019

Thanks @Tratcher, UseTokenLifetime = false worked. Cookies are not getting expired now. However, I can override ExpireTimeSpan to any TimeSpan, right? Which will become the actual expiration TimeSpan of the cookie.

Tratcher commented Apr 17, 2019

Yes, you can set ExpireTimeSpan. Note that value is primarily embedded inside the cookie and used by the server for verification. We don't set the normal cookie expiration value you'd see in the browser debugger tools unless you set the "Remember Me" (IsPersistent) option for persisting cookies beyond this browser session.

sankp commented Apr 18, 2019

Thanks @Tratcher for your help. We don't provide login or logout functionality. It's all handled by the SSO site, so I am good for now.

sankp closed this Apr 18, 2019
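
The configuration this thread converges on, as an added example that is not the poster's or the project's own code: `UseTokenLifetime` is disabled so the cookie ticket follows `ExpireTimeSpan` with sliding renewal, and two event handlers log the token and ticket validity windows so the effective lifetime can be checked. The class name, method name, logger category and the 8-hour value are assumptions; with `UseTokenLifetime = false` the identity provider's token lifetime no longer bounds the local session, so `ExpireTimeSpan` becomes the session policy.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class FederatedCookieSetup // hypothetical helper, not from the thread
{
    // metadataAddress and wtrealm come from the caller's own settings.
    public static void AddFederatedCookieAuth(this IServiceCollection services, string metadataAddress, string wtrealm)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
        .AddWsFederation(o =>
        {
            o.MetadataAddress = metadataAddress;
            o.Wtrealm = wtrealm;
            // Default is true, which makes the ticket inherit the token's validity window.
            o.UseTokenLifetime = false;
            o.Events.OnSecurityTokenValidated = ctx =>
            {
                // Diagnostic: shows how short-lived the identity provider's token is.
                Log(ctx.HttpContext.RequestServices).LogInformation("WS-Fed token valid {From:o} to {To:o}",
                    ctx.SecurityToken.ValidFrom, ctx.SecurityToken.ValidTo);
                return Task.CompletedTask;
            };
        })
        .AddCookie(o =>
        {
            o.ExpireTimeSpan = TimeSpan.FromHours(8); // constructed value, set per session policy
            o.SlidingExpiration = true;
            // No OnSigningIn override of CookieOptions.Expires: the ticket lifetime is server-verified.
            o.Events.OnValidatePrincipal = ctx =>
            {
                // Diagnostic: the lifetime actually stored in the authentication ticket.
                Log(ctx.HttpContext.RequestServices).LogDebug("Ticket issued {Issued:o}, expires {Expires:o}",
                    ctx.Properties.IssuedUtc, ctx.Properties.ExpiresUtc);
                return Task.CompletedTask;
            };
        });
    }

    private static ILogger Log(IServiceProvider sp) =>
        sp.GetRequiredService<ILoggerFactory>().CreateLogger("AuthLifetime");
}
```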
