This repository has been archived by the owner on Dec 20, 2018. It is now read-only.

Cookie expiration time configured in ConfigureApplicationCookie ignored by Identity #1425

Closed
B-Esmaili opened this issue Sep 12, 2017 · 9 comments



B-Esmaili commented Sep 12, 2017

Here is my configuration for the identity cookie:

    services.ConfigureApplicationCookie(cfg =>
    {
        cfg.Cookie.Name = "application_ms_state";
        cfg.Cookie.Expiration = TimeSpan.FromDays(15);
        cfg.SlidingExpiration = true;
    });

[Image: cookie]

As you can see, the cookie is generated for 15 days, but it expires in almost half an hour. Could anyone clarify what the problem is with my configuration?


VahidN commented Sep 12, 2017

Have you configured your server to store the cookie decryption keys permanently? If not, whenever the server restarts or the app pool restarts, your users will have to log in again.
More info

@B-Esmaili
Author

I went through the documentation and did as mentioned, but I still get logged out after 30 minutes.

Contributor

natemcmaster commented Sep 13, 2017

Can you try changing your code to this?

cfg.ExpireTimeSpan = TimeSpan.FromDays(15);

As mentioned in the xmldocs, Cookie.Expiration is ignored on CookieAuthenticationOptions.

https://github.com/aspnet/Security/blob/a53bf093a7d86b35e019c80515c92d7626982325/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs#L62

Possible duplicate of https://github.com/aspnet/Security/issues/1293

@B-Esmaili
Author

I have done this as well, but no luck. @natemcmaster, could you give me a reference to the code which checks for ticket expiration?

Author

B-Esmaili commented Sep 14, 2017

I found the location in which the check for expiration is done and figured out what the problem is: Identity checks every 30 minutes (by default; it's configurable) to see if the issued authentication ticket is valid. Consequently, it checks whether the class which is implementing UserStore<> is implementing IUserSecurityStampStore (UserManager.SupportsUserSecurityStamp in the following code) for that matter.

if (user != null && UserManager.SupportsUserSecurityStamp)

And the following is the getter of SupportsUserSecurityStamp:

return Store is IUserSecurityStampStore<TUser>;

As my MembershipService class, which is implementing IUserStore, does not implement IUserSecurityStampStore<>, after the 30-minute interval I end up with an invalid security stamp and a null principal, which == SignOut. This was my bad story.
You can close this issue as my problem is resolved.
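The resolution described in the comment above, as an added example that is not code from this thread or from the Identity project: a custom store that implements `IUserSecurityStampStore<TUser>` so the periodic stamp check can succeed, together with the `ExpireTimeSpan` setting suggested earlier. `AppUser`, the in-memory dictionary and `IdentityCookieSetup` are hypothetical names; a real store would persist users and their stamps in its own database.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical user type; SecurityStamp has to be persisted with the user record.
public class AppUser
{
    public string Id { get; set; } = Guid.NewGuid().ToString();
    public string UserName { get; set; }
    public string NormalizedUserName { get; set; }
    public string SecurityStamp { get; set; }
}

// Hypothetical in-memory store standing in for the custom MembershipService.
public class MembershipService : IUserSecurityStampStore<AppUser>
{
    private static readonly ConcurrentDictionary<string, AppUser> Users = new ConcurrentDictionary<string, AppUser>();
    // These two members make UserManager.SupportsUserSecurityStamp return true.
    public Task SetSecurityStampAsync(AppUser user, string stamp, CancellationToken ct) { user.SecurityStamp = stamp; return Task.CompletedTask; }
    public Task<string> GetSecurityStampAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.SecurityStamp);

    // Remaining IUserStore<AppUser> members.
    public Task<string> GetUserIdAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.Id);
    public Task<string> GetUserNameAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.UserName);
    public Task SetUserNameAsync(AppUser user, string name, CancellationToken ct) { user.UserName = name; return Task.CompletedTask; }
    public Task<string> GetNormalizedUserNameAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.NormalizedUserName);
    public Task SetNormalizedUserNameAsync(AppUser user, string name, CancellationToken ct) { user.NormalizedUserName = name; return Task.CompletedTask; }
    public Task<IdentityResult> CreateAsync(AppUser user, CancellationToken ct) { Users[user.Id] = user; return Task.FromResult(IdentityResult.Success); }
    public Task<IdentityResult> UpdateAsync(AppUser user, CancellationToken ct) { Users[user.Id] = user; return Task.FromResult(IdentityResult.Success); }
    public Task<IdentityResult> DeleteAsync(AppUser user, CancellationToken ct) { Users.TryRemove(user.Id, out _); return Task.FromResult(IdentityResult.Success); }
    public Task<AppUser> FindByIdAsync(string id, CancellationToken ct) => Task.FromResult(Users.TryGetValue(id, out var u) ? u : null);
    public Task<AppUser> FindByNameAsync(string name, CancellationToken ct) => Task.FromResult(Users.Values.FirstOrDefault(u => u.NormalizedUserName == name));
    public void Dispose() { }
}

public static class IdentityCookieSetup
{
    public static void Configure(IServiceCollection services)
    {
        // Lifetime of the authentication ticket; Cookie.Expiration is ignored for this.
        services.ConfigureApplicationCookie(cfg => { cfg.ExpireTimeSpan = TimeSpan.FromDays(15); cfg.SlidingExpiration = true; });
        // Interval of the security stamp re-check (30 minutes is the default).
        services.Configure<SecurityStampValidatorOptions>(o => o.ValidationInterval = TimeSpan.FromMinutes(30));
    }
}
```

Users that existed before the store supported stamps need a stamp value; `UserManager.UpdateSecurityStampAsync(user)` generates one.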

@natemcmaster
Contributor

Ok, thanks for letting us know @B-Esmaili. We'll use aspnet/Security#1293 for further follow up on the Cookie.Expiration vs ExpireTimeSpan discussion.

@tiljanssen

I had the same problem. It took me quite some time to find out the cause.

Shouldn't addIdentity() check whether the securityStampValidatorStore is supported, and if not, either throw or skip the registration of the validation?

Member

HaoK commented Jul 16, 2018

Sure, that's a reasonable suggestion. Can you file a new issue asking for that improvement? It's something we can consider for 2.2, as it would be very cheap @tiljanssen

@aguayUmbt

I would like to extend my authentication duration to 1 day, but from what I've understood, it's logging out after 30 minutes. If I set it to 1 minute, it actually works.
I've consulted many topics regarding this matter but couldn't find an answer I could understand. Please help me with this, thanks.
