Remember me isPersistent understanding #2079

Closed
LindaLawton opened this Issue Nov 21, 2018 · 0 comments

LindaLawton commented Nov 21, 2018

This is more of a question, but it's not enough of a question that I could post it on Stack Overflow without risking it just getting closed as primarily opinion-based or too broad. So I am going to put it here in hopes of getting an answer.

The issue is the understanding of how remember me is supposed to work. My problem is that it's not doing what we would expect it to do.

Management expects when a user logs in and clicks remember me that they will then not be required to type their login and password again for a month. Whether or not they will still have to type in the 2fa code is up for debate.

What is actually happening is that I can close the browser, reboot, and come back for about an hour and 15 minutes, and then I will be forced to type my password again. This still happens even with a valid .AspNetCore.Identity.Application cookie set that is not due to expire for another month.

After digging around in the code I found that Remember me is actually isPersistent, and it is defined as:

Flag indicating whether the sign-in cookie should persist after the browser is closed.

Which brings you to:

There are two different types of Cookies:

  • session cookies, held in memory, and which expire once the browser exits
  • persistent cookies, which have a time-to-live, are persisted on disk, and are sent by the browser until their time-to-live has elapsed.

All this being said, remember machine 2fa works as expected: I am not prompted again for the 2fa and I have a cookie on my machine, Identity.TwoFactorRememberMe.

So I guess my question is why are we not getting an Identity.FactorRememberMe, or why isn't sign in respecting a long lifetime of the AspNetCore.Identity.Application cookie?

How is this supposed to work exactly? I am following the code here even though we have normal MVC and not razor pages like you have in the example. I am still just calling

var signInUserResult = await _signInManager.PasswordSignInAsync(userName, password, rememberMe, true);

Note: I am using ASP.NET Identity in an IdentityServer4 application.
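
The session versus persistent cookie distinction quoted in the issue can be checked on the `Set-Cookie` headers a server sends. The following is an added example, not part of the original issue or of the project's code; the `classifySetCookie` helper, the fixed clock and the header values are constructed for illustration, with only the cookie names taken from the issue.

```javascript
// Added example: classify Set-Cookie headers as session or persistent (RFC 6265 rules).
// Header values are constructed samples; only the cookie names come from the issue.
const NOW = new Date("2018-11-21T10:00:00Z"); // fixed clock so results are reproducible

const SAMPLE_HEADERS = [
  // No Expires / Max-Age: a session cookie, dropped when the browser exits.
  ".AspNetCore.Identity.Application=constructed-value; path=/; secure; httponly",
  // Expires one month ahead: a persistent cookie.
  ".AspNetCore.Identity.Application=constructed-value; expires=Fri, 21 Dec 2018 10:00:00 GMT; path=/; secure; httponly",
  // Max-Age in seconds (14 days): also persistent.
  "Identity.TwoFactorRememberMe=constructed-value; max-age=1209600; path=/; secure; httponly",
];

function classifySetCookie(header, now = new Date()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "max-age" && /^-?\d+$/.test(value)) maxAge = Number(value);
    if (key === "expires" && !Number.isNaN(Date.parse(value))) expires = new Date(value);
  }
  // Max-Age takes precedence over Expires when both are present.
  let expiry = null;
  if (maxAge !== null) expiry = new Date(now.getTime() + maxAge * 1000);
  else if (expires !== null) expiry = expires;
  if (expiry === null) return { name, kind: "session", daysLeft: null };
  const daysLeft = (expiry.getTime() - now.getTime()) / 86400000;
  return { name, kind: daysLeft > 0 ? "persistent" : "expired", daysLeft };
}

function classifyAll(headers, now) {
  return headers.map((h) => classifySetCookie(h, now));
}

for (const result of classifyAll(SAMPLE_HEADERS, NOW)) {
  console.log(result.name, result.kind, result.daysLeft);
}
```

A `persistent` result only shows that the browser will keep sending the cookie; whether the server still accepts its contents is a separate check.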
