Azure AD session expires after one hour

[DineshMuralitharan]

I have used Azure AD login using openid connect authentication in my website. The session expires every one hour, and the user is logged out. I saw a solution in the below link to use

UseTokenLifetime = false

#147

Will this fix my issue? or is there any other way to increase expiration time of the session?

[Tratcher]

Yes, you should use that option. Did you try it?

[DineshMuralitharan]

yes i tried it.

Please find the following cases,

1. When i navigate between the pages, everything works fine.
2. When i work on the same page for 1 hour or leave the page idle , then the session is expired and redirects me back to my login page.

This is the code i have used,

> public void ConfigureAuth(IAppBuilder app)
>         {
>             app.UseKentorOwinCookieSaver();
>             app.UseCookieAuthentication(new CookieAuthenticationOptions());
>             app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
>             app.UseOpenIdConnectAuthentication(
>                 new OpenIdConnectAuthenticationOptions
>                 {
>                     ClientId = clientId,
>                     Authority = authority,
>                     PostLogoutRedirectUri = postLogoutRedirectUri,
>                     RedirectUri = postLogoutRedirectUri,
>                     UseTokenLifetime = false,
>                     Notifications = new OpenIdConnectAuthenticationNotifications
>                     {
>                         AuthenticationFailed = context =>
>                         {
>                             if (context.Exception.Message.StartsWith("OICE_20004") || context.Exception.Message.Contains("IDX10311"))
>                             {
>                                 context.SkipToNextMiddleware();
>                                 context.Response.Redirect("/dashboard");
>                                 return Task.FromResult(0);
>                             }
>                             return Task.FromResult(0);
>                         }
>                     }
>                 });
>         }

[Tratcher]

Oh, you're using the old Microsoft.Owin stack. That shouldn't change the expected behavior. When you're active you benifit from CookieAuth's default SlidingExpiration option (

Security/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs

Lines 92 to 96 in 2d7cd60

	/// <summary>
	/// The SlidingExpiration is set to true to instruct the middleware to re-issue a new cookie with a new
	/// expiration time any time it processes a request which is more than halfway through the expiration window.
	/// </summary>
	public bool SlidingExpiration { get; set; }

). However disabling UseTokenLifetime should extend you to CookeAuth's default lifetime of 14 days.

What does your Set-Cookie header look like?

As a side note, I do not recommend UseKentorOwinCookieSaver. See https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues#workarounds and aspnet/AspNetKatana@49b78c0

[DineshMuralitharan]

As a side note, I do not recommend UseKentorOwinCookieSaver - Thanks for letting me know. i will consider this.