Identity Cookie expiry not being respected #12233
Comments
That behavior is likely due to the security stamp validation that's looking for a user's security stamp within the cookie. You disable that check, if you aren't using the security stamp, via its options: https://github.com/aspnet/AspNetCore/blob/bfec2c14be1e65f7dd361a43950d4c848ad0cd35/src/Identity/Core/src/SecurityStampValidatorOptions.cs#L20
That seems to have done the trick. What's the purpose of this, though? Why do we have the ability to change the cookie expiry if eventually the actual expiration is overridden by the SecurityStamp validator? I feel like I'm missing part of the point.
Security stamps don't expire the cookie, but they invalidate its contents. The stamp is updated when information in the user profile is changed that could affect the UI or authorization (e.g. a new claim is added).
To the best of my knowledge nothing is being changed during that time period; the only information that gets periodically updated is FullName (not an identity property) and IsDeleted (again, not identity). So I don't know what is causing the security stamp to be changed. Is there any way to track this down?
I also encounter a similar issue where the security stamp validator affects the cookie expiry time. Nothing is changed in the user, because I set the ValidationInterval to 0 or a few seconds, and every time a simple request would cause the auth cookie expiry time to be extended. Continuing to extend the cookie expiry is a security issue. Disabling ValidationInterval would introduce another security issue. To my understanding of the documentation, when it validates true, it does nothing; if it validates false, it signs out the user. But why does the security stamp validator extend the cookie expiry time? I understand the symptom looks different, although I feel the underlying issue might be the same. I opened another ticket at #13117.
Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue. This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!
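One way to trace the sign-out asked about in the comment above, as an added example that is not part of the original thread or of the ASP.NET Core code base: wrap the cookie's `OnValidatePrincipal` event around the stock security stamp validator and log why a principal was rejected. `AppUser`, `IdentityCookieSetup` and the `StampDiag` logger name are hypothetical; the 30-day lifetime comes from the issue, and 30 minutes is the framework default for `ValidationInterval`.

```csharp
using System;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

public class AppUser : IdentityUser { }            // hypothetical user type

public static class IdentityCookieSetup            // hypothetical helper
{
    // Call after AddIdentity/AddDefaultIdentity so these settings are applied last.
    public static void Configure(IServiceCollection services)
    {
        // Timer 1: how long the browser keeps the cookie.
        services.ConfigureApplicationCookie(o =>
        {
            o.ExpireTimeSpan = TimeSpan.FromDays(30);
            o.SlidingExpiration = true;            // reissued once over half the lifetime has passed

            o.Events.OnValidatePrincipal = async ctx =>
            {
                var sp = ctx.HttpContext.RequestServices;
                var log = sp.GetRequiredService<ILoggerFactory>().CreateLogger("StampDiag");
                var users = sp.GetRequiredService<UserManager<AppUser>>();
                var claimType = sp.GetRequiredService<IOptions<IdentityOptions>>()
                                  .Value.ClaimsIdentity.SecurityStampClaimType;

                var before = ctx.Principal;
                var cookieStamp = before?.FindFirst(claimType)?.Value;

                // The stock check: a no-op until ValidationInterval has elapsed.
                await SecurityStampValidator.ValidatePrincipalAsync(ctx);

                if (before != null && ctx.Principal == null)   // principal was rejected
                {
                    var user = await users.GetUserAsync(before);
                    // Log presence and equality only, never the stamp values themselves.
                    log.LogWarning(
                        "Stamp check rejected cookie: userFound={Found} storeSupportsStamp={Supports} " +
                        "cookieHasStamp={InCookie} storeHasStamp={InStore} match={Match}",
                        user != null, users.SupportsUserSecurityStamp, cookieStamp != null,
                        user?.SecurityStamp != null, cookieStamp == user?.SecurityStamp);
                }
            };
        });

        // Timer 2: how often the stamp in the cookie is re-checked against the store.
        services.Configure<SecurityStampValidatorOptions>(o =>
            o.ValidationInterval = TimeSpan.FromMinutes(30));  // framework default, shown explicitly
    }
}
```

A warning with `storeHasStamp=False` or `cookieHasStamp=False` points at a stamp that was never written or never issued, while `match=False` with both present means something updated the stored stamp after sign-in.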
Describe the bug
I'm trying to create a long-timeout cookie for Identity that will leave a user logged in for at least 30 days (should refresh after 15 days)
This is the identity+cookie configuration:
What is happening is that a cookie is set with the correct expiry, but after 30 minutes the application explicitly removes the cookie on its own:
To Reproduce
Steps to reproduce the behavior:
Using the above samples
Expected behavior
A cookie that lasts at the very least more than 30 minutes
Screenshots