Identity Cookie expiry not being respected #12233

Closed
siada opened this issue Jul 16, 2019 · 6 comments
Labels
area-identity Includes: Identity and providers
Comments

siada commented Jul 16, 2019

Describe the bug

I'm trying to create a long-timeout cookie for Identity that will leave a user logged in for at least 30 days (should refresh after 15 days)

This is the identity+cookie configuration:

    services.ConfigureIdentity(); // the author's own extension method, not shown in the issue

    services.ConfigureApplicationCookie(x =>
    {
        x.SlidingExpiration = true;
        x.ExpireTimeSpan = TimeSpan.FromDays(30);
        x.LoginPath = new PathString("/login");
    });

    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(opt =>
        {
            opt.SlidingExpiration = true;
            opt.ExpireTimeSpan = TimeSpan.FromDays(30);
            opt.LoginPath = new PathString("/login");
            opt.Cookie.SecurePolicy = CookieSecurePolicy.None;
            opt.Cookie.Expiration = TimeSpan.FromDays(30);
        });

What is happening is that a cookie is set with the correct expiry, but after 30 minutes the application explicitly removes the cookie on its own:

Set-Cookie: .AspNetCore.Identity.Application=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax

To Reproduce

Steps to reproduce the behavior:

  1. Using this version of ASP.NET Core: 2.2
  2. Using the above samples

Expected behavior

A cookie that lasts, at the very least, more than 30 minutes

@mkArtakMSFT mkArtakMSFT added the area-identity Includes: Identity and providers label Jul 16, 2019

HaoK commented Jul 22, 2019

That behavior is likely due to the security stamp validation that's looking for a user's security stamp within the cookie, you disable that check if you aren't using the security stamp via its options: https://github.com/aspnet/AspNetCore/blob/bfec2c14be1e65f7dd361a43950d4c848ad0cd35/src/Identity/Core/src/SecurityStampValidatorOptions.cs#L20


siada commented Jul 24, 2019

That seems to have done the trick, what's the purpose of this though?

Why do we have the ability to change the cookie expiry if eventually the actual expiration is overridden by the SecurityStamp validator?

I feel like I'm missing part of the point

blowdart commented

Security stamps don't expire the cookie, but they invalidate its contents. The stamp is updated when information in the user profile is changed that could affect the UI or authorization (e.g. a new claim is added).
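
The following is an added example, not code from this issue or from ASP.NET Core itself, showing how the two settings HaoK and blowdart describe fit together. The application cookie's ExpireTimeSpan bounds how long the browser may present the cookie; SecurityStampValidatorOptions.ValidationInterval (default 30 minutes, which matches the 30-minute symptom in the report) controls how often the stamp claim carried in the cookie is re-checked against the user store. When that check fails the validator rejects the principal and signs the user out, which produces an expiring Set-Cookie like the one shown in the report. The example assumes a standard ASP.NET Core 2.2 Identity setup with an EF Core ApplicationDbContext already registered; the ApplicationUser class, the SecurityController and its routes are constructed for illustration.

```csharp
// Added example (not from the issue thread or from ASP.NET Core).
// Assumes ASP.NET Core 2.2 Identity and an existing ApplicationDbContext.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Constructed user type; a real app would add its own profile properties here.
public class ApplicationUser : IdentityUser { }

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // ApplicationDbContext registration (AddDbContext) is assumed to happen above.
        services.AddIdentity<ApplicationUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

        // Timer 1: cookie lifetime. How long the browser may keep presenting the
        // cookie (sliding: re-issued on use once half the lifetime has elapsed).
        services.ConfigureApplicationCookie(o =>
        {
            o.ExpireTimeSpan = TimeSpan.FromDays(30);
            o.SlidingExpiration = true;
            o.LoginPath = new PathString("/login");
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
            o.Cookie.HttpOnly = true;                           // not readable from script
        });

        // Timer 2: stamp validation interval. How often the stamp claim inside
        // the cookie is compared with the stamp stored for the user. A mismatch
        // (or a user that can no longer be loaded) rejects the cookie and signs
        // the user out. Tune the interval; do not disable the check.
        services.Configure<SecurityStampValidatorOptions>(o =>
        {
            o.ValidationInterval = TimeSpan.FromMinutes(30);
        });
    }
}

// Constructed controller showing the two operations that rotate the stamp.
[Authorize]
public class SecurityController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;

    public SecurityController(UserManager<ApplicationUser> userManager,
                              SignInManager<ApplicationUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // ChangePasswordAsync rotates the security stamp, so every other session's
    // cookie fails its next validation. RefreshSignInAsync issues a fresh cookie
    // for the current session so it is not rejected as well.
    [HttpPost("/security/change-password")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> ChangePassword(string current, string replacement)
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return Challenge();

        var result = await _userManager.ChangePasswordAsync(user, current, replacement);
        if (!result.Succeeded) return BadRequest(result.Errors);

        await _signInManager.RefreshSignInAsync(user);
        return Ok();
    }

    // "Sign out everywhere": rotate the stamp explicitly, then drop this session too.
    // Existing cookies elsewhere keep their expiry date but fail their next stamp check.
    [HttpPost("/security/sign-out-everywhere")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> SignOutEverywhere()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return Challenge();

        await _userManager.UpdateSecurityStampAsync(user);
        await _signInManager.SignOutAsync();
        return Ok();
    }
}
```

The point of keeping the validator enabled is that the cookie's expiry date is only an upper bound on the session; the stamp check is what lets a password change or an explicit revocation cut a session short before that date. If cookies are being dropped at the validation interval while nothing in the account has changed, the place to look is why the stamp comparison fails (a user store that does not persist the security stamp, or a principal issued without the stamp claim), rather than lengthening or switching off the interval.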

@blowdart blowdart added this to the Discussions milestone Jul 24, 2019
@HaoK HaoK removed their assignment Jul 25, 2019

siada commented Jul 30, 2019

To the best of my knowledge nothing is being changed during that time period, the only information that gets periodically updated is FullName (not an identity property) and IsDeleted (again, not identity)

So I don't know what is causing the security stamp to be changed, is there any way to track this down?

arisliang commented Aug 14, 2019

I also encountered a similar issue where the security stamp validator affects the cookie expiry time. Nothing is changed in the user, because I set the ValidationInterval to 0 or a few seconds, and every time a simple request would cause the auth cookie expiry time to be extended.

Keeping the cookie expiry extended is a security issue. Disabling ValidationInterval would introduce another security issue.

To my understanding of the documentation, when it validates as true, it does nothing; if it validates as false, it signs out the user. But why does the security stamp validator extend the cookie expiry time?

I understand the symptom looks different, although I feel the underlying issue might be the same. I opened another ticket at #13117.

ghost commented Dec 2, 2020

Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue.

This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!

@ghost ghost closed this as completed Dec 2, 2020
@dotnet dotnet locked as resolved and limited conversation to collaborators Jan 1, 2021