.Net Core Identity application cookie is being deleted after 30 minutes while cookie's age is 30 days

[hukumrat]

Hello,
I use .net core identity for authentication and authorization in my project. I set .AspNetCore.Identity.Application cookie's expiration date after 30 days in controller:

var checkPasswordResult =
    await _signInManager.CheckPasswordSignInAsync(user, model.Password, lockoutOnFailure: true);

if (checkPasswordResult.Succeeded)
{
    var authenticationProperties = new AuthenticationProperties();

    if (model.RememberMe)
    {
        authenticationProperties.IsPersistent = true;
        authenticationProperties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(30);
        authenticationProperties.AllowRefresh = true;
    }

    await _signInManager.SignInAsync(user, authenticationProperties);
}

And my Startup:

services.AddAuthentication(IdentityConstants.ApplicationScheme)
        .AddCookie(options =>
        {
            options.LoginPath = "/Account/LogIn";
            options.LogoutPath = "/Account/LogOut";
            options.AccessDeniedPath = "/Account/AccessDenied";
            options.ExpireTimeSpan = TimeSpan.FromDays(30);
            options.SlidingExpiration = true;
        });

After login I can see it is set correctly:

Somehow, when I close browser and open it after 30 minutes, .AspNetCore.Identity.Application cookie is being deleted. I checked it in my local in production environment and I saw that cookie is not being deleted.

I don't have any custom middleware which will effect this cookie and I don't have any custom configuration which will delete any cookie after any minutes in server.

[Tratcher]

authenticationProperties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(30);

This line shouldn't be needed, options.ExpireTimeSpan = TimeSpan.FromDays(30); already covers that.

Somehow, when I close browser and open it after 30 minutes, .AspNetCore.Identity.Application cookie is being deleted.

If you run Fiddler or the browser networking tools when you first re-open the browser and return to the app, is the cookie sent on that first request?

[hukumrat]

authenticationProperties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(30);

This line shouldn't be needed, options.ExpireTimeSpan = TimeSpan.FromDays(30); already covers that.

I was using PasswordSignInAsync and it creates new AuthenticationProperties so PasswordSignInAsync overrides Startup configuration. That's why, just in case, I added authenticationProperties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(30); line. Thanks a lot for your precious suggestion.

Somehow, when I close browser and open it after 30 minutes, .AspNetCore.Identity.Application cookie is being deleted.

If you run Fiddler or the browser networking tools when you first re-open the browser and return to the app, is the cookie sent on that first request?

Unfortunately. Cookie is deleted on first re-open request (after 30+ minutes).
I created a endpoint to test it.
I send cookie value to this endpoint and it unprotect cookie value. Convert it to AuthenticationTicket and serialize to json.

public class DataProtectorController : Controller
{
    private readonly TicketDataFormat _ticketDataFormat;

    public DataProtectorController(IDataProtectionProvider provider)
    {
        var protector =
            provider.CreateProtector("Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
                "Identity.Application", "v2");
        _ticketDataFormat = new TicketDataFormat(protector);
    }

    [HttpGet]
    public IActionResult Unprotect(string data)
    {
        var unProtectedData = _ticketDataFormat.Unprotect(data);

        var jsonData = SerializeAuthenticationTicket(unProtectedData);

        return Content(jsonData, "application/json");
    }
}

I used these steps while I test cookie value with unprotect endpoint:

• I logged in.
• .AspNetCore.Identity.Application cookie is created with 30 days max-age and I stored cookie value.
• I closed the browser.
• Opened browser and return the app after 30+ minutes.
• When I check networking tools I saw that .AspNetCore.Identity.Application cookie is deleted and app redirected me to login page.
• I called /unprotect endpoint to check if stored cookie value is dead or alive.
• The json output says that isAuthenticated: true and expire date is after 30 days from today. So cookie is alive but it is deleted by server. Because when I do these same steps on my local, cookie isn't deleted and I can load app successfully after 30+ minutes.
• And lastly if I add cookie manually and refresh page I get Site Under Construction either local and live server.

I suspect of IIS Server configurations of server. Is there any IIS configuration which delete identity cookie for security or sth. else?

[Tratcher]

The json output says that isAuthenticated: true and expire date is after 30 days from today. So cookie is alive but it is deleted by server. Because when I do these same steps on my local, cookie isn't deleted and I can load app successfully after 30+ minutes.

What does that delete look like, `Set-Cookie: .AspNetCore.Identity.Application=; Expires=(in the past)"?

[hukumrat]

The json output says that isAuthenticated: true and expire date is after 30 days from today. So cookie is alive but it is deleted by server. Because when I do these same steps on my local, cookie isn't deleted and I can load app successfully after 30+ minutes.

What does that delete look like, `Set-Cookie: .AspNetCore.Identity.Application=; Expires=(in the past)"?

Cookie is just be deleted. Not set expire in the past.
I can see cookie after log in and then after re-open browser after 30+ minutes cookie doesn't exist. Other all cookies aren't be deleted but just .AspNetCore.Identity.Application cookie is deleted.

[Tratcher]

That's the client deleting it then, not the server. The server can only delete a cookie via a Set-Cookie header like the one I showed.

[hukumrat]

That's the client deleting it then, not the server. The server can only delete a cookie via a Set-Cookie header like the one I showed.

Well, where can client delete it? Because same client on my local but it doesn't delete cookie. What can be differences on local and server?
Btw: I tried it on local in either production and development environment. Same result. Doesn't delete cookie.

Thank you for filing this issue. In order for us to investigate this issue, please provide a minimalistic repro project that illustrates the problem.

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.

See our Issue Management Policies for more information.