Update CookieAuthenticationOptions comments

[tndata]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Correct the currently incorrect comments in the source code for the Cookie Handler.

In this file:
src/Security/Authentication/Cookies/src/CookieAuthenticationOptions.cs

It says:

    /// <summary>
    /// <para>
    /// Controls how much time the authentication ticket stored in the cookie will remain valid from the point it is created.
    /// The expiration information is stored in the protected cookie ticket. Because of that an expired cookie will be ignored
    /// even if it is passed to the server after the browser should have purged it.
    /// </para>
    /// <para>
    /// This is separate from the value of <see cref="CookieOptions.Expires"/>, which specifies
    /// how long the browser will keep the cookie.
    /// </para>
    /// </summary>
    public TimeSpan ExpireTimeSpan { get; set; }

It mentions that I can use the CookieOptions.Expires, however, when we try it, it throws an exception:

OptionsValidationException: Cookie.Expiration is ignored, use ExpireTimeSpan instead.`

builder.Services.AddOptions<CookieAuthenticationOptions>(authenticationScheme).Validate(o => o.Cookie.Expiration == null, "Cookie.Expiration is ignored, use ExpireTimeSpan instead.");

Expected Behavior

This is fine, but i wish the comments in the CookieAuthenticationOptions was updated to better reflect the reality and if you want to control the cookie lifetime separately, you have the MaxAge option to use instead?
or are there a better option if I want to set the cookie expire time separately?

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

No response

Anything else?

No response

[MihuBot]

I'm a bot. Here are possible related and/or duplicate issues (I may be wrong):

• Clarify behavior of CookieAuthenticationOptions.Cookie.Expiration #4671
• API comments for CookieAuthenticationOptions.Cookie Property problems #15182

[MackinnonBuck]

We should clarify the XML docs to remove this remark and instead state that this property should be used instead of CookieOptions.Expires.

In CookieAuthenticationHandler, we override CookieOptions.Expires anyway based on the value specified in CookieAuthenticationOptions.ExpireTimeSpan.

[halter73]

or are there a better option if I want to set the cookie expire time separately?

We're working to update the docs to clarify that ExpireTimeSpan controls both the expiration stored in the encrypted cookie and the expiration sent to the browser in the Set-Cookie header.

Is there any reason you want to configure the browser cookie lifetime separately? I don't think we easily allow that today, and I think that's probably for the best, because sending the browser a cookie expiration different than what's stored in the encrypted cookie seems like a sure sign of misconfiguration. I'm not sure why you'd ever want these to be different.