ASP.NET Core 1.0 - MVC 6 - Cookie Duration

UPDATE:

This is definitely not a bug in RC1. Cookie settings work with the default UserManager and UserStore, so it should be something related to my UserManager / UserStore, which I controlled. I mainly use the implementation here: https://github.com/jesblit/ASPNET5-FormAuthenticationLDAP

Original post:

I have a problem with persistent logins. No matter how I set the cookie, after 30 minutes the user is automatically logged out (no matter how much the user interacts with the application).

I configure my application with

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCaching();
        services.AddSession(options =>
        {
            options.IdleTimeout = TimeSpan.FromDays(1);
            options.CookieName = ".MySessionCookieName";
        });

        services.AddEntityFramework()
            .AddNpgsql()
            .AddDbContext<Model1>(options =>
                options.UseNpgsql(Configuration["Data:DefaultConnection:ConnectionString"]));

        services.AddIdentity<MinervaUser, MinervaRole>(options =>
            {
                options.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromDays(1);
                options.Cookies.ApplicationCookie.SlidingExpiration = true;
                options.Cookies.ApplicationCookie.AutomaticAuthenticate = true;
            })
            .AddUserStore<MinervaUserStore<MinervaUser>>()
            .AddRoleStore<MinervaRoleStore<MinervaRole>>()
            .AddUserManager<MinervaUserManager>();

        services.AddMvc();
    }

and

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        loggerFactory.AddDebug();

        if (env.IsDevelopment())
        {
            app.UseBrowserLink();
            app.UseDeveloperExceptionPage();
            app.UseDatabaseErrorPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            try
            {
                using (var serviceScope = app.ApplicationServices
                    .GetRequiredService<IServiceScopeFactory>()
                    .CreateScope())
                {
                }
            }
            catch { }
        }

        app.UseIISPlatformHandler(options =>
        {
            options.AuthenticationDescriptions.Clear();
            options.AutomaticAuthentication = true;
        });

        app.UseSession();
        app.UseIdentity();
        app.UseStaticFiles();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }

Login Action:

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
    {
        ViewData["ReturnUrl"] = returnUrl;
        if (ModelState.IsValid)
        {
            var result = await _signInManager.PasswordSignInAsync(
                model.Email, model.Password, model.RememberMe, lockoutOnFailure: false);
            if (result.Succeeded)
            {
                _logger.LogInformation(1, "User logged in.");
                return RedirectToLocal(returnUrl);
            }
            ...

I use the default SignInManager. As said, the expiration timeouts that I set in Startup.Configure and Startup.ConfigureServices have no effect. Login → 30 minutes → automatically logged out :(

What to do to extend this period of time?

(btw: the custom User, UserManager and UserStore don't interfere with the cookie, they "just" check credentials (which is what they should do ;)))

0
1 answer

TL;DR: If you have a custom user manager, be sure to use GetSecurityStampAsync, UpdateSecurityStampAsync and set SupportsUserSecurityStamp to true.


The solution to this is pretty simple (but I haven't found it anywhere in the docs). Since the default implementation works (Create new ASP MVC6 App ...), I checked its database tables and found a security stamp (which I did not implement). According to the answer to the question "What is the IUserSecurityStampStore<TUser> interface?", this stamp is checked every 30 minutes, which fits my problem surprisingly well. So all I did was extend my UserManager with

    public class MinervaUserManager : UserManager<MinervaUser> // Minerva being the name of the project
    {
        ...

        public override bool SupportsUserSecurityStamp
        {
            get { return true; }
        }

        public override async Task<string> GetSecurityStampAsync(MinervaUser user)
        {
            // Todo: Implement something useful here!
            return "Token";
        }

        public override async Task<IdentityResult> UpdateSecurityStampAsync(MinervaUser user)
        {
            // Todo: Implement something useful here!
            return IdentityResult.Success;
        }
    }

These dummies always return the same SecurityStamp and "Success" for each update. This is as secure as having no security stamp at all, but it prevents the logout.

+1
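
Added example (not part of the original answer or of the linked project): a user store that keeps a real per-user stamp by implementing IUserSecurityStampStore<TUser>, the interface the answer refers to, so that a stamp change after a password change invalidates older cookies. The class name StampedMinervaUserStore, the MinervaUser.SecurityStamp property, the parameterless base constructor and a persisting UpdateAsync are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity; // RC1 namespace; Microsoft.AspNetCore.Identity from 1.0 RTM on

// Assumptions: MinervaUser has a persisted string property SecurityStamp,
// MinervaUserStore<MinervaUser> has a parameterless constructor, and its
// UpdateAsync writes the user (including the stamp) to storage.
public class StampedMinervaUserStore
    : MinervaUserStore<MinervaUser>, IUserSecurityStampStore<MinervaUser>
{
    // UserManager passes a fresh value here when credentials change
    // (for example on a password change), which invalidates older cookies.
    public Task SetSecurityStampAsync(MinervaUser user, string stamp,
                                      CancellationToken cancellationToken)
    {
        cancellationToken.ThrowIfCancellationRequested();
        if (user == null) throw new ArgumentNullException(nameof(user));
        if (string.IsNullOrEmpty(stamp))
            throw new ArgumentException("Stamp must not be empty.", nameof(stamp));
        user.SecurityStamp = stamp;
        return Task.FromResult(0);
    }

    // Read at sign-in and by the periodic cookie validation; the value is
    // compared with the stamp carried in the authentication cookie.
    public async Task<string> GetSecurityStampAsync(MinervaUser user,
                                                    CancellationToken cancellationToken)
    {
        cancellationToken.ThrowIfCancellationRequested();
        if (user == null) throw new ArgumentNullException(nameof(user));
        if (string.IsNullOrEmpty(user.SecurityStamp))
        {
            // Account predates the stamp: issue one and persist it, otherwise the
            // next validation would see a different value and sign the user out.
            user.SecurityStamp = NewStamp();
            var result = await ((IUserStore<MinervaUser>)this).UpdateAsync(user, cancellationToken);
            if (!result.Succeeded)
                throw new InvalidOperationException("Could not persist security stamp.");
        }
        return user.SecurityStamp;
    }

    private static string NewStamp()
    {
        var bytes = new byte[32]; // 256 random bits
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }
}
```

Register it with .AddUserStore<StampedMinervaUserStore>() in place of MinervaUserStore<MinervaUser> and drop the dummy overrides from the user manager. Because the store implements the interface, the UserManager base class reports SupportsUserSecurityStamp as true on its own.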

Source: https://habr.com/ru/post/1263687/

