When using .net identity authentication, the authentication timeout settings is set by code in Startup.Auth.cs, the cookieAuthenticationOptions can set ExpireTimeSpan to decide when the user log in session will be expired,
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(20),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
},
ExpireTimeSpan = TimeSpan.FromMinutes(60*2),
});
Setting the session timeout in web.config sessionstate or iis application session timeout setting does not affect the .net identity authentication timeout.
In addition, this timeout is not set into cookie expiration property. Instead it is managed on server side
This applies to both local database identity provider or third party identity provider, like google oauth2
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(20),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
},
ExpireTimeSpan = TimeSpan.FromMinutes(60*2),
});
Setting the session timeout in web.config sessionstate or iis application session timeout setting does not affect the .net identity authentication timeout.
In addition, this timeout is not set into cookie expiration property. Instead it is managed on server side
This applies to both local database identity provider or third party identity provider, like google oauth2
No comments:
Post a Comment