Identity Server 3 User Session Lifetime

Question

I\'m securing a web app with identity server 3. My app is split into 2 oidc clients a ASP.Net MVC client and a javascript(angular) client which uses the oidc-client javascr

Answer 1

What you are looking to control is the lifetime for the cookie IdentityServer itself issues. Once this cookie expires, the next time one of the client applications need to authenticate again, the user will need to reenter their credentials.

This cookie lifetime is controlled in the CookieOption found in the AuthenticationOptions of the IdentityServerOptions (see below) and defaults to 10 hours.

var options = new IdentityServerOptions
{
    Factory = factory,
    SigningCertificate = Cert.Load(),
    AuthenticationOptions = new AuthenticationOptions
    {
        CookieOptions = new IdentityServer3.Core.Configuration.CookieOptions
        {
            ExpireTimeSpan = TimeSpan.FromHours(24)
        }
    }
};