ASP.NET Core Identity 3 Cookie timeout

本小妞迷上赌 提交于 2019-12-22 07:57:51

问题


I have a weird issue happening with RC2.

I have setup Identity 3 ExpireTimeSpan to 12 hours using the following configuration option

options.Cookies.ApplicationCookie.ExpireTimeSpan = new TimeSpan(12,0,0);

After logging in to the website and leaving it untouched for ~35-40mins, I get a 401 error (for my ajax post calls) and refreshing the website, I get back to the login page.

Why do I have to reauthenticate when I have setup the ExpireTimeSpan to 12hours?

Is there another setting or configuration that I need?

Also,

How can I get the time left before the expiry occurs? I would like to access that information so I could warn my users that their session will expire after X time.

Thanks!


回答1:


I found the problem

The problem lies with the SecurityStamp mechanism. By default, every 30 minutes, the security stamp is validated. This mostly due to the fact that sign in everywhere is an option. The security stamp is updated usually in identity when the user changes password for instance. This will make all the locations where the user has signed on (except the one where he changed his password) sign out after 30mins because the stamp (usually a guid) has changed.

To implement this functionality, Implement the ISecurityStampStore<T> interface in your UserStore and implement the GetSecurityStampAsync(User user, CancellationToken cancellationToken) method

For more info you can check the security stamp validator code and the reason why it signs you out after 30mins

https://github.com/aspnet/Identity/blob/dev/src/Microsoft.AspNetCore.Identity/SecurityStampValidator.cs

Note: The options.SecurityStampValidationInterval can be set to increase the time check, but it doesn't resolve the problem. After X time, you will still be signed out.



来源:https://stackoverflow.com/questions/38401272/asp-net-core-identity-3-cookie-timeout

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!