session cookies - User logout after non-persistent login in Asp.Net Identity 2
I am trying to configure ASP.NET Identity 2.2 to be able to log in permanently. I know there are 2 settings to take into account, validateInterval of CookieAuthenticationProvider and ExpireTimeSpan of CookieAuthenticationOptions. Here is the standard configuration that comes with a new MVC 5 application, with ExpireTimeSpan and SlidingExpiration set explicitly to their default values to have them in mind:
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        },
        ExpireTimeSpan = TimeSpan.FromDays(14),
        SlidingExpiration = true,
    });
OnValidateIdentity is called every 30 minutes and checks the security stamp of the user. If it hasn't been changed (so e.g. the user has not changed the password), nothing happens - the user remains logged in. This is OK.
If I log in (non-persistently), a cookie is created with expiration "on browser close". The time of logout is not controlled in any way, and the user remains logged in until he/she closes the browser or makes a change that invalidates the security stamp (change of password or email, etc.).
If I log in persistently, the same cookie is created but it has an expiration in 14 days (which is how persistent login works, it is not "forever" but for some time only). The user remains logged in as long as he/she uses the application at least once every 14 days.
My question is: how can I make a normal (non-persistent) login expire after some time, e.g. 15 minutes, even if the user does not close the browser and the security stamp remains unchanged (which is the equivalent of leaving the browser open for 15 minutes)? If I set ExpireTimeSpan to 15 minutes, all sessions (including persistent ones) become 15 minutes, so this is not a solution.
I succeeded in achieving this by inheriting from SignInManager and adding a new property:
    /// <summary>
    /// Defines how long a user session lasts if it is non persistent. A null value means until the browser is closed (default)
    /// </summary>
    public virtual TimeSpan? NonPersistentSessionDuration { get; set; }
and overriding the method:
    /// <summary>
    /// Creates a user identity and then signs the identity using the AuthenticationManager
    /// </summary>
    /// <param name="user"></param>
    /// <param name="isPersistent"></param>
    /// <param name="rememberBrowser"></param>
    /// <returns></returns>
    public override async Task SignInAsync(TUser user, bool isPersistent, bool rememberBrowser)
    {
        var userIdentity = await CreateUserIdentityAsync(user).WithCurrentCulture();
        // Clear any partial cookies from external or two factor partial sign ins
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie, DefaultAuthenticationTypes.TwoFactorCookie);
        var properties = new AuthenticationProperties { IsPersistent = isPersistent };
        // Give a non-persistent sign-in an explicit expiry when a duration is configured
        if (!isPersistent && this.NonPersistentSessionDuration != null)
            properties.ExpiresUtc = DateTimeOffset.UtcNow.Add(this.NonPersistentSessionDuration.Value);
        if (rememberBrowser)
        {
            var rememberBrowserIdentity = AuthenticationManager.CreateTwoFactorRememberBrowserIdentity(ConvertIdToString(user.Id));
            AuthenticationManager.SignIn(properties, userIdentity, rememberBrowserIdentity);
        }
        else
        {
            AuthenticationManager.SignIn(properties, userIdentity);
        }
    }
The only change is setting the ExpiresUtc property of the AuthenticationProperties object for a non-persistent sign-in.
Of course, in the SignInManager configuration you have to set the new NonPersistentSessionDuration property to the value that will be the session length for non-persistent sessions.
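Because the configuration above has SlidingExpiration = true, a 15-minute ExpiresUtc set at sign-in behaves as an idle timeout rather than a fixed session length. The following added example (not code from the post or from the Katana project) is a simplified model of that renewal rule, written on the assumption that the cookie middleware renews a ticket once more than half of its lifetime has elapsed and honours AuthenticationProperties.AllowRefresh; Ticket, SlidingModel and the sample times are constructed for illustration.

```csharp
using System;

// Simplified model (an assumption, not Katana's source) of how the OWIN cookie
// middleware treats the ticket lifetime stored in AuthenticationProperties.
public sealed class Ticket
{
    public DateTimeOffset IssuedUtc;
    public DateTimeOffset ExpiresUtc;
    public bool? AllowRefresh;   // null behaves like true
}

public static class SlidingModel
{
    // Returns false when the ticket is rejected; may renew the ticket in place.
    public static bool Validate(Ticket t, DateTimeOffset now, bool slidingExpiration)
    {
        if (t.ExpiresUtc < now) return false;              // expired: user is signed out
        if (slidingExpiration && (t.AllowRefresh ?? true))
        {
            TimeSpan elapsed = now - t.IssuedUtc;
            TimeSpan remaining = t.ExpiresUtc - now;
            if (remaining < elapsed)                       // past the halfway point
            {
                TimeSpan lifetime = t.ExpiresUtc - t.IssuedUtc;
                t.IssuedUtc = now;
                t.ExpiresUtc = now + lifetime;             // same length, restarted
            }
        }
        return true;
    }

    // Sends one request every stepMinutes; returns the minute of the first rejection, or -1.
    public static int FirstRejection(bool? allowRefresh, int stepMinutes, int totalMinutes)
    {
        var start = new DateTimeOffset(2020, 1, 1, 0, 0, 0, TimeSpan.Zero); // constructed
        var t = new Ticket { IssuedUtc = start, ExpiresUtc = start.AddMinutes(15), AllowRefresh = allowRefresh };
        for (int m = stepMinutes; m <= totalMinutes; m += stepMinutes)
            if (!Validate(t, start.AddMinutes(m), slidingExpiration: true)) return m;
        return -1;
    }

    public static void Main()
    {
        Console.WriteLine(FirstRejection(null, 10, 120));   // active user, refresh allowed
        Console.WriteLine(FirstRejection(false, 10, 120));  // active user, AllowRefresh = false
    }
}
```

In this model a user who sends a request every 10 minutes is never signed out while refresh is allowed, and is signed out at the first request after the 15 minutes when AllowRefresh is false. If a fixed session length is the goal, setting AllowRefresh = false on the same AuthenticationProperties object is the setting to test.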