IdentityServer Session cookie is not sliding
I am facing a weird problem. I am able to do the silent renew, but my IdP cookie is getting sliding.
More into the problem...
I have an IdP session cookie (IdentityServer) lifetime set to expire in 15 minutes and I kept the same time for the access token and id token lifetime too.
On my JavaScript client, I check user activity every 2 minutes and if there is activity in the last 2 min, I will renew the token.
I am able to get the access token and id token with renewed expiration times, but after 15 minutes (the IdP cookie lifetime) silent renew calls are failing and IdP is logging out.
I checked the response of the silent renew call, and I see no cookies being set (with new sliding expiration times) in the response headers.
Are there any settings I am supposed to enable at the server side? Appreciate your help.
asp.net-core asp.net-core-2.0 identityserver4 oidc-client-js
edited Nov 16 '18 at 7:31
Wim Ombelets
asked Nov 14 '18 at 3:55
hashbytes
Have you configured the cookie authentication scheme to use sliding expiration?
– mackie
Nov 14 '18 at 13:08
Yes I did, and I am using the default cookie scheme only.
– hashbytes
Nov 14 '18 at 13:16
I think it will only renew the cookie if you hit the site after it's past half way to expiry - is it possible that you're missing that window?
– mackie
Nov 14 '18 at 13:57
Is it not possible to override this behavior? I need to keep sliding the cookie to 30 more minutes from the last time I do silent renew. If I have 30 min as cookie lifetime, then at the 14th min, if I do silent renew, I have to slide the cookie to another 30 min from that point, which is until the 44th minute from the time the user logs in...
– hashbytes
Nov 14 '18 at 15:32
1 Answer
As @mackie mentioned in the comments, the cookie will slide only if it's past half way to expiry... and this has nothing to do with Identity Server, but .NET framework.
I was able to overcome it by doing this:

    using System;
    using System.Globalization;
    using System.Threading.Tasks;
    using IdentityServer4;
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.Extensions.Options;

    // AppConfiguration is the application's own settings class (not shown here);
    // it exposes CookieLifetimeInSeconds.
    public class CustomCookieOptions : IConfigureNamedOptions<CookieAuthenticationOptions>
    {
        private readonly AppConfiguration _appConfiguration;
        private const string UTC_DATE_TIME_FORMAT = "r";
        private const string EXPIRES_KEY = ".expires";

        public CustomCookieOptions(IOptions<AppConfiguration> appConfiguration)
        {
            _appConfiguration = appConfiguration.Value;
        }

        // Unnamed overload left empty; the named overload below does the work.
        public void Configure(CookieAuthenticationOptions options)
        {
        }

        public void Configure(string name, CookieAuthenticationOptions options)
        {
            options.Events.OnValidatePrincipal = context =>
            {
                // Only act on the cookie named after the IdentityServer default scheme.
                if (context.Principal.Identity.IsAuthenticated &&
                    options.Cookie.Name == IdentityServerConstants.DefaultCookieAuthenticationScheme)
                {
                    // Only renew on authorize requests (the silent renew call).
                    if (context.Properties.Items.ContainsKey(EXPIRES_KEY)
                        && context.Request.Path.Value.StartsWith("/connect/authorize"))
                    {
                        var expiresAt = DateTimeOffset.Parse(
                            context.Properties.Items[EXPIRES_KEY], CultureInfo.InvariantCulture);

                        // Cookie still valid: force a renewal regardless of the half-way rule.
                        if (DateTimeOffset.UtcNow <= expiresAt)
                        {
                            context.ShouldRenew = true;
                            context.Properties.Items[EXPIRES_KEY] =
                                DateTimeOffset.UtcNow.AddSeconds(_appConfiguration.CookieLifetimeInSeconds)
                                    .ToString(UTC_DATE_TIME_FORMAT, CultureInfo.InvariantCulture);
                        }
                    }
                }
                return Task.CompletedTask;
            };
        }
    }

And then register it:

    services.AddSingleton<IConfigureOptions<CookieAuthenticationOptions>, CustomCookieOptions>();
answered Nov 27 '18 at 15:13
Gokulnath
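
A simplified model of the half-way rule from the comments and of the effect of setting `ShouldRenew` as in the answer, using the 30-minute lifetime and 14th-minute silent renew from the comment thread. This is an added example, not code from the thread or from ASP.NET Core; `SlidingExpirationModel`, `OnRequest` and the timeline values are constructed for illustration.

```csharp
using System;

// Simplified model of the cookie handler's sliding-expiration decision.
// Added example: not ASP.NET Core source and not code from the thread.
public static class SlidingExpirationModel
{
    // Applies one authenticated request at `now` to a cookie ticket.
    // forceRenew models the answer's `context.ShouldRenew = true`.
    public static (DateTimeOffset Issued, DateTimeOffset Expires, string Outcome) OnRequest(
        DateTimeOffset issued, DateTimeOffset expires, DateTimeOffset now, bool forceRenew)
    {
        if (now >= expires)
            return (issued, expires, "rejected (cookie expired)");

        TimeSpan elapsed = now - issued;
        TimeSpan remaining = expires - now;

        // Default rule: slide only once more than half the lifetime has passed.
        if (forceRenew || remaining < elapsed)
        {
            TimeSpan lifetime = expires - issued;
            return (now, now + lifetime, "renewed");
        }
        return (issued, expires, "not renewed (before half-way point)");
    }

    public static void Main()
    {
        // Constructed timeline: login at 12:00 UTC, 30-minute cookie,
        // silent renew requests at minutes 14 and 31 after login.
        var login = new DateTimeOffset(2018, 11, 14, 12, 0, 0, TimeSpan.Zero);
        var lifetime = TimeSpan.FromMinutes(30);
        int[] requestMinutes = { 14, 31 };

        foreach (bool forceRenew in new[] { false, true })
        {
            Console.WriteLine(forceRenew ? "Forced renewal:" : "Default sliding expiration:");
            DateTimeOffset issued = login, expires = login + lifetime;

            foreach (int minute in requestMinutes)
            {
                var result = OnRequest(issued, expires, login.AddMinutes(minute), forceRenew);
                issued = result.Issued;
                expires = result.Expires;
                Console.WriteLine(
                    $"  minute {minute}: {result.Outcome}, expires at minute {(expires - login).TotalMinutes}");
            }
        }
    }
}
```

In the default run the request at minute 14 falls before the half-way point, so the cookie still expires at minute 30 and the request at minute 31 is rejected; with forced renewal the same two requests move the expiry to minute 44 and then minute 61.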