Cookie Authentication expiring too soon in ASP.NET Core

c# authentication asp.net-core-mvc

I have a ASP.NET Core 1.1.2 project in which I am using cookie authentication. I am having a problem where users are being prompted to log back in after being idle for an hour or less, and losing work. The code below is what I'm using in the Configure function in Startup.cs to set this up and from what I can tell, it should expire after at least 8 hours. BTW, ProjectProcessFlow is just the name of the project.

  app.UseCookieAuthentication(new CookieAuthenticationOptions()
  {
    AuthenticationScheme = "ProjectProcessFlow",
    LoginPath = new PathString("/Account/Login/"),       
    ExpireTimeSpan = new TimeSpan(8, 0, 0),
    SlidingExpiration = true,
    AutomaticAuthenticate = true,
    AutomaticChallenge = true
  });

I am including Microsoft.AspNetCore.Authentication.Cookies v1.1.2 in NuGet. What do I need to do to get the login expiration to happen at the expected time?

Additional Information:

I found that when the timeout happened and the user was asked to login again, a warning was recorded in the Event Viewer on the server that it couldn't find the logs folder under the project. So I created that folder, and waited for the timeout to happen again. When that happened, a log file was created in that folder that contained this:

Hosting environment: Production
Content root path: C:\inetpub\wwwroot\Sprout
Now listening on: http://localhost:13423
Application started. Press Ctrl+C to shut down.

When I repeated this process, the same thing happened, except that a different number appeared after "localhost:". I should mention that the project name is ProjectProcessFlow, but the URL ends in Sprout.


Solution 1:

I know that is too late for answering this question, but for whom facing this. The IIS reset pool every 20 minutes and every 20 mins ASP.NET generate new key for protect cookie values (Authentication and Session). to prevent this, add following code to ConfigureServices in Startup class

services.AddDataProtection()
                .PersistKeysToFileSystem(new System.IO.DirectoryInfo("SOME WHERE IN STORAGE"))
                //.ProtectKeysWithCertificate(new X509Certificate2());
                .SetDefaultKeyLifetime(TimeSpan.FromDays(90));

A complete guide is here. It is all about DataProtection

Solution 2:

users are being prompted to log back in after being idle for an hour or less, and loosing work.

I have similar configuration, but it works fine for me.

One thing I can think of is you cannot let web server idle for 20 minutes. IIS's app pool default idle time-out is 20 minutes (I could not say for other Linux web server).

So you could either set longer app pool time-out (0 for infinity), or ping every 5 minutes from external service like Monitis.

enter image description here

Related

sum of nested list in Python
Where can I find a TPL dataflow version for 4.0?
Computer shuts down when unplugged
How to restore drive icon on Unity Launcher?
Advantages/Disadvantages of installing from source code [duplicate]
"No module named gnomeapplet " error when trying to run battery indicator
How do I create a swap partition for hibernation?
Is there a way to get Miro to use flash?
Are Intel HD 4000 graphics supported on Ubuntu 10.04 LTS?
How can I fix "The creation of swap space in partition #6 of SCSI2 (0,0,0) (sda) failed" while installing Ubuntu?
How do I control the fan on a Apple Mac Mini?
Spread /home partition over two drives?