Cookie Authentication expiring too soon in ASP.NET Core
I have a ASP.NET Core 1.1.2 project in which I am using cookie authentication. I am having a problem where users are being prompted to log back in after being idle for an hour or less, and losing work. The code below is what I'm using in the Configure function in Startup.cs to set this up and from what I can tell, it should expire after at least 8 hours. BTW, ProjectProcessFlow is just the name of the project.
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationScheme = "ProjectProcessFlow",
LoginPath = new PathString("/Account/Login/"),
ExpireTimeSpan = new TimeSpan(8, 0, 0),
SlidingExpiration = true,
AutomaticAuthenticate = true,
AutomaticChallenge = true
});
I am including Microsoft.AspNetCore.Authentication.Cookies v1.1.2 in NuGet. What do I need to do to get the login expiration to happen at the expected time?
Additional Information:
I found that when the timeout happened and the user was asked to login again, a warning was recorded in the Event Viewer on the server that it couldn't find the logs folder under the project. So I created that folder, and waited for the timeout to happen again. When that happened, a log file was created in that folder that contained this:
Hosting environment: Production
Content root path: C:\inetpub\wwwroot\Sprout
Now listening on: http://localhost:13423
Application started. Press Ctrl+C to shut down.
When I repeated this process, the same thing happened, except that a different number appeared after "localhost:". I should mention that the project name is ProjectProcessFlow, but the URL ends in Sprout.
Solution 1:
I know that is too late for answering this question, but for whom facing this.
The IIS reset pool every 20 minutes and every 20 mins ASP.NET generate new key for protect cookie values (Authentication and Session). to prevent this, add following code to ConfigureServices
in Startup
class
services.AddDataProtection()
.PersistKeysToFileSystem(new System.IO.DirectoryInfo("SOME WHERE IN STORAGE"))
//.ProtectKeysWithCertificate(new X509Certificate2());
.SetDefaultKeyLifetime(TimeSpan.FromDays(90));
A complete guide is here. It is all about DataProtection
Solution 2:
users are being prompted to log back in after being idle for an hour or less, and loosing work.
I have similar configuration, but it works fine for me.
One thing I can think of is you cannot let web server idle for 20 minutes. IIS's app pool default idle time-out is 20 minutes (I could not say for other Linux web server).
So you could either set longer app pool time-out (0 for infinity), or ping every 5 minutes from external service like Monitis.