Make OWIN PCI Compliant using cookie authentication timeouts (ValidateInterval vs ExpireTimeSpan]

Let’s talk about PCI first,

In order to make login PCI compliant, session timeout needs to be set for 15 mins, I had to make two changes to my Startup.cs file.

1. Set SlidingExpiration to False. Sliding Expiration is set to true by default. [This is optional and depends on requirements.]
2. ****Add ExpireTimeSpan to 15 mins. ExpireTimeSpan field by default is 14 days.

If you are using cookie authentication in ASP.NET Identity, there are two timeout settings that may look very similar, ValidateInterval and ExpireTimespan

What is ExpireTimeSpan?

ExpireTimeSpan allows you to set how long the issued cookie is valid for. In the code sample below, the cookie is valid for 15 minutes from the time of creation. Once those 15 minutes are up the user will have to sign-in because the SlidingExpiration is set to false.

However, let’s suppose, Sliding expiration is true [by default]. What would happen then?

The cookie would be regenerated on any request within 15 mins. For example, if the user logged in and subsequently made a second request 5 minutes later the cookie would be regenerated for another 15 minutes. If the user logged in and then made a second request at 16th min or later, only then, the user would be prompted to log in.

What is ValidateInterval [this can be tricky]:

In order to understand ValidateInterval, let’s talk about Security stamp first. A Security stamp for a user is created/updated every time a password is created/changed or an external login is added/removed. Every time a user logs in, SecurityStampValidator.OnValidateIdentity validates the security stamp using the cookie. And now, if the user has changed a password, the cookie becomes invalid next time.

The validateInterval attribute of the SecurityStampValidator.OnValidateIdentity checks the security stamp to ensure the validity of the cookie after the given interval. This is different than ExpireTimeSpan.However, the end result will be same Logged out state.

 // Use cookie authentication
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Login"),
                Provider = new CookieAuthenticationProvider
                {
                    // If the "/util/login.aspx" has been used for login otherwise you don't need it you can remove OnApplyRedirect.
                    OnApplyRedirect = cookieApplyRedirectContext =>
                    {
                        app.CmsOnCookieApplyRedirect(cookieApplyRedirectContext, cookieApplyRedirectContext.OwinContext.Get<ApplicationSignInManager<ApplicationUser>>());
                    },

                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login to your account.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager<ApplicationUser>, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(15),
                        regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user))
                },
                SlidingExpiration = false,
                ExpireTimeSpan = TimeSpan.FromMinutes(15)
            });

In above example, both timeouts are set to 15 mins. Ideally, ValidateInterval should be set less than ExpireTimeSpan. This is because, once ExpireTimeSpan is reached, the user will automatically get re-validated upon next login request.