SaaS CMS has officially launched! Learn more now.

Feb 20, 2018
(6 votes)

Make OWIN PCI Compliant using cookie authentication timeouts (ValidateInterval vs ExpireTimeSpan]

Let’s talk about PCI first,

In order to make login PCI compliant, session timeout needs to be set for 15 mins, I had to make two changes to my Startup.cs file.

  1. Set SlidingExpiration to False. Sliding Expiration is set to true by default. [This is optional and depends on requirements.]
  2. ****Add ExpireTimeSpan to 15 mins. ExpireTimeSpan field by default is 14 days.

If you are using cookie authentication in ASP.NET Identity, there are two timeout settings that may look very similar, ValidateInterval and ExpireTimespan

What is ExpireTimeSpan?

ExpireTimeSpan allows you to set how long the issued cookie is valid for. In the code sample below, the cookie is valid for 15 minutes from the time of creation. Once those 15 minutes are up the user will have to sign-in because the SlidingExpiration is set to false.

However, let’s suppose, Sliding expiration is true [by default]. What would happen then?

The cookie would be regenerated on any request within 15 mins. For example, if the user logged in and subsequently made a second request 5 minutes later the cookie would be regenerated for another 15 minutes. If the user logged in and then made a second request at 16th min or later, only then, the user would be prompted to log in.

What is ValidateInterval [this can be tricky]:

In order to understand ValidateInterval, let’s talk about Security stamp first. A Security stamp for a user is created/updated every time a password is created/changed or an external login is added/removed. Every time a user logs in, SecurityStampValidator.OnValidateIdentity validates the security stamp using the cookie. And now, if the user has changed a password, the cookie becomes invalid next time.

The validateInterval attribute of the SecurityStampValidator.OnValidateIdentity checks the security stamp to ensure the validity of the cookie after the given interval. This is different than ExpireTimeSpan.However, the end result will be same Logged out state.

 // Use cookie authentication
            app.UseCookieAuthentication(new CookieAuthenticationOptions
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Login"),
                Provider = new CookieAuthenticationProvider
                    // If the "/util/login.aspx" has been used for login otherwise you don't need it you can remove OnApplyRedirect.
                    OnApplyRedirect = cookieApplyRedirectContext =>
                        app.CmsOnCookieApplyRedirect(cookieApplyRedirectContext, cookieApplyRedirectContext.OwinContext.Get<ApplicationSignInManager<ApplicationUser>>());

                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login to your account.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager<ApplicationUser>, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(15),
                        regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user))
                SlidingExpiration = false,
                ExpireTimeSpan = TimeSpan.FromMinutes(15)

In above example, both timeouts are set to 15 mins. Ideally, ValidateInterval should be set less than ExpireTimeSpan. This is because, once ExpireTimeSpan is reached, the user will automatically get re-validated upon next login request.

Feb 20, 2018


Please login to comment.
Latest blogs
How to have a link plugin with extra link id attribute in TinyMce

Introduce Optimizely CMS Editing is using TinyMce for editing rich-text content. We need to use this control a lot in CMS site for kind of WYSWYG...

Binh Nguyen Thi | Jul 13, 2024

Create your first demo site with Optimizely SaaS/Visual Builder

Hello everyone, We are very excited about the launch of our SaaS CMS and the new Visual Builder that comes with it. Since it is the first time you'...

Patrick Lam | Jul 11, 2024

Integrate a CMP workflow step with CMS

As you might know Optimizely has an integration where you can create and edit pages in the CMS directly from the CMP. One of the benefits of this i...

Marcus Hoffmann | Jul 10, 2024

GetNextSegment with empty Remaining causing fuzzes

Optimizely CMS offers you to create partial routers. This concept allows you display content differently depending on the routed content in the URL...

David Drouin-Prince | Jul 8, 2024 | Syndicated blog