Feb 20, 2018
(6 votes)

Make OWIN PCI Compliant using cookie authentication timeouts (ValidateInterval vs ExpireTimeSpan]

Let’s talk about PCI first,

In order to make login PCI compliant, session timeout needs to be set for 15 mins, I had to make two changes to my Startup.cs file.

  1. Set SlidingExpiration to False. Sliding Expiration is set to true by default. [This is optional and depends on requirements.]
  2. ****Add ExpireTimeSpan to 15 mins. ExpireTimeSpan field by default is 14 days.

If you are using cookie authentication in ASP.NET Identity, there are two timeout settings that may look very similar, ValidateInterval and ExpireTimespan

What is ExpireTimeSpan?

ExpireTimeSpan allows you to set how long the issued cookie is valid for. In the code sample below, the cookie is valid for 15 minutes from the time of creation. Once those 15 minutes are up the user will have to sign-in because the SlidingExpiration is set to false.

However, let’s suppose, Sliding expiration is true [by default]. What would happen then?

The cookie would be regenerated on any request within 15 mins. For example, if the user logged in and subsequently made a second request 5 minutes later the cookie would be regenerated for another 15 minutes. If the user logged in and then made a second request at 16th min or later, only then, the user would be prompted to log in.

What is ValidateInterval [this can be tricky]:

In order to understand ValidateInterval, let’s talk about Security stamp first. A Security stamp for a user is created/updated every time a password is created/changed or an external login is added/removed. Every time a user logs in, SecurityStampValidator.OnValidateIdentity validates the security stamp using the cookie. And now, if the user has changed a password, the cookie becomes invalid next time.

The validateInterval attribute of the SecurityStampValidator.OnValidateIdentity checks the security stamp to ensure the validity of the cookie after the given interval. This is different than ExpireTimeSpan.However, the end result will be same Logged out state.

 // Use cookie authentication
            app.UseCookieAuthentication(new CookieAuthenticationOptions
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Login"),
                Provider = new CookieAuthenticationProvider
                    // If the "/util/login.aspx" has been used for login otherwise you don't need it you can remove OnApplyRedirect.
                    OnApplyRedirect = cookieApplyRedirectContext =>
                        app.CmsOnCookieApplyRedirect(cookieApplyRedirectContext, cookieApplyRedirectContext.OwinContext.Get<ApplicationSignInManager<ApplicationUser>>());

                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login to your account.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager<ApplicationUser>, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(15),
                        regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user))
                SlidingExpiration = false,
                ExpireTimeSpan = TimeSpan.FromMinutes(15)

In above example, both timeouts are set to 15 mins. Ideally, ValidateInterval should be set less than ExpireTimeSpan. This is because, once ExpireTimeSpan is reached, the user will automatically get re-validated upon next login request.

Feb 20, 2018


Please login to comment.
Latest blogs
Optimizely community meetup - Sept 29 (virtual + Melbourne)

Super excited to be presenting this Thursday the 29th of September at the Optimizely community meetup. For the full details and RSVP's see the...

Ynze | Sep 27, 2022 | Syndicated blog

Preview multiple Visitor Groups directly while browsing your Optimizely site

Visitor groups are great - it's an easy way to add personalization towards market segments to your site. But it does come with it's own set of...

Allan Thraen | Sep 26, 2022 | Syndicated blog

The Report Center is finally back in Optimizely CMS 12

With Episerver.CMS.UI 12.12.0 the Report Center is finally re-introduced in the core product.

Tomas Hensrud Gulla | Sep 26, 2022 | Syndicated blog

Dynamic Route in ASP.NET Core When MapDynamicControllerRoute Does Not Work

Background Creating one of the add-on for Optimizely I had to deal with challenge to register dynamically route for the API controller. Dynamic rou...

valdis | Sep 25, 2022 | Syndicated blog