Try our conversational search powered by Generative AI!

Feb 20, 2018
(6 votes)

Make OWIN PCI Compliant using cookie authentication timeouts (ValidateInterval vs ExpireTimeSpan]

Let’s talk about PCI first,

In order to make login PCI compliant, session timeout needs to be set for 15 mins, I had to make two changes to my Startup.cs file.

  1. Set SlidingExpiration to False. Sliding Expiration is set to true by default. [This is optional and depends on requirements.]
  2. ****Add ExpireTimeSpan to 15 mins. ExpireTimeSpan field by default is 14 days.

If you are using cookie authentication in ASP.NET Identity, there are two timeout settings that may look very similar, ValidateInterval and ExpireTimespan

What is ExpireTimeSpan?

ExpireTimeSpan allows you to set how long the issued cookie is valid for. In the code sample below, the cookie is valid for 15 minutes from the time of creation. Once those 15 minutes are up the user will have to sign-in because the SlidingExpiration is set to false.

However, let’s suppose, Sliding expiration is true [by default]. What would happen then?

The cookie would be regenerated on any request within 15 mins. For example, if the user logged in and subsequently made a second request 5 minutes later the cookie would be regenerated for another 15 minutes. If the user logged in and then made a second request at 16th min or later, only then, the user would be prompted to log in.

What is ValidateInterval [this can be tricky]:

In order to understand ValidateInterval, let’s talk about Security stamp first. A Security stamp for a user is created/updated every time a password is created/changed or an external login is added/removed. Every time a user logs in, SecurityStampValidator.OnValidateIdentity validates the security stamp using the cookie. And now, if the user has changed a password, the cookie becomes invalid next time.

The validateInterval attribute of the SecurityStampValidator.OnValidateIdentity checks the security stamp to ensure the validity of the cookie after the given interval. This is different than ExpireTimeSpan.However, the end result will be same Logged out state.

 // Use cookie authentication
            app.UseCookieAuthentication(new CookieAuthenticationOptions
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Login"),
                Provider = new CookieAuthenticationProvider
                    // If the "/util/login.aspx" has been used for login otherwise you don't need it you can remove OnApplyRedirect.
                    OnApplyRedirect = cookieApplyRedirectContext =>
                        app.CmsOnCookieApplyRedirect(cookieApplyRedirectContext, cookieApplyRedirectContext.OwinContext.Get<ApplicationSignInManager<ApplicationUser>>());

                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login to your account.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager<ApplicationUser>, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(15),
                        regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user))
                SlidingExpiration = false,
                ExpireTimeSpan = TimeSpan.FromMinutes(15)

In above example, both timeouts are set to 15 mins. Ideally, ValidateInterval should be set less than ExpireTimeSpan. This is because, once ExpireTimeSpan is reached, the user will automatically get re-validated upon next login request.

Feb 20, 2018


Please login to comment.
Latest blogs
Developer meetups in Stockholm & Helsinki

It's time for developer meetups! Next month we will be in Stockholm and Helsinki. Join us for getting the latest updates from Optimizely, be inspir...

Magnus Kjellander | Feb 23, 2024

Roll Your Own Security Headers

Proper security headers are a must for your Optimizely driven website. There are a variety of tools out there that will help with this, but when...

Ethan Schofer | Feb 21, 2024

Migrate Catalog content properties

A colleague asked me yesterday – how do we migrate properties of catalog content. There is, unfortunately, no official way to do it. There are...

Quan Mai | Feb 20, 2024 | Syndicated blog

Adjust log levels in Optimizely DXP

You may adjust the log levels for your site in Optimizely DXP yourself, but only for the Integration environment. Follow this step-by-step guide.

Tomas Hensrud Gulla | Feb 20, 2024 | Syndicated blog