Timeout ignored by AspNet Identity and OWIN


I hope someone can help me. We are writing an EpiServer (v11) site, we are using AspNet Identity and OWIN, and we are trying to set the timeout to 4 hours. However, it seems like no matter what we set the timeout to, the site times out in 30 minutes and we get redirected to the login page.

In our web.config, we have the following settings:



and

 

and, in appSettings,


In our OWIN startup class, we have the following code:

using System;
using System.Configuration;
using EPiServer.Cms.UI.AspNetIdentity;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        CookieAuthenticationProvider provider = new CookieAuthenticationProvider();
        // Keep the default redirect handler so it can be chained after the URI is rewritten
        Action<CookieApplyRedirectContext> originalHandler = provider.OnApplyRedirect;

        provider.OnApplyRedirect = context =>
        {
            // Send the user to the login page with a marker that the session expired
            context.RedirectUri = $"{new PathString(Global.LoginPath)}/?session_expired=1";
            originalHandler.Invoke(context);
        };

        // Re-check the user's security stamp every 30 minutes and re-issue the identity if it is unchanged.
        // TManager is assumed here to be EPiServer's ApplicationUserManager<TUser>.
        provider.OnValidateIdentity = SecurityStampValidator
            .OnValidateIdentity<ApplicationUserManager<PortalDirectApplicationUser>, PortalDirectApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user));

        app.SetupPortalDirectAspNetIdentity();

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            CookieName = "OurCookie",
            LoginPath = new PathString(Global.LoginPath),
            Provider = provider,
            SlidingExpiration = true,
            // SessionTimeout is read from appSettings (240 minutes)
            ExpireTimeSpan = TimeSpan.FromMinutes(int.Parse(ConfigurationManager.AppSettings["SessionTimeout"]))
        });
    }
}

So the timeout in the startup class is also 240 minutes.

Can anyone point me in the right direction as to why the site times out in 30 minutes? I have searched for answers and I'm obviously not setting something correctly.

Thanks!

#191827
Apr 30, 2018 15:40

Hi Ken, your configuration looks OK and should work. Just wondering, do you have the latest Microsoft OWIN NuGet packages? Prior to version 3 there were some cookie issues, and there still is the OWIN vs Web cookie management issue (https://stackoverflow.com/questions/20737578/asp-net-sessionid-owin-cookies-do-not-send-to-browser , UseKentorOwinCookieSaver() mention). I've tested this with Alloy and the latest NuGet packages, and a 32 minutes ExpireTimeSpan with sliding expiration works OK.

BTW, SessionTimeout is something different from how long the authentication cookie is valid. You are building an MVC app, so most likely you are not actually even using session. The session timeout controls how long ASP.NET keeps "stuff" stored in the session. You could even have a situation where your authentication has expired but stuff stored in the session is still accessible; only the protected resources are not available.

So you might actually want to leave the session timeout at the default and have another setting to control your authentication cookie expiration time.

#191836
Apr 30, 2018 21:41

Thanks for getting back to me. The OWIN packages I have are all 3.1.0.

#191853
May 01, 2018 17:53

I hope you understand that I can only give suggestions ;-)

Could you create a new branch and test there upgrading the OWIN packages to the latest version?

Another thing might be that if you lower the OnValidateIdentity timeout to something like 5 minutes, does your authentication then end in 5 minutes, or is there no effect? This shouldn't be the case unless there is, for example, another browser open where you change the user's password. Just a wild guess, because that is currently 30 minutes and authentication ends in 30 minutes. See this: http://www.jamessturtevant.com/posts/ASPNET-Identity-Cookie-Authentication-Timeouts/

Have you used browser developer tools to view the request and response headers when this 30 minutes automatic logout happens? (Remember to persist requests in the browser developer tools settings, so that you can see what really happens.)

Do note that it is important to do just one change at a time, because otherwise you won't know which change actually "fixed" your issue.

Your startup is pretty much the same as the Alloy MVC with ASP.NET Identity, so you could use that to validate that the user stays authenticated for more than 30 minutes if the cookie authentication ExpireTimeSpan is more than 30 minutes.

#191855
May 01, 2018 19:44

Also, what Expires value does the cookie have while authenticated?

#191862
May 01, 2018 23:21

I think I realize what the problem is. If I'm not mistaken, the validation interval will prompt the user for their credentials. I believe that this neither signs the user out nor expires anything. It is simply verifying that the user is who they claim to be.

Since this is not the behavior we want (we want a 4 hour sliding expiration timeout), I have upped the validation interval to a long time period. The expiration time span is now used and we are no longer asked to authenticate after 30 minutes.

Does that make sense?

#191899
May 02, 2018 14:24

No, the validation only checks the security stamp of the identity; it does not prompt for credentials. If the security stamp validation succeeds (the stamp hasn't changed) then regenerate identity is called; otherwise the identity is rejected and a redirect to login eventually happens.

A couple more questions for you:

  • can you reproduce this unwanted logout after 30 minutes in development environment?
  • is this issue actually happening in production environment only?
    • is your prod env load balanced?
      • if yes, do you have the same machineKey defined in web.config for all your web front servers?
      • what kind of load balancing is used: round robin, sticky session, ...?

A few suggestions to test the issue in your local development:

  • if you can reproduce this issue in your local environment
    • login to your app
    • go for lunch (30 minutes and more, assuming you still have the four hour sliding expiration for the cookie)
    • are you logged out of the app after lunch? ;-)
  • another option that you could try out
    • lower the securitystamp validation for example to 5 minutes
      • means that the securitystamp is validated every 5 minutes
    • lower the cookie expiration time to 20 minutes
      • means that if no request in 20 minutes your login will expire
      • if you keep using the app then the authentication cookie is refreshed at 10 minutes mark

Can you test in a separate branch whether upgrading the MS OWIN NuGet packages to version 4.0.0 makes any difference in your local development (assuming you can reproduce the issue in your local development)?

#191927
Edited, May 02, 2018 20:09
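As an added example (not code from the thread or from EPiServer), the startup pieces reworked along the lines of the replies above: the authentication cookie lifetime and the stamp-check interval each get their own appSettings key instead of reusing SessionTimeout, and the standard validator is wrapped so that every check logs the ticket's IssuedUtc/ExpiresUtc and whether the stamp was rejected, which answers the "what Expires value does the cookie have" question from the server side. Assumed names: PortalDirectApplicationUser from the question, EPiServer's ApplicationUserManager<TUser> as the manager type, and the keys AuthCookieTimeoutMinutes and SecurityStampValidateMinutes.

```csharp
using System;
using System.Configuration;
using System.Diagnostics;
using EPiServer.Cms.UI.AspNetIdentity;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
// Added example. Assumed: PortalDirectApplicationUser (from the question) and two new
// appSettings keys, so neither timeout is taken from the ASP.NET <sessionState> value.
public static class AuthCookieSetup
{
    static TimeSpan Minutes(string key, int fallback) =>
        TimeSpan.FromMinutes(int.Parse(ConfigurationManager.AppSettings[key] ?? fallback.ToString()));

    public static CookieAuthenticationOptions Build(string loginPath)
    {
        var stampCheck = SecurityStampValidator
            .OnValidateIdentity<ApplicationUserManager<PortalDirectApplicationUser>, PortalDirectApplicationUser>(
                validateInterval: Minutes("SecurityStampValidateMinutes", 30),
                regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user));

        var provider = new CookieAuthenticationProvider
        {
            OnValidateIdentity = async context =>
            {
                // The ticket's own issue/expiry times; ExpiresUtc is what the cookie's
                // Expires attribute seen in the browser should agree with.
                var user = context.Identity?.Name;
                var issued = context.Properties.IssuedUtc;
                var expires = context.Properties.ExpiresUtc;
                await stampCheck(context);   // the stamp is only really checked once validateInterval has elapsed since issue
                if (context.Identity == null)
                    // Stamp changed (e.g. password reset elsewhere): ticket rejected, redirect to LoginPath follows
                    Trace.TraceWarning("Security stamp rejected for {0}; issued {1:u}, expires {2:u}", user, issued, expires);
                else
                    Trace.TraceInformation("Ticket for {0} accepted; issued {1:u}, expires {2:u}", user, issued, expires);
            }
        };
        return new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString(loginPath),
            Provider = provider,
            SlidingExpiration = true,
            ExpireTimeSpan = Minutes("AuthCookieTimeoutMinutes", 240)   // 4 hours, independent of session timeout
        };
    }
}
```

Call `app.UseCookieAuthentication(AuthCookieSetup.Build(Global.LoginPath))` from the OWIN startup; with Trace output enabled, a logout before ExpiresUtc that is accompanied by a "Security stamp rejected" line points at the stamp check rather than at cookie expiry.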