Hi Ken, your configuration looks OK and should work. Just wondering, do you have the latest Microsoft OWIN NuGet packages? Prior to version 3 there were some cookie issues and there still is the OWIN vs Web cookie management (https://stackoverflow.com/questions/20737578/asp-net-sessionid-owin-cookies-do-not-send-to-browser , UseKentorOwinCookieSaver() mention). I've tested this with Alloy and the latest NuGet packages, and a 32-minute ExpireTimeSpan with sliding expiration works OK.
BTW, SessionTimeout is something different from how long the authentication cookie is valid. You are building an MVC app, so most likely you are not actually even using session. The session timeout controls how long ASP.NET keeps "stuff" stored in the session. You could even have a situation where your authentication has expired but the stuff stored in the session is still accessible; only the protected resources are not available.
So you might actually want to leave the session timeout at the default and have another setting to control your authentication cookie expiration time.
I hope you understand that I can only give suggestions ;-)
Could you create a new branch and test there upgrading the OWIN packages to the latest version?
Another thing might be that if you lower the OnValidateIdentity timeout to something like 5 minutes, does your authentication then end in 5 minutes, or does it have no effect? This shouldn't be the case unless there is, for example, another browser open where you change the user's password. Just a wild guess, because that is currently 30 minutes and authentication ends in 30 minutes. See this http://www.jamessturtevant.com/posts/ASPNET-Identity-Cookie-Authentication-Timeouts/
Have you used browser developer tools to view the request and response headers when this 30-minute automatic logout happens? (Remember to persist requests in the browser developer tools settings, so that you can see what really happens.)
Do note that it is important to do just one change at a time, because otherwise you won't know which change actually "fixed" your issue.
Your startup is pretty much the same as the Alloy MVC with ASP.NET Identity, so you could use that to validate that the user stays authenticated for more than 30 minutes if the cookie authentication ExpireTimeSpan is more than 30 minutes.
I think I realize what the problem is. If I'm not mistaken, the validation interval will prompt the user for their credentials. I believe that this neither signs the user out nor expires anything. It is simply verifying that the user is who they claim to be.
Since this is not the behavior we want (we want a 4-hour sliding expiration timeout), I have upped the validation interval to a long time period. The expiration time span is now used and we are no longer asked to authenticate after 30 minutes.
Does that make sense?
No, the validation only checks the security stamp of the identity; it does not prompt for credentials. If the security stamp validation succeeds (the stamp hasn't changed), then regenerate identity is called; otherwise the identity is rejected and a redirect to login eventually happens.
A couple more questions for you:
A few suggestions to test the issue in your local development:
Can you test in a separate branch if you upgrade the MS OWIN NuGet packages to version 4.0.0 and test in your local development (assuming you can reproduce the issue in your local development), does it make any difference?
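As an added example (not code from this thread, from Ken's project or from Episerver), here is how the two timeouts discussed above are set independently in an OWIN Startup class. The `ApplicationUserManager`, `ApplicationUser` and `GenerateUserIdentityAsync` names are assumed from the standard ASP.NET Identity template and may differ in an Episerver project.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // ApplicationUserManager / ApplicationUser are the ASP.NET Identity template
        // types (assumed here). The validator below resolves the manager from the
        // OWIN context, so it must be registered per request.
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            // Lifetime of the authentication cookie itself: the 4-hour target.
            // With SlidingExpiration the cookie is reissued on activity once more
            // than half of ExpireTimeSpan has passed. This is independent of the
            // ASP.NET session timeout in web.config.
            ExpireTimeSpan = TimeSpan.FromMinutes(240),
            SlidingExpiration = true,

            Provider = new CookieAuthenticationProvider
            {
                // validateInterval only sets how often the security stamp in the
                // cookie is re-checked against the user store. Unchanged stamp:
                // the identity is regenerated and the user stays signed in.
                // Changed stamp (e.g. password changed in another browser): the
                // cookie is rejected and the user is sent to LoginPath. It never
                // prompts for credentials and is not a logout timer by itself.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

To confirm which setting is in effect, watch the Set-Cookie header on responses in the browser developer tools: a renewed cookie after the validate interval indicates the stamp check passed, while a redirect to LoginPath before ExpireTimeSpan points at a rejected identity or a different cookie configuration.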
I hope someone can help me. We are writing an EpiServer (v11) site, we are using AspNet Identity and OWIN, and we are trying to set the timeout to 4 hours. However, it seems like no matter what we set the timeout to, the site times out in 30 minutes and we get redirected to the login page.
In our web.config, we have the following settings:
and
and, in appSettings,
In our OWIN startup class, we have the following code:
So the timeout in the startup class is also 240 minutes.
Can anyone point me in the right direction as to why the site times out in 30 minutes? I have searched for answers, and I'm obviously not setting something correctly.
Thanks!