CODEWITHSUNDEEP
asp.net-mvcweb-config
AME
AME

Reputation: 2302

Session timeout does not work ( is set in web.config )

I used the ClaimsIdentity Framework to set up auth in one of my applications.

I added those lines into the web.config file like decribed in this question.

<sessionState
         mode="InProc"
         timeout="1" />

I let the application run overnight, but I was still logged in. I'd like to set the session timeout to 30 minutes, any suggestions ?

ASP.NET MVC Version: 5.2.3.0

Upvotes: 0

Views: 1555

Answers (1)

Erik Philips
Erik Philips

Reputation: 54628

Per ASP.Net-Identity-Cookie-Authentication-Timeouts you should be using Identity's UseCookieAuthentication() parameters to set the timeout.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
  AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
  LoginPath = new PathString("/Account/Login"),
  Provider = new CookieAuthenticationProvider
  {
    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
        validateInterval: TimeSpan.FromMinutes(15),
        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)),
  },
  SlidingExpiration = false,
  ExpireTimeSpan = TimeSpan.FromMinutes(30)
});

CookieAuthenticationOptions.ExpireTimespan is the option that allows you to set how long the issued cookie is valid for. In the example above, the cookie is valid for 30 minutes from the time of creation. Once those 30 minutes are up the user will have to sign back in becuase the SlidingExpiration is set to false.

If SlidingExpiration is set to true then the cookie would be re-issued on any request half way through the ExpireTimeSpan. For example, if the user logged in and then made a second request 16 minutes later the cookie would be re-issued for another 30 minutes. If the user logged in and then made a second request 31 minutes later then the user would be prompted to log in.

Upvotes: 2

Related Questions