Cookie persistence not working in OWIN authentication

Question

I'm developing an MVC5 website that uses the OWIN authentication system (Microsoft.Owin v4.1.0 via NuGet). I validate a user's login credentials against a database, and then use the OWIN IAuthenticationManager to sign them in. Here is the relevant code:

using Microsoft.Owin.Security;

public class AuthManager : IAuthManager
{
    private readonly IAuthenticationManager AuthenticationManager;

    public AuthManager()
    {
        this.AuthenticationManager = HttpContext.Current.GetOwinContext().Authentication;
    }

    public void SignIn(AppUserState appUserState, bool rememberMe)
    {
        AuthenticationProperties authenticationProperties = new AuthenticationProperties()
        {
            AllowRefresh = true,
            IsPersistent = rememberMe,
            ExpiresUtc = DateTime.UtcNow.AddDays(14),
            IssuedUtc = DateTime.UtcNow
        };

        List<Claim> claims = new List<Claim>();
        claims.Add(new Claim(ClaimTypes.NameIdentifier, appUserState.EmailAddress));
        claims.Add(new Claim(ClaimTypes.Name, appUserState.Name));
        claims.Add(new Claim("userState", appUserState.ToString()));

        ClaimsIdentity identity = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);

        this.AuthenticationManager.SignIn(authenticationProperties, identity);
    }
}

The sign-in process works, however persistence does not. After around 30-60 mins the session always ends, despite IsPersistent being set to true. When I step through in the debugger and examine the authenticationProperties object, I can see that IsPersistent is indeed true.

I've read online that this is the flag that determines if your application should keep your user logged in even if the user is not actively using the site. However the user's session always ends.

One thing I've recognised is that the AuthenticationProperties class has a dictionary object inside it:

When I open the dictionary, I can see that there is a key labelled .persistent which has a blank value. I have tried setting this value to True (to copy the behaviour of the .refresh key) - but this simply had no effect.

I don't think the above issue is related to the problem but I thought I should share what investigation I had already performed.

How can I prevent the user from being automatically logged-out?

Answer 1

It turns out it was nothing to do with cookie expiry times. I tried setting the ExpireTimeSpan to 14 days (as a test) but it made no difference - I was still automatically logged out.

However I was looking at that same method (ConfigureAuth) and saw I had the following code:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    ExpireTimeSpan = new TimeSpan(14, 0, 0, 0, 0),
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

As a test, I set the validateInterval: TimeSpan.FromMinutes(30), to 3000 minutes instead. I was no longer being logged out after 30 minutes. So the reason my sessions were ending is because clearly the call to SecurityStampValidator.OnValidateIdentity is returning that the current user is unauthorized!

Answer 2

Persistent cookies just aren't purged when you close the browser session, they can still expire. Set ExpireTimeSpan in your CookieAuthenticationOptions to something longer.