Reputation: 7268
I'm developing an MVC5 website that uses the OWIN authentication system (Microsoft.Owin v4.1.0 via NuGet). I validate a user's login credentials against a database, and then use the OWIN IAuthenticationManager to sign them in. Here is the relevant code:
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

public class AuthManager : IAuthManager
{
    private readonly IAuthenticationManager AuthenticationManager;

    public AuthManager()
    {
        this.AuthenticationManager = HttpContext.Current.GetOwinContext().Authentication;
    }

    public void SignIn(AppUserState appUserState, bool rememberMe)
    {
        AuthenticationProperties authenticationProperties = new AuthenticationProperties()
        {
            AllowRefresh = true,
            IsPersistent = rememberMe,
            ExpiresUtc = DateTime.UtcNow.AddDays(14),
            IssuedUtc = DateTime.UtcNow
        };

        List<Claim> claims = new List<Claim>();
        claims.Add(new Claim(ClaimTypes.NameIdentifier, appUserState.EmailAddress));
        claims.Add(new Claim(ClaimTypes.Name, appUserState.Name));
        claims.Add(new Claim("userState", appUserState.ToString()));

        ClaimsIdentity identity = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);
        this.AuthenticationManager.SignIn(authenticationProperties, identity);
    }
}
The sign-in process works, however persistence does not. After around 30-60 mins the session always ends, despite IsPersistent being set to true. When I step through in the debugger and examine the authenticationProperties object, I can see that IsPersistent is indeed true.
I've read online that this is the flag that determines if your application should keep your user logged in even if the user is not actively using the site. However the user's session always ends.
One thing I've recognised is that the AuthenticationProperties class has a dictionary object inside it:
When I open the dictionary, I can see that there is a key labelled .persistent which has a blank value. I have tried setting this value to True (to copy the behaviour of the .refresh key) - but this simply had no effect.
I don't think the above issue is related to the problem but I thought I should share what investigation I had already performed.
How can I prevent the user from being automatically logged-out?
Upvotes: 1
Views: 1847
Reputation: 7268
It turns out it was nothing to do with cookie expiry times. I tried setting the ExpireTimeSpan to 14 days (as a test) but it made no difference - I was still automatically logged out.
However I was looking at that same method (ConfigureAuth) and saw I had the following code:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    ExpireTimeSpan = new TimeSpan(14, 0, 0, 0, 0),
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});
As a test, I set validateInterval: TimeSpan.FromMinutes(30) to 3000 minutes instead. I was no longer being logged out after 30 minutes. So the reason my sessions were ending is because clearly the call to SecurityStampValidator.OnValidateIdentity is returning that the current user is unauthorized!
Upvotes: 0
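The 30-minute logout in the answer above is the security-stamp check behaving as designed: once validateInterval has elapsed since the cookie was issued, SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser> loads the user through the ASP.NET Identity user manager, compares the stamp claim in the cookie with the stamp stored for that user, and calls RejectIdentity plus SignOut when the lookup or the comparison fails. The question signs users in from its own database with an e-mail address as NameIdentifier, so that Identity-based lookup has nothing to find. The check itself is worth keeping, because it is what lets a password change or a "sign out everywhere" action invalidate cookies that are already in the wild. The following is an added example, not code from the question or from the Katana/ASP.NET Identity libraries, of a custom OnValidateIdentity that performs the same kind of check against the application's own user table. IUserStampStore, CustomStampValidator and the appSecurityStamp claim type are assumptions made for illustration; CookieValidateIdentityContext, RejectIdentity, ReplaceIdentity and Options.SystemClock are the real middleware API.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical lookup into the application's own user table (not part of the
// original post): returns the account's current security stamp, or null when
// the account no longer exists.
public interface IUserStampStore
{
    Task<string> GetSecurityStampAsync(string emailAddress);
}

public static class CustomStampValidator
{
    // Claim that carries the stamp inside the cookie; the claim type name is an assumption.
    public const string StampClaimType = "appSecurityStamp";

    // Builds an OnValidateIdentity callback that re-checks the cookie against the
    // application's own store once per validateInterval. Same contract as
    // SecurityStampValidator.OnValidateIdentity: a cookie whose account is gone or
    // whose stamp no longer matches is rejected; a cookie that still matches is re-issued.
    public static Func<CookieValidateIdentityContext, Task> Create(
        IUserStampStore store, TimeSpan validateInterval)
    {
        return async context =>
        {
            DateTimeOffset now = context.Options.SystemClock.UtcNow;
            DateTimeOffset? issued = context.Properties.IssuedUtc;

            // Inside the interval: accept the cookie without touching the database.
            // A cookie with no IssuedUtc is always checked.
            if (issued.HasValue && now - issued.Value < validateInterval)
            {
                return;
            }

            // The question's SignIn stores the e-mail address in NameIdentifier.
            string email = context.Identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            string cookieStamp = context.Identity.FindFirst(StampClaimType)?.Value;
            string currentStamp = email == null ? null : await store.GetSecurityStampAsync(email);

            bool stillValid = cookieStamp != null
                && currentStamp != null
                && string.Equals(cookieStamp, currentStamp, StringComparison.Ordinal);

            if (!stillValid)
            {
                // Account deleted, or stamp rotated (password reset, "sign out everywhere"):
                // drop the identity for this request and clear the cookie.
                context.RejectIdentity();
                context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
                return;
            }

            // Still valid: sign in again with the same claims. Clearing IssuedUtc/ExpiresUtc
            // makes the cookie middleware write fresh timestamps, so the next database check
            // happens one interval from now; IsPersistent is carried over in Properties.
            ClaimsIdentity refreshed = new ClaimsIdentity(
                context.Identity.Claims, context.Identity.AuthenticationType);
            context.Properties.IssuedUtc = null;
            context.Properties.ExpiresUtc = null;
            context.OwinContext.Authentication.SignIn(context.Properties, refreshed);
        };
    }

    // Cookie middleware wired to the custom validator; follows the shape of the
    // ConfigureAuth block in the answer, with the Identity-based validator swapped out.
    public static void Configure(IAppBuilder app, IUserStampStore store)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            ExpireTimeSpan = TimeSpan.FromDays(14),
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = Create(store, TimeSpan.FromMinutes(30))
            }
        });
    }
}
```

For this to work, the SignIn method from the question has to put the account's current stamp into the cookie at login, for example with claims.Add(new Claim(CustomStampValidator.StampClaimType, stampFromDatabase)), and the application has to rotate the stored stamp whenever the password changes or the user asks to be signed out of all sessions. With that in place the 14-day persistent cookie stays valid across browser restarts, while a revoked account is signed out within one validateInterval.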
Reputation: 4482
Persistent cookies just aren't purged when you close the browser session, they can still expire. Set ExpireTimeSpan in your CookieAuthenticationOptions to something longer.
Upvotes: 1