How IsPersistent works in OWIN Cookie authentication

c# asp.net-mvc asp.net-mvc-5 owin

28,579

Solution 1

Persistent cookies will be saved as files in the browser folders until they either expire or manually deleted. This will cause the cookie to persist even if you close the browser.

If IsPersistent is set to false, the browser will acquire session cookie which gets cleared when the browser is closed.

Now the reason session cookie wont clear after restarting the browser is because of chrome default settings. To fix it go to chrome settings -> advanced, and uncheck Continue running background apps when Google Chrome is closed under System section.

Solution 2

public void Configuration(IAppBuilder app)
{
    //Some Code
    app.UseCookieAuthentication(GetCookieAuthenticationOptions());
    //Some Code
}

private static CookieAuthenticationOptions GetCookieAuthenticationOptions()
{
    var options  = new CookieAuthenticationOptions();
    {
        CookieName = "AuthCookie",  //Some cookie settings here
    };
    var provider = (CookieAuthenticationProvider)options.Provider;
    provider.OnResponseSignIn = (context) => 
    {
        context.Properties.IsPersistent = true;
        context.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddHours(24);
    };
    return options;
}

28,579

cuongle

Email: [email protected]

Updated on July 09, 2022

Comments

cuongle almost 2 years
It seems I don't understand clearly how IsPersistent in OWIN cookie authentication works, the code below is to use IsPersistent:
```
var context = Request.GetOwinContext();
var authManager = context.Authentication;
var properties = new AuthenticationProperties { IsPersistent = isPersistence };

authManager.SignIn(properties, identity);
```
I don't see the difference when user checks/unchecks Remember me (uses IsPersistent behind) because if I close Chrome browser and open it again to go with the website, the cookie .AspNet.ApplicationCookie is still there and it lets me in even I check or uncheck Remember me.

I have checked the definition of IsPersistent on the link:

Gets or sets whether the authentication session is persisted across multiple requests.

But don't get much understanding since I see it still works.

The code to setup OWIN cookie authentication:
```
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationMode = AuthenticationMode.Active,
    AuthenticationType = ApplicationTypes.ApplicationCookie,
    ExpireTimeSpan = TimeSpan.FromMinutes(30),
    LoginPath = new PathString("/Account/LogOn")
});
```
cuongle over 8 years

Awesome answer, this is the first time I know this setting, thanks a lot
PBMe_HikeIt about 8 years

Actually there is another Chrome setting that will impact whether browser clears cookie. It is "continue where you left off" Good answer at ths SO Post If set then cookie is not cleared
Ella S. over 5 years

Not working for core. There is no CookieAuthenticationProvider in Core Library.
PillowMetal about 4 years

As of this date, and under .net core 3.1, "continue running in background" had no influence in my testing. What DID have an effect is "continue where you left off" Since I wanted to ensure the user was always logged out, I placed the following code in the initial controller executed at startup: public async Task<IActionResult> IndexAsync() { if (_signInManager.IsSignedIn(HttpContext.User)) { await _signInManager.SignOutAsync(); return RedirectToAction(); } return View(); }
Alexander Mihailov over 3 years

As of 28.10.2020 MVC 5.2 asp.net 4 both options Continue running ... and Continue where ...do not have any effect on the cookie - it persists between tab/browser closes
Patrick about 2 years

Saved my day. was trying to do it with OnValidateIdentity first but it didn't work. Thank you!