IdentityServer4 cookie expiration


Try this:

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // …
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = async n =>
                {
                    // Make the cookie persistent so the browser keeps it after closing
                    n.AuthenticationTicket.Properties.IsPersistent = true;
                    // and set the expiration (DateTime.Today is local midnight, so this is the end of the current day)
                    n.AuthenticationTicket.Properties.ExpiresUtc = DateTime.Today.AddDays(1);
                },
            },
            // …
        });

As for the IDS's cookie expiration, you can set it in the ConfigureServices of the Identity Server:

        services.Configure<IdentityOptions>(options =>
        {
            // …
            options.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromDays(1);
            // …
        });
Author by

JakeJ

Updated on June 05, 2022
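
An added example (not code from the answer or from the IdentityServer project) that combines the settings discussed in this thread on a Katana/OWIN client: the ticket is marked persistent so the browser receives an expiry, and the lifetime is bounded in one place because a persistent cookie survives a browser restart. The authority URL, client id and the 10-hour `MaxSession` value are placeholders, and `ApplyLifetime` is a hypothetical helper name.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Assumed policy value: how long a persisted sign-in may live without activity.
    private static readonly TimeSpan MaxSession = TimeSpan.FromHours(10);

    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            // Ticket lifetime; the browser cookie stays session-only unless IsPersistent is set.
            ExpireTimeSpan = MaxSession,
            SlidingExpiration = true,
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idsrv.example.test",   // placeholder
            ClientId = "example-client",                // placeholder
            SignInAsAuthenticationType = "Cookies",
            // Do not derive the cookie lifetime from the id_token; it is set explicitly below.
            UseTokenLifetime = false,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n =>
                {
                    ApplyLifetime(n.AuthenticationTicket.Properties, DateTimeOffset.UtcNow);
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Hypothetical helper: marks the ticket persistent and sets its initial, bounded expiry.
    public static void ApplyLifetime(AuthenticationProperties props, DateTimeOffset now)
    {
        props.IsPersistent = true;
        props.ExpiresUtc = now.Add(MaxSession);
    }
}
```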

Comments

  • JakeJ
    JakeJ almost 2 years

    I have been reading the IdentityServer4 issue threads for about a day now, but am still really confused regarding the session/signin cookie expiration.

    If I set the cookie expiration from the client like this (I'm using an IdentityServer3 client with IdentityServer4 server in order to enable ASP.NET 4.x webapps to authenticate):

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies",
        ExpireTimeSpan = new TimeSpan(10, 0, 0),
        SlidingExpiration = true
    });
    

    I can open Chrome developer tools (F12) and look at the cookies and see that they are set to expire as soon as the browser closes (the expiration date on all cookies for IdentityServer is set to "1969-12-31T23:59:59.000Z"; in other words, the client expiration didn't take).

    That is the case regardless of whether I set both client and server authentication options UseTokenLifetime to true or not:

    Client side:

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        // ...
        UseTokenLifetime = true,
        // ...
    });
    

    Server side:

    services.AddAuthentication()
        .AddOpenIdConnect("MyLoginScheme", "A login scheme", options =>
        {
            // ...
            options.UseTokenLifetime = true;
            // ...
        });
    

    I'm not sure how to get it to take the client cookie lifetime I've set.

  • JakeJ
    JakeJ about 6 years
    Awesome v0id, that works for the client cookie! I'm not sure there's a way to set the idsrv user session cookie ("idsrv") expiration, do you know anything about that?
  • JakeJ
    JakeJ about 6 years
    Currently I'm a bit confused about the checksession endpoint. I could probably try again to link the two / get IdSrv to use the client cookie, but then I think I'll have problems again with the third party identity provider / getting the claims back. That's next now that the client cookie is set.
  • JakeJ
    JakeJ about 6 years
    Thanks for that. What version of IdentityServer are you using? Is that IdentityServer3 options? Maybe not applicable in my case. The client works though, did you know you can use IdentityServer3 clients with IdentityServer4?
  • v0id
    v0id about 6 years
    @JakeJ I'm using Identity.Server4 1.5.2. The class IdentityOptions from Microsoft.AspNetCore.Identity, Version=1.1.2.0 assembly.
  • JakeJ
    JakeJ about 6 years
    Cool. Sorry, I guess I might just have been missing a using statement to get visibility on that. I have another question open on the server side cookie, and it looks like the problem I had was from it not being set persistent (still haven't been able to test because I started having EF / database problems after yesterday's Windows/Visual Studio update).
  • JakeJ
    JakeJ about 6 years
    Apparently it only gets set persistent if you click "remember me" on the third party identity provider login, and I didn't realize that or that the AuthenticationProperties in the Quickstart UI AccountController Login() method had anything to do with the cookie. Still needs testing though, and it'll probably take me a day to unwrap this new database bug so I can get back to it.
  • JakeJ
    JakeJ about 6 years
    Interesting, there must have been considerable changes in Microsoft.AspNetCore.Identity between version 1.1.2.0 and 2.0.1 (I must be using a later version of IdSrv than you are, IdSrv is dependent on that package). The other open question has some leads I'm pursuing, will try that way.
  • gilm0079
    gilm0079 about 6 years
    @JakeJ Did you get this figured out? I also found that the persistence setting controls if the cookie is only alive for the session or has the expiration. Is there a way to tell after OpenIdConnect finishes on the client (in the SecurityTokenValidated event) if the identity server cookie is persistent and what its expiration is? The protocol message includes an expiredIn property, but that seems to be related to the token lifetime, not the cookie.
  • JakeJ
    JakeJ about 6 years
    @gilm0079 I debugged all the way through IdentityServer side code after downloading the source from GitHub and replacing the NuGet package with that. IdentityServer never changes the expiration on the cookie, so it has something to do with Identity / session on Microsoft's side. The best I could do now would be to rely on the token expirations for long lived sessions. So right now, if you close the browser, you are closing the session. That's probably intentional - for instance the new .NET Core cookie logic has no way to set expiration either.
  • JakeJ
    JakeJ about 6 years
    Sorry if this is vague, I haven't looked at this in weeks. I do believe there was a way to tell if it is persistent, think that there's something along those lines in one of the client sample AccountControllers. Good luck.