30

How do I implement an Automatic Logout Timer.

So basically if the user is inactive for x minutes their session is ended?

I have tried:

<system.web> 
   <sessionState timeout="1"/>
</system.web>

But it doesn't seem to work.

Here is code that is in my startup:

public void ConfigureAuth(IAppBuilder app)
{
  // Enable the application to use a cookie to store information for the signed in user
  app.UseCookieAuthentication(new CookieAuthenticationOptions
  {
      AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
      LoginPath = new PathString("/Account/Login")
   });
 }

Which says that I am using cookie Authentication. So i dono what that entails if I can do it or not.

Hao Kung
  • 28,040
  • 6
  • 84
  • 93
Zapnologica
  • 22,170
  • 44
  • 158
  • 253

1 Answers1

66

Its a property in the App_Start\Startup.Auth.cs file:

  app.UseCookieAuthentication(new CookieAuthenticationOptions
  {
      ExpireTimeSpan = TimeSpan.FromMinutes(5),
      AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
      LoginPath = new PathString("/Account/Login")
   });
Serguei Fedorov
  • 7,763
  • 9
  • 63
  • 94
Hao Kung
  • 28,040
  • 6
  • 84
  • 93
  • May I ask where do you find information on this? I.e where is it documented? What are all the settings options I have available? – Zapnologica Feb 07 '14 at 06:53
  • 1
    Also is it possible to make the system redirect or show a page saying timed out please login again? – Zapnologica Feb 07 '14 at 08:27
  • 2
    Sure if you have an [Authorize] attribute protecting your action it automatically redirects you to the LoginPath in the options there. Aka it redirects you to the login page. – Hao Kung Feb 07 '14 at 19:05
  • What I meant is like with internet banking, It must popup saying that your session has expired and you have been automatically logged out. Please login again. I want that to be displayed as the users session is timed out. – Zapnologica Feb 10 '14 at 07:31
  • @Zapnologica - It would be fairly trivial to write this yourself using window.setTimeout in the front end. The main issue you would have is with multiple tabs, so rather than *show* the warning after the timeout - you'd want to make an Ajax request to the server to verify if the user was still logged on, and show your popup/layover based on that response. If you require more detail, please ask a new question. – pwdst Feb 11 '14 at 11:52
  • 3
    I believe the correct name is ExpireTimeSpan. Might have changed in the update to V2. – PretzelSteelersFan Apr 08 '14 at 15:40
  • Could you say how do we have configure web.config in that case? Thank you! – NoWar Oct 17 '14 at 18:14
  • 1
    Hi Kung. I follow your approach but it doesn't work for me. I set ExpireTimeSpan and added [Authorize] but still is user logged wht time expire. – kat1330 Oct 28 '14 at 20:12
  • 1
    ExpireTimeSpan is used to dictate how long a "Remember Me" cookie will remember the logged in user, through closing the browser, etc. – Aaron Jun 09 '16 at 17:35
  • 1
    i have used this property, but it seems to be not working, any idea why? – Ehsan Sajjad Jun 15 '16 at 01:56
  • 11
    This doesn't work. `ExpireTimeSpan ` is used when you want to expire the user session even if the user is still active. For inactivity first you need to set the `SlidingExpiration` to true and then add the following code. `Provider = new CookieAuthenticationProvider { OnResponseSignIn = context => { context.Properties.AllowRefresh = true; context.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(10); } }` – Rida Iftikhar Dec 06 '17 at 06:12