10

I am using Identity 2.1 in my MVC5 app. I am setting the isPersistent property of the PasswordSignInAsync to true to enable 'Remember Me':

```csharp
var result = await SignInManager.PasswordSignInAsync(model.Username, 
  model.Password, 
  true, 
  shouldLockout: false);
```

But if I stay logged in overnight, then when I refresh the page in the morning, it logs me out and I have to sign in again. How do I prevent automatic logging out until the user manually logs out?

Is it something to do with the Cookie Authentication that identity uses? I don't really understand the CookieAuthenticationOptions that are set in Startup.Auth.cs.

```csharp
new CookieAuthenticationProvider
{  
   OnValidateIdentity = SecurityStampValidator
      .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
      validateInterval: TimeSpan.FromMinutes(30),
      regenerateIdentity: (manager, user)
      => user.GenerateUserIdentityAsync(manager))
}
```
VMAtm
Rhys Stephens
  • 2
    `validateInterval: TimeSpan.FromMinutes(30)` means that the cookie is only valid for 30 minutes. So yeah, it will be expired by morning. – Erik Funkenbusch Jan 05 '15 at 23:27
  • Great, thanks. I wasn't sure if they were related. – Rhys Stephens Jan 06 '15 at 00:14
  • 2
    @RhysStephens, did you get the answer you expected? Everyone said to change expireTimeSpan. I need our application to be set to expireTimeSpan, but in case remember me is selected, the token should not expire for any reason until the user manually logs out. – Jeeva J Nov 10 '16 at 09:11
  • @JeevaJsb I want something like that as well, have you got the solution? – Fatkhan Fauzi Oct 02 '18 at 11:26
  • The token expiry time cannot be modified as we do in the session. We can only renew the token manually. We have to do it with the "Refreshtoken" feature. But the tricky part here is that we need to do a refresh token after some interval of time. That will help us keep the user active. Did you try this one? – Jeeva J Oct 03 '18 at 08:49
  • http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ – Jeeva J Oct 03 '18 at 08:52
  • @ErikFunkenbusch `validateInterval: TimeSpan.FromMinutes(30)` means to validate the cookie every 30 minutes. It does NOT mean the cookie is valid for 30 minutes. Duration of cookie is controlled using ExpireTimeSpan. – CodingYoshi Sep 27 '20 at 13:57

5 Answers

13

I think you should read this article. There are two different intervals: ValidateInterval and ExpireTimeSpan. And in your case I think you should change the ExpireTimeSpan, not the ValidateInterval.

Mosh Feu
AlexSolovyov
2

There is an explanation of the TimeSpan parameter in a similar question. Simply use infinite cookies, like this:

```csharp
OnValidateIdentity = SecurityStampValidator
  .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
  validateInterval: TimeSpan.FromMinutes(0),
  regenerateIdentity: (manager, user)
  => user.GenerateUserIdentityAsync(manager))
```

This is also needed for it to work correctly:

Call `await UserManager.UpdateSecurityStampAsync(userId);` before `AuthenticationManager.SignOut();`.
Community
VMAtm
  • 1
    This is not working for me. It is still logging me out if I leave it overnight. `OnValidateIdentity = SecurityStampValidator .OnValidateIdentity( validateInterval: TimeSpan.FromDays(30), regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))` Which cookie is it supposed to be? – Rhys Stephens Jan 13 '15 at 02:34
  • @RhysStephens in your code you are using the 30-day timeout. But this may not work as it beats some inner limitations. Try to use an exactly zero-based `TimeSpan` – VMAtm Jan 13 '15 at 11:35
  • I'll try it out. It's a bit clunky to have to do it this way. – Rhys Stephens Jan 13 '15 at 22:35
  • This means that the user can never log out, as per the similar answer you mentioned in your answer. Which means I can't set it to zero. – Rhys Stephens Jan 13 '15 at 23:34
  • @RhysStephens Then I don't understand what exactly you want. – VMAtm Jan 14 '15 at 07:35
  • Well the user still needs to have the option to log out. They should be able to stay logged in if they want to, but can choose to log out whenever they want – Rhys Stephens Jan 15 '15 at 15:18
  • @RhysStephens The session in this case will end after the user logs out manually. – VMAtm Jan 15 '15 at 16:19
  • It doesn't though, as per the linked pages' explanation. It seems a problem with Identity 2 – Rhys Stephens Jan 17 '15 at 13:22
  • I have set it to 0 and ExpireTimeSpan to one minute. Then I left the application idle for 2 minutes. Then I clicked something, and the application got logged out. – Jeeva J Nov 10 '16 at 12:17
  • Thank you for the comment, please see the @AlexSolovyov answer – VMAtm Nov 10 '16 at 15:48
0

From this post, the isPersistent parameter sets whether the authentication session is persisted across multiple requests.

Carlos Liu
0

I had this issue. It was caused by my custom UserStore not implementing IUserSecurityStampStore.

```csharp
public Task<string> GetSecurityStampAsync(IdentityUser user)
{
    return Task.FromResult<string>(user.SecurityStamp);
}
```

Without a security stamp the SecurityStampValidator has nothing to validate and so logs out the user.

user3717478
-1

I should write more. This strange code:

```csharp
OnValidateIdentity = SecurityStampValidator
  .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
  validateInterval: TimeSpan.FromMinutes(0),
  regenerateIdentity: (manager, user)
  => user.GenerateUserIdentityAsync(manager))
```

was causing my app to lose the cookie after 1 day. I really don't know why, but after excluding this code and adding a machine key to my web.config, the "remember me" feature is finally working right.

My current code is:

```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
   AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
   LoginPath = new PathString("/Account/Login"),
   ExpireTimeSpan = TimeSpan.FromDays(5)
});
```
AlexSolovyov
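The two intervals named in the first answer and the security-stamp sign-out from the second, combined in one configuration. This is an added example, not code from any of the posts. Assumptions: `ApplicationUserManager` and `ApplicationUser` are the MVC5 template types used above, the site is served over HTTPS, the 14-day and 30-minute values are illustrative, and `SessionRevocation` is a hypothetical helper name.

```csharp
// Added example. ApplicationUserManager/ApplicationUser come from the MVC5 template;
// SessionRevocation and the chosen time spans are assumptions for illustration.
using System;
using System.Threading.Tasks;
using System.Web;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            // Ticket lifetime: with isPersistent: true the cookie survives this long.
            ExpireTimeSpan = TimeSpan.FromDays(14),
            // Reissue the cookie once more than half of ExpireTimeSpan has elapsed.
            SlidingExpiration = true,
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always, // assumes HTTPS everywhere
            Provider = new CookieAuthenticationProvider
            {
                // How often the cookie's security stamp is re-checked against the
                // user store. A mismatch rejects the cookie; it is not a lifetime.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

public static class SessionRevocation
{
    // Changing the stamp invalidates the user's other cookies at their next check.
    public static async Task SignOutEverywhereAsync(HttpContextBase http)
    {
        var owin = http.GetOwinContext();
        var users = owin.GetUserManager<ApplicationUserManager>();
        await users.UpdateSecurityStampAsync(http.User.Identity.GetUserId());
        owin.Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    }
}
```

Under IIS the cookie is encrypted with the machine key, so a long `ExpireTimeSpan` only helps while every server keeps the same key; that is consistent with the last answer's fix of setting a machine key in web.config.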