5

Environment: ASP.NET Core 2.0, Identity with cookies.

In Startup.ConfigureServices() there is this:

```csharp
services.ConfigureApplicationCookie(options => {
  options.ExpireTimeSpan = TimeSpan.FromDays(14);
  options.Cookie.Expiration = TimeSpan.FromDays(14);
});
```

The first is from CookieAuthenticationOptions. The second is from CookieBuilder. The docs also mention Microsoft.AspNetCore.Http.CookieOptions.Expires (though it's not available in that lambda).

What is the difference between these? What is the correct way to set an expiry time in Core2?

grokky

2 Answers

4

The following is what I am using to set the expiry for the cookie in a test application that I use.

```csharp
public class Startup
{
    // ...

    // This method gets called by the runtime. Use this method to add services to the container
    public void ConfigureServices(IServiceCollection services)
    {
        // Add framework services.
        // ...

        // ... before services.AddMvc()!
        services.AddAuthentication().AddCookie(options => {
            options.Cookie.Expiration = TimeSpan.FromDays(14);
            options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
            options.Cookie.Name = "MyCookieName";
            options.LoginPath = "/Account/Login";
            options.AccessDeniedPath = "/Account/Forbidden";
        });

        // OR Perhaps, this could be what you need
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Expiration = TimeSpan.FromDays(150);
            options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
            options.Cookie.Name = "MyCookieName";
            options.LoginPath = "/Account/Login";
            options.AccessDeniedPath = "/Account/Forbidden";
        });
        // ...
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        // ... before app.UseMvc()!
        app.UseAuthentication();
        // WAS -> app.UseCookieAuthentication();
        // ...
    }
    // ...
}
```

I think this should get you going in the right direction.

This works for me, and I haven't noticed any issues yet. Although, it's only been a couple of weeks since the Core 2.0 RTM. :)

Hope this helps.

R. Richards
  • I'm using `options.ExpireTimeSpan = TimeSpan.FromDays(14);` as per one of the pages on the docs site. But the existence of three different ways of doing this makes me believe that there are differences between them. Identity has always been a mess (and has never been documented properly), so I am very curious to know more about this issue. Thanks for your real-world confirmation though, it helps! I suspect there is a difference based on when you use cookies with Identity, or cookies without Identity - you are using without, and I use with, so maybe there's a clue there somewhere... – grokky Aug 25 '17 at 13:14
  • Actually, I am using Identity in my project, I just didn't include that in the code since I didn't think it was relevant. My implementation of Identity uses custom user/role classes and implements custom stores for each. I was trying to see if I could successfully avoid using EF. The full code is [here](https://github.com/rdrrichards/QIQO.Business.Web/blob/master/QIQO.Business.Api/Startup.cs). – R. Richards Aug 25 '17 at 13:37
  • It's a side issue, you're right... though it looks like you're adding cookie support twice. At least that's according to the [docs page](https://learn.microsoft.com/en-us/aspnet/core/migration/1x-to-2x/identity-2x#authentication-middleware-and-services) for "cookies with/without Identity". It says you only need to `AddIdentity()` for cookie-based auth, you don't need to `.AddAuthentication().AddCookie(...)`. – grokky Aug 25 '17 at 14:25
  • I can see how it would look like I am adding cookie support twice. I did what I did because I could not find `options.Cookie.Expiration` in the `AddIdentity` options. I got no complaints/errors, so I left it in. I may dig around in the Identity code to see what, if any, side effects this may be causing. – R. Richards Aug 25 '17 at 21:36
  • I added a `services.ConfigureApplicationCookie` chunk to this. I tested it. I didn't see any changes in my app's behavior, but it wasn't anything more than a smoke and a log out/log in. [More info](https://github.com/aspnet/Identity/blob/74c1e19e6c14359d428ffe803a93d846b2123a63/src/Microsoft.AspNetCore.Identity/IdentityServiceCollectionExtensions.cs). – R. Richards Aug 25 '17 at 23:13
  • Yeah `ConfigureApplicationCookie()` is what I'm doing too... I wish they'd properly document all this. The docs are way behind the current version. – grokky Aug 26 '17 at 04:42
  • I'm getting `OptionsValidationException: Cookie.Expiration is ignored, use ExpireTimeSpan instead.` – Mugen Feb 12 '20 at 14:56
1

This code works for me. Only the second block changes cookie expiration.

```csharp
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // Cookie settings
        options.Cookie.HttpOnly = true;
        options.Cookie.SameSite = SameSiteMode.Strict;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.LoginPath = "/Account/Login";
        options.LogoutPath = "/Account/Logout";
        options.AccessDeniedPath = "/Account/AccessDenied";
    });

services.ConfigureApplicationCookie(options =>
{
    // Cookie settings, only this changes expiration
    options.Cookie.HttpOnly = true;
    options.Cookie.Expiration = TimeSpan.FromDays(150);
    options.ExpireTimeSpan = TimeSpan.FromDays(150);
});
```
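
An added example, not code from either answer: it shows the two lifetimes the question asks about side by side. `ExpireTimeSpan` bounds the authentication ticket, `IsPersistent` at sign-in decides whether the browser cookie gets an `Expires` attribute, and `Cookie.Expiration` is left unset, in line with the exception message quoted in the comments. The `/demo-login` route and the `demo-user` name are hypothetical, and the route performs no credential check.

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // With Identity, put the same assignments inside
        // services.ConfigureApplicationCookie(options => { ... }) instead.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                // Lifetime of the authentication ticket carried inside the cookie.
                options.ExpireTimeSpan = TimeSpan.FromDays(14);
                // Reissue the ticket once more than half of that lifetime has elapsed.
                options.SlidingExpiration = true;
                // options.Cookie.Expiration is deliberately not set (it is ignored).
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.SameSite = SameSiteMode.Strict;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.Run(async context =>
        {
            if (context.Request.Path == "/demo-login") // hypothetical demo route
            {
                var scheme = CookieAuthenticationDefaults.AuthenticationScheme;
                var identity = new ClaimsIdentity(
                    new[] { new Claim(ClaimTypes.Name, "demo-user") }, scheme);
                // IsPersistent = true: cookie gets Expires derived from ExpireTimeSpan.
                // IsPersistent = false: session cookie, ticket still expires server-side.
                await context.SignInAsync(scheme, new ClaimsPrincipal(identity),
                    new AuthenticationProperties { IsPersistent = true });
                await context.Response.WriteAsync("signed in");
                return;
            }
            var known = context.User.Identity.IsAuthenticated;
            await context.Response.WriteAsync(known ? "authenticated" : "anonymous");
        });
    }
}
```

Inspecting the `Set-Cookie` response header after `/demo-login` shows an `expires` attribute 14 days out; switching `IsPersistent` to `false` removes it while the ticket lifetime stays at 14 days.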