
I'm developing an API in ASP.NET Core 2.0 with EF Core. I have configured Identity cookie authentication in `Startup.cs` as follows.

```csharp
services.ConfigureApplicationCookie(options =>
{
    // Cookie settings
    options.Cookie.HttpOnly = true;
    options.Cookie.Name = "example-cookie-name";
    options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
    options.Cookie.SameSite = SameSiteMode.None;
    options.ExpireTimeSpan = TimeSpan.FromDays(14);
    options.SlidingExpiration = true;
    options.Cookie.Expiration = TimeSpan.FromDays(14);
});
```

When a user logs in to the API, it creates a cookie with the expiry time set to 1969-12-31T23:59:59.000Z (taken from Chrome browser F12). After some time (20-30 min), all the claims no longer exist.

Also, `User.Identity.IsAuthenticated` is set to false. Because of that, I'm not able to resolve the database context (which uses claim values).

Is this the expected behavior in ASP.NET Core Identity? If so, how can I use a middleware solution to delete the cookie, or some other workaround to do that? Once the cookie is deleted, the user can log in again.

Content updated

```csharp
services.AddIdentity<User, Role>()
    .AddEntityFrameworkStores<DataContext>()
    .AddDefaultTokenProviders();
```

Also in

```csharp
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    ...
    app.UseAuthentication();
    app.UseContextAuthorizeValidatorMiddleware();
    app.UseMvc();
}
```

Inside `UseContextAuthorizeValidatorMiddleware`, I checked this:

```csharp
public Task Invoke(HttpContext httpContext)
{
    var isAuthenticated = httpContext.User.Identity.IsAuthenticated;
    //...
    return _next(httpContext);
}
```

Aruna
  • Note: you shouldn't be using `options.Cookie.Expiration`. It was replaced by `ExpireTimeSpan` (which you are also setting). Are you calling `app.UseAuthentication`? Are you calling `services.AddIdentity` to add identity or `services.AddAuthentication` with `CookieAuthenticationDefaults.AuthenticationScheme` to map to `HttpContext.User`? Take a look at [this article](https://learn.microsoft.com/en-us/aspnet/core/migration/1x-to-2x/identity-2x?view=aspnetcore-2.1#cookie-based-authentication). – Dean Aug 19 '18 at 16:48
  • @Dean, updated the question content. – Aruna Aug 19 '18 at 16:59
  • Interesting. Are you saying that for the first 20 minutes after a user logs in, `User.Identity.IsAuthenticated` is true? Then after 20 minutes it's set to false? – Dean Aug 19 '18 at 18:16
  • Also - check [this question and answer](https://stackoverflow.com/a/44503079/3718246) out. I believe that might be a good fix for your situation as well. – Dean Aug 19 '18 at 18:24
  • No, Dean. You can't use `cookie` options inside `services.AddIdentity`. It has been removed from core 2.0. In 1.xx it's possible according to the documentation. – Aruna Aug 20 '18 at 05:18
  • I spent half a day trying to get this working, until I found out I had left this line, which overrides the identity customization: `services.AddDefaultIdentity(options => options.SignIn.RequireConfirmedAccount = true).AddEntityFrameworkStores();` – mshwf Nov 02 '21 at 13:28
