4

Here is a website built with ASP.NET Core 3.0. I use cookie authentication and set the cookie expiration time as below:

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options =>
        {
            options.LoginPath = "/Home/Index/";
            options.ReturnUrlParameter = "returnUrl";
            options.Cookie.Name = "pa-lg";

            options.Cookie.IsEssential = true;
            options.SlidingExpiration = true;
            options.ExpireTimeSpan = TimeSpan.FromHours(1);
        });

services.AddAntiforgery(options =>
{
    options.HeaderName = "X-CSRF-TOKEN";
    options.Cookie.Name = "pa-tk";
    options.Cookie.IsEssential = true;
    options.Cookie.Expiration = TimeSpan.FromHours(1);
});

services.Configure<CookieTempDataProviderOptions>(options => options.Cookie.Name = "pa-tmp");
services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromHours(1);
});

In the login action:

await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                              principal,
                              new AuthenticationProperties
                              {
                                  IsPersistent = true,
                                  ExpiresUtc = DateTime.Now.AddMinutes(60)
                              });

I expect that if you don't work with the site for an hour, you will need to log in again, but after about 15 minutes, the user will need to log in.

Why?

Farzaneh Talebi

3 Answers

5

I found the solution here:

Asp.Net core “remember me” persistent cookie not works after deploy

Adding the code below in Startup solved the problem:

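// Requires: using System.IO; using Microsoft.AspNetCore.DataProtection;
public Startup(IConfiguration configuration, IWebHostEnvironment environment)
{
    Configuration = configuration;
    Environment = environment;
}

public IConfiguration Configuration { get; }
public IWebHostEnvironment Environment { get; }

public void ConfigureServices(IServiceCollection services)
{
    // Persist the Data Protection key ring to disk so the keys survive a worker process restart
    services.AddDataProtection()
            .SetApplicationName($"my-app-{Environment.EnvironmentName}")
            .PersistKeysToFileSystem(new DirectoryInfo(Path.Combine(Environment.ContentRootPath, "keys")));
}
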
Farzaneh Talebi
3

The default Idle Time-out (minutes) of the IIS application pool is 20. So if you don't change its value and the website is idle for 20 minutes, the IIS worker process will be terminated. And if you don't configure the data protection, the keys held in memory will be discarded. That explains why the user is redirected to the login page after 20 minutes or 15 minutes.

You can go to the Application Pool settings in IIS and set Load user profile to True.


In this case, the keys will be permanently stored in the user's profile folder for the application's application pool, encrypted by the Windows DPAPI mechanism.

Or you can check these links DotNetTips.info, 1, 2 to keep the login status after an IIS reset and Idle Time-out.

Farhad Zamani
  • I have this problem without restarting the IIS. I want the user not to need to log in if he leaves the site for 1 hour, but after 15 minutes he has to log in. This problem does not exist locally and there is this problem on the host. Although I've used cookies, it looks like part of the app still uses session. – Farzaneh Talebi Jul 08 '20 at 04:28
  • @FarzanehTalebi The default Idle Time-out (minutes) of the `IIS` application pool is 20. So if you don't change its value and the website is idle for 20 minutes, the `IIS` worker process will be terminated. And if you don't configure the data protection, the keys held in memory will be discarded. That explains why the user is redirected to the login page after 20 minutes or 15 minutes. – Farhad Zamani Jul 08 '20 at 04:37
  • I have another site on this host (same `IIS` and same settings) that was written with `asp.net mvc` and does not have this problem. This is a host, not a server; I have no access to `IIS`. – Farzaneh Talebi Jul 08 '20 at 05:18
  • @FarzanehTalebi **ASP.NET Core** uses the [**Data Protection**](https://www.dotnettips.info/post/2519) mechanism to generate temporary encryption keys. This [link](https://www.dotnettips.info/post/2717/) may be helpful – Farhad Zamani Jul 08 '20 at 07:23
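
Added example (not part of the thread or any poster's code): a console sketch of the behaviour the answers above describe. A value protected with one process's in-memory Data Protection key ring cannot be unprotected after a restart, while a key ring persisted to a directory still works. The purpose string, ticket payload, application name and temp directory are constructed for illustration, and it assumes the Microsoft.AspNetCore.DataProtection.Extensions package is referenced.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

class KeyRingRestartDemo
{
    // Constructed values, for illustration only.
    const string Purpose = "demo-auth-ticket";
    const string Ticket = "user=alice;expires=+1h";

    // Each call to startWorkerProcess() stands in for a fresh worker process
    // building its Data Protection provider at startup.
    static bool SurvivesRestart(Func<IDataProtectionProvider> startWorkerProcess)
    {
        // The first process issues the protected cookie value.
        string cookie = startWorkerProcess().CreateProtector(Purpose).Protect(Ticket);

        // Simulated app pool recycle: a new provider instance must read the old cookie.
        IDataProtector afterRestart = startWorkerProcess().CreateProtector(Purpose);
        try
        {
            return afterRestart.Unprotect(cookie) == Ticket;
        }
        catch (CryptographicException)
        {
            // The key that protected the cookie is gone, so the ticket is rejected
            // and the user would be sent back to the login page.
            return false;
        }
    }

    static void Main()
    {
        // Keys held only in memory: every "process" generates a new key ring.
        bool inMemory = SurvivesRestart(() => new EphemeralDataProtectionProvider());

        // Keys persisted to a directory (hypothetical temp path): the key ring is reloaded.
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keys-demo"));
        bool persisted = SurvivesRestart(() =>
            DataProtectionProvider.Create(keyDir, b => b.SetApplicationName("my-app-demo")));

        Console.WriteLine($"in-memory key ring survives restart: {inMemory}");
        Console.WriteLine($"persisted key ring survives restart: {persisted}");
    }
}
```

In a real deployment the key directory holds the secrets that protect every auth cookie, so it should be readable only by the application pool identity.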
0

30 minutes logout issue:

You can also change the .NET CLR version from IIS. Remember: .NET Core is "No Managed Code".

If you want the application to run fine when clicked after the site has been idle, change this.

IIS: Go to the application pool of the application

IIS > Application Pool > Advanced Settings > Change .NET CLR Version from "No Managed Code" to ".NET 4.0" or advanced.

It will break the idle timeout functionality to run the application.
