Asp net core 3.1 Session never expires

Question

I have tried everything I found on StackOverflow but I still cannot manage for Session (contents) to be expired automatically.

I've tried:

This 1
This 2
And few other StackOverflow links

I do not access Session data (set,get) on ajax calls, so this cannot increase session expiration automatically.

It was so easy/trivially in old AspNet MVC - worked as expected immediately.

And all I do I store custom login (data) into Session and expect Session to drop after, say 20 minutes of user's inactivity. But this never happens.

Any ideas?

EDIT: Cookies

 lb_commonator=ffffffff0972280045525d5f4f58455e445a4a423660; crowd.token_key=7qN9z4UYR3tCjYdronwmOw00; .AspNetCore.Antiforgery.tYkxYH7Bg6I=CfDJ8OahW8JbNMdPv78xOmnUC6BtivuFvWy4RhYaN0oRtiUvkLpVtHLxgQaQOS1RTNqT8E0LaobeaNdLIhhoy4z4qSJleqiK2QJTWEptEDFAITNCTdh03AIqcd0mBL0FZeFcr5GalTfqiNahST7eUL7Wnpg; .AspNetCore.Session=CfDJ8OahW8JbNMdPv78xOmnUC6Cwi2HZVPs93%2Bohf8c%2BvQ1hWZVHeu54cwkg8PND41KXN1F%2BeAOSnTnkiT3RAGb3mPQjLRMpcq1x9f5KFrgegRRoEDHx%2FgEknhSOo8yCfKp1srlrzTWUtpUF8tsFKn1JwPLI9fHT77SGscSkTMrsueYr

EDIT 2 (IdleTimeout and ExpireTimeSpan have no effect at all):

    // Add session
    // Add session
    // Add session
    services.AddSession();

    // TESTING: TODO:
    // TESTING: TODO:
    // TESTING: TODO:
    //services.AddSession(options =>
    //{
    //    options.IdleTimeout = TimeSpan.FromSeconds(10);
    //});
    //services.ConfigureApplicationCookie(options =>
    // {
    //     options.SlidingExpiration = true;
    //     options.ExpireTimeSpan = TimeSpan.FromSeconds(10);
    // });

EDIT 3:

I means properties from developer tools [![enter image description here](https://i.stack.imgur.com/A1tYP.png)](https://i.stack.imgur.com/A1tYP.png) — Ilnar Gabidullin, Aug 31 '20 at 10:11
After some testing it seems, that session expires normally after (default) 20 minutes. I was just not able to change default time (20 minutes). — sabiland, Sep 16 '20 at 08:48

Ilnar Gabidullin · Answer 1 · 2020-09-03T16:15:30.757

0

// TESTING: TODO:
// TESTING: TODO:
// TESTING: TODO:
//services.AddSession(options =>
//{
//    // session data experation in storage
//    // for example, if you use redis, this will add ttl 10 secs
//    // for data in redis, but no influence to cookie lifitime
//    options.IdleTimeout = TimeSpan.FromSeconds(10);
//    // this will affect on cookie liftime in browser
//    // if you do not set it, cookie will be Session
//    // and expire when you close your browser
//    options.Cookie.MaxAge = TimeSpan.FromHours(1);
//});

EDIT:

To refresh existing session cookie you will need to track cookie creation time for example in session data and reset cookie in middleware

     app.Use(async (context, next) =>
     {
         string sessionCookie;
         if (/*add here expiration check &&*/ context.Request.Cookies.TryGetValue("SessionCookieName", out sessionCookie))
         {
             context.Response.Cookies.Append("SessionCookieName", sessionCookie, new CookieOptions
             {
                 MaxAge = TimeSpan.FromSeconds(10),
                 HttpOnly = true,
                 SameSite = SameSiteMode.Lax,
                 Path = "/"
             });
         }
         await next.Invoke();
     });

Or you also can write middleware that handle session cookie sliding expiration (expiration time may be added to cookie data) instead default Session middleware. Default implementation is here.
I do not know what kind of task are you solving, but I think the following configuration is enough:
```
 services.AddSession(options =>
 {
    options.IdleTimeout = TimeSpan.FromSeconds(10);
 });
```

It will invalidate your session data in 10 seconds (cookie may still be alive), and it provide sliding expiration for session data.

edited Sep 03 '20 at 16:15

answered Aug 31 '20 at 10:31

Ilnar Gabidullin

162
1
8

I've added screenShot of cookie expires infos. – sabiland Sep 01 '20 at 07:14
As mentionded in code block in this answer, when you do not set options.Cookie.MaxAge you cookie will be Session (5-th column in your pictue). It will expire only when you close the browser (I had some troubles with opera). If you will set options.Cookie.MaxAge = TimeSpan.FromSeconds(10); - it will expire after 10 second. But if you repeat your query, that use session data, new cookie will be set. Use the following configuration and track in dev tools if cookie expire: ``` services.AddSession(options => { options.Cookie.MaxAge = TimeSpan.FromSeconds(1); }); – Ilnar Gabidullin Sep 01 '20 at 09:03
As for method ConfigureApplicationCookie - it will affect only Authentication cookies – Ilnar Gabidullin Sep 01 '20 at 09:49
Thank you for the idea. I'll try it! – sabiland Sep 01 '20 at 12:39
IInar, setting MaxAge works, but sliding expiration does not work? Even if I do read/write into session during MaxAge expire time span. – sabiland Sep 02 '20 at 08:41
You may create your own middleware, where the expiration time of cookie is checked, and if it is half of the initial time - set new cookie with value of previous. It should resest expiration time of cookie in browser. PS. I have not checked – Ilnar Gabidullin Sep 03 '20 at 07:26
Ok, but ".AspNetCore.Session" cookie is created automatically, can I set this cookie also programatically? – sabiland Sep 03 '20 at 08:26

Asp net core 3.1 Session never expires

1 Answers1