1

I have tried to use all the settings in web.config and the UseCookieAuthentication() method, as indicated in many topics on the web, as listed below:

Session timeout does not work ( is set in web.config )

How to set session timeout in web.config

mvc 5 session timeout after default period (20 mins)

However, trying to change the session timeout to 1 minute (for testing) in all the options in these configs or methods does not make any sense, and I am not sure where the mistake is. Here are the configs that I changed. Any idea how to fix the problem? I also need clarification on the best way to set the session timeout in an MVC application: in web.config or in the Auth classes?

web.config:

<system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" executionTimeout="60" />

    <sessionState mode="InProc" timeout="1" />    

    <!-- For LDAP -->
    <httpCookies httpOnlyCookies="true" />
    <authentication mode="Forms">

        <!-- Note: I also remove this part and try with only "sessionState" -->
        <forms name=".ADAuthCookie" loginUrl="~/Account/Login" timeout="1" 
            slidingExpiration="false" protection="All" />
    </authentication>
</system.web>


Startup.Auth.cs:

public void ConfigureAuth(IAppBuilder app)
{
    // Code removed for brevity.

    // Configure the sign in cookie
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.  
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(1),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });            
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(1));
    app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);        
}

1 Answer

7

If you use ASP.NET Identity you do not need to use settings in web.config. Just add these two lines to your UseCookieAuthentication() method as shown below:

....,
SlidingExpiration = true,
ExpireTimeSpan = TimeSpan.FromMinutes(1)
...

So, the final code of your method will be as shown below:


Startup.Auth.cs:

public void ConfigureAuth(IAppBuilder app)
{
    // Code removed for brevity.

    // Configure the sign in cookie
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.  
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        },            
        SlidingExpiration = true, 
        ExpireTimeSpan = TimeSpan.FromMinutes(1) // Set the session timeout here
    });            
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(1));
    app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);        
}

For more information please visit [ASP.NET-Identity-Cookie-Authentication-Timeouts](http://www.jamessturtevant.com/posts/ASPNET-Identity-Cookie-Authentication-Timeouts/).
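
What `SlidingExpiration = true` with `ExpireTimeSpan = TimeSpan.FromMinutes(1)` means when testing, as an added example that is not part of the original answer or the middleware's own code: a simplified model in which the cookie is re-issued only when a request arrives past the halfway point of the expiration window. `CookieTimeoutModel`, `Replay` and the request times are hypothetical names and constructed data.

```csharp
using System;

// Simplified model (an assumption, not the Katana source) of how one
// authentication ticket ages under ExpireTimeSpan and SlidingExpiration.
public static class CookieTimeoutModel
{
    public static string[] Replay(TimeSpan expireTimeSpan, bool sliding, int[] requestSeconds)
    {
        var results = new string[requestSeconds.Length];
        // Constructed sign-in time; only the offsets between requests matter.
        var start = new DateTimeOffset(2024, 1, 1, 0, 0, 0, TimeSpan.Zero);
        DateTimeOffset issued = start;
        DateTimeOffset expires = start + expireTimeSpan;

        for (int i = 0; i < requestSeconds.Length; i++)
        {
            DateTimeOffset now = start.AddSeconds(requestSeconds[i]);
            if (now > expires)
            {
                results[i] = "expired"; // ticket rejected, user is sent to LoginPath
                continue;
            }

            TimeSpan elapsed = now - issued;
            TimeSpan remaining = expires - now;
            if (sliding && remaining < elapsed)
            {
                // Past the halfway point: issue a fresh ticket with a new window.
                issued = now;
                expires = now + expireTimeSpan;
                results[i] = "renewed";
            }
            else
            {
                results[i] = "valid"; // accepted, expiry unchanged
            }
        }
        return results;
    }

    public static void Main()
    {
        TimeSpan oneMinute = TimeSpan.FromMinutes(1);
        int[] requests = { 20, 50, 100, 125, 170 }; // constructed: seconds after sign-in
        Console.WriteLine("sliding=true : " + string.Join(", ", Replay(oneMinute, true, requests)));
        Console.WriteLine("sliding=false: " + string.Join(", ", Replay(oneMinute, false, requests)));
    }
}
```

With sliding expiration the request at 170 s is rejected although the previous request was only 45 s earlier, because the request at 125 s fell in the first half of its window and did not extend the cookie. Without sliding expiration the ticket ends 60 s after sign-in regardless of activity.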