I am building an app, which is a JavaScript SPA with ASP.NET MVC controllers in the backend. I am trying to use IdentityServer for authentication. I have the Authorize attribute on my controllers. One of the requirements I have is that the user's session should expire after a certain amount of time (if there is no activity, the user should be prompted to log in). The implicit flow does not work for me because of security restrictions. I grabbed the Identity4 samples https://github.com/IdentityServer/IdentityServer4.Samples and tried using the cookie authentication middleware, setting the ExpireTimeSpan to see if that expires the cookie. Somehow, even after the specified timespan has expired, I am still able to make a call into the controllers. How can I accomplish something similar to an ASP.NET session timeout with IdentityServer and ASP.NET MVC?

1 Answer

It is a known issue; see https://github.com/aspnet/Security/pull/893, fixed for 1.1.0.

Wait for the 1.1.0 version or use OnTokenValidated to set the expire property:

OnTokenValidated = async (context) =>
{
    // <expire> is a placeholder for the DateTimeOffset at which the session should end
    context.Properties.ExpiresUtc = <expire>;
    await Task.FromResult(0);
}

For another solution, also see: https://github.com/aspnet/Security/issues/855#issuecomment-229495399
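
A fuller version of the workaround above, as an added example that is not part of the original answer. It assumes the ASP.NET Core 1.x middleware-style API used by the IdentityServer4 samples of that time; the scheme names, authority URL, client id and the 20-minute IdleTimeout are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Assumed idle timeout for this example.
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = "Cookies",   // placeholder scheme name
            AutomaticAuthenticate = true,
            ExpireTimeSpan = IdleTimeout,
            SlidingExpiration = true            // activity renews the ticket
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            AuthenticationScheme = "oidc",      // placeholder scheme name
            SignInScheme = "Cookies",
            Authority = "https://identity.example.test", // placeholder
            ClientId = "mvc-client",            // placeholder
            Events = new OpenIdConnectEvents
            {
                OnTokenValidated = context =>
                {
                    // Pin the ticket lifetime to the idle timeout at sign-in,
                    // so the cookie middleware slides from this window.
                    var now = DateTimeOffset.UtcNow;
                    context.Properties.IssuedUtc = now;
                    context.Properties.ExpiresUtc = now.Add(IdleTimeout);
                    return Task.FromResult(0);
                }
            }
        });

        app.UseMvcWithDefaultRoute();
    }
}
```

With SlidingExpiration enabled, any authenticated request, including background calls from the SPA, counts as activity and can extend the cookie.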
