Open Closed

Reducing the Remember Me time #5231


User avatar
0
ed_developer2 created

Hello, I am trying to reduce duration for which website remembers a user. Currently its set for ever we want to limit it to 1 hour, how can we do it. We tried this approach but didn't work. We tried to configure the authentication cookie in our host module. context.Services.ConfigureApplicationCookie(options => { options.ExpireTimeSpan = TimeSpan.FromSeconds(120); // Set the expiration time to 5 minutes options.SlidingExpiration = false; }); Can you please help me with this.


30 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    What's your client? MVC or Blazor or Angular?

    ConfigureApplicationCookie only works for MVC(AuthServer) side.

  • User Avatar
    0
    ed_developer2 created

    Hello maliming, We have angular integration on frontend. but as ABP, provides the login functionality in backend for that we are using MVC. Can you help us to reduce the remember time to 1hour. After 1Hour if the user revisits the page then he/she will be asked to login again.

    Thank you.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    After 1Hour if the user revisits the page then he/she will be asked to login again.

    What's this UI?

    Does the user revisit on MVC or angular page?

  • User Avatar
    0
    ed_developer2 created

    User revisit on Login Screen to get authenticated again. And Login Page is mvc. And Can you tell us whether our login/logout is coming from Swagger API (backend) is it the right way or the login should be in the frontend only? Thanks

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Are you using angular for UI? Is your angular UI not logout after 5 minutes?

    What's your abp version?

  • User Avatar
    0
    ed_developer2 created

    hi, No, After 5mins i revisit the page but i was not asked to login. And my Abp version is 7.0.2. Thanks

  • User Avatar
    0
    ed_developer2 created

    Hello can you please help me with this?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Please try this

    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        builder
            .SetAccessTokenLifetime(TimeSpan.FromSeconds(120))
            .SetIdentityTokenLifetime(TimeSpan.FromSeconds(365));
    });
    

    You can share an online website. I will test it

    liming.ma@volosoft.com

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Some code(ConfigureApplicationCookie) of your project is not working. Please share your project code with me.

    liming.ma@volosoft.com

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Hello, I don’t get the point for remember me, the functionality works like this if the user checks the remember me then he/she don’t need to authenticate for every time he/she revisits the page for default time it was set. And if he/she don’t check then, the user needs to authenticate again. This is what I am doing but its not happening. Any suggestions from your side. Thank you.

    If you didn't select the remember me the login state is session if will be invalid after you close the browser.

    https://www.cookiepro.com/knowledge/what-is-a-session-cookie/

    Select the remember me the cookies will be valid in ExpireTimeSpan even if you close the browser.

  • User Avatar
    0
    ed_developer2 created

    Hello, Thanks for the information.

    But I have tested without checking the remember me, I have logged in and close the browser. Then again I reopen the browser and open the URL. Its coming as logged in.

    Why this is happening. Thanks.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I have logged in and close the browser.

    Please check the cookies on the browser and make sure its session

    You may need to end the browser process instead of close tabs.

  • User Avatar
    0
    ed_developer2 created

    https://prnt.sc/0sl-3ktv93vZ I have checked its session, but everytime I open the browser, same value is coming, That's why I am getting logged in.

    Any idea or any way to end this session everytime I close the tab or browser.

    Thank you.

  • User Avatar
    0
    ed_developer3 created

    Hi maliming

    can you please share a sample application where Remember me functionality is working, An angular front end and .net core webapi backend sample with only login and remember me functionality will do. We will check how its working in the sample. Again reiterating our requirement 1 If user checks Remember me checkbox then he should not be asked for Login till he logs out. 2 he will be automatically logged in in case he hasn't logged out and closes browser tab. 3 We should be able to configure the time to remember the logged in user from any backend or frontend.

    Thanks

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    The identity cookie's name is Identity.Application. If this cookie doesn't exist. Your login state will be invalid.

    hi @ed_developer3

    You have API and angular websites.

    API use cookies and angular use access token.

    You can control the cookies by ConfigureApplicationCookie.

    1. Set remember me the cookies will be valid for 14 days by default. You can change the time by ConfigureApplicationCookie
    2. UnSet remember me the cookies is session will be invalid after close the browser. The behavior is different in different browsers.

    https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?view=aspnetcore-7.0#cookie-settings

    The access token lifetime control by

    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        builder
            .SetAccessTokenLifetime(TimeSpan.FromSeconds(120))
            .SetIdentityTokenLifetime(TimeSpan.FromSeconds(365));
    });
    

    It will get a new access token after invalid. You can remove the offline_access scope from oAuthConfig to disable the refresh token feature.

  • User Avatar
    0
    ed_developer3 created

    hi maliming

    we were able to reduce the time for Remember me duration to what ever we configured but the problem is that its default behaviour and is like this no matter we check the checkbox for remember me on login page. Also when we close the browser within configured timeout user is still logged in but it should be logged out as its session cookie as stated by you.

    Can you let us know why Remember checkbox is not working or do we have to manually do it if yes how.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    https://support.abp.io/QA/Questions/5231#answer-3a0bd55f-37b2-1f28-914f-7b52bbf16f87

    If you publish your site with custom lifetime configuration, I will check it online.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    The cookies are session. It is deleted after I quit the Chrome browser(end process). I opened the URL again the cookies disappeared.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Click the Remember me

  • User Avatar
    0
    ed_developer2 created

    Hello, I have added all the custom configuration.

    Can you check once what's the issue in remember me checkbox default behavior.

    Thank you.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Now the cookies are valid within 1 hour.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    There should be no problem. The ConfigureApplicationCookie is working as expected.

  • User Avatar
    0
    ed_developer2 created

    But why I am able to revisit the page if I have not selected the checkbox. I have tried everything, I have quit the chrome browser. still able to revisit.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    https://us05web.zoom.us/j/86723786925?pwd=TlkrMXhOdjdoNVBwSG9KT3BFOWdFZz09

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The remember me used by cookies. The angular use access token, it will not delete by browser.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 01, 2024, 05:35