Open Closed

Redirect to login page after 30 minutes of inactivity #3772


User avatar
0
trannguyenphucanh created
  • ABP Framework version: v5.3.3
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

Hi, I would like to know if there's a way to redirect user to the login page after 30 minutes of inactivity. Below is the configuration suggested from older topics that I've implemented for HostModule:

.AddCookie("Cookies", options =>
{
    options.ExpireTimeSpan = TimeSpan.FromSeconds(1800);
    options.SlidingExpiration = true;
});
context.Services.ConfigureApplicationCookie(options =>
{
    options.Cookie.SameSite = SameSiteMode.Unspecified;
});

And IdentityServerDataSeedContributor:

ClientName = name,
ProtocolType = "oidc",
Description = name,
AlwaysIncludeUserClaimsInIdToken = true,
AllowOfflineAccess = true,
AbsoluteRefreshTokenLifetime = 1800, //30 minutes
AccessTokenLifetime = 1800, //30 minutes
SlidingRefreshTokenLifetime = 300,
AuthorizationCodeLifetime = 300,
IdentityTokenLifetime = 300,
RequireConsent = false,
FrontChannelLogoutUri = frontChannelLogoutUri,
RequireClientSecret = requireClientSecret,
RequirePkce = requirePkce

The above configuration didn't make the site logout, even if I closed the browser or left it inactive.

When I add the code as below, the site does log-out after the token expired, but it doesn't solve the problem as while user is browsing, it still redirects to the login page no matter what.

context.Services.ConfigureApplicationCookie(options =>
    {
        options.Cookie.SameSite = SameSiteMode.Unspecified;
        options.ExpireTimeSpan = TimeSpan.FromSeconds(1800);
        options.SlidingExpiration = true;
    });
context.Services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromSeconds(1800));

Could you take a look at it?


3 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can cancel the changes of IdentityServerDataSeedContributor.

    context.Services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromSeconds(10));
    

    https://www.jamessturtevant.com/posts/ASPNET-Identity-Cookie-Authentication-Timeouts/

  • User Avatar
    0
    trannguyenphucanh created

    Hi maliming,

    I've changed SecurityStampValidatorOptions as you suggestion as well as set IdentityServerDataSeedContributor to default as below:

                            ClientName = name,
                            ProtocolType = "oidc",
                            Description = name,
                            AlwaysIncludeUserClaimsInIdToken = true,
                            AllowOfflineAccess = true,
                            AbsoluteRefreshTokenLifetime = 31536000, //365 days
                            AccessTokenLifetime = 31536000, //365 days
                            AuthorizationCodeLifetime = 300,
                            IdentityTokenLifetime = 300,
                            RequireConsent = false,
                            FrontChannelLogoutUri = frontChannelLogoutUri,
                            RequireClientSecret = requireClientSecret,
                            RequirePkce = requirePkce,
                            AccessTokenType = (int) AccessTokenType.Reference
    

    Unfortunately, nothing happened.

    I read the article you suggested, it's OK but still doesn't really help as SecurityStampValidatorOptions and ExpireTimeSpan are only able to re-issue when a request is made after halfway through the interval. What if the last request is made before of that?

    I also did some research about token here, but it seems to be not applicable in my case. So until now, it's all about trial and error.

    As I tested, the only 2 properties that actually affect to token's expiration are AccessTokenLifetime and AbsoluteRefreshTokenLifetime. Here are the steps:

    1. Set options.ExpireTimeSpan = TimeSpan.FromSeconds(10); to make sure the page will log-out after refresh token expires.
    2. Set AccessTokenLifetime and AbsoluteRefreshTokenLifetime = 60s.
    3. First, the access token will be issued when user logged-in with expires_in = 60.
    4. After that, the refresh token is issued with the same expiration time. Then 60s later, the site automatically redirects to login page, regardless of whether the user is inactivity or not.
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you create a template project like your type and share it with me? liming.ma@volosoft.com

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09