Open Closed

identity timeout #636


User avatar
0
RonaldR created

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

  • ABP Framework version: v3.3.1
  • UI type: MVC
  • Tiered (MVC) or Identity Server Seperated (Angular): no
  • Exception message and stack trace:
  • Steps to reproduce the issue:
  • When we leave the site inactive for more than 15 minutes or there abouts it loses the identity. if i login then click on a page on the menu, then do nothing for 20 minutes then click on a new menu link, when it tries to rebuild the menus us use CurrentUser in the api to see who it logged in, but there is no user in there.
  • I tried adding this in the TFORMWebModule:
    context.Services.AddAuthentication()
                .AddCookie(options => {
                    options.SlidingExpiration = true;
                    options.ExpireTimeSpan = DateTimeOffset.UtcNow.AddHours(24).Offset;
                })
                .AddJwtBearer(options =>
                {
                    options.Authority = configuration["AuthServer:Authority"];
                    options.RequireHttpsMetadata = false;
                    options.Audience = "TFORM";
                });
        }

The AddJwtBearer was already there, i added the AddCookie setion, but that didnt work.

I alos checked the identity tables the accesstimeout and the identity timeout are all set to 31536000 so they shouldbe be expiring that quickly, i think thats about 8.5 hours, give or take.

so what am i missing?


15 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    For Identity you should configure it by ConfigureApplicationCookie

    https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?view=aspnetcore-5.0#cookie-settings

  • User Avatar
    0
    RonaldR created

    that didnt seem to work either. i mdified the ConfigureAuthenication, removing the last attemot and adding the code you recommended. i am still runing in to the same issue. i started the site, logged in, used the menu and navigated to a page. i left and came back 45 minutes last. the sliding expiratation is set to 12 hours. when i tried to navigate to another page after the 45 minutes, it no longer knew who i was again and my application crashed.

    private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
    {
        context.Services.AddAuthentication()
            .AddJwtBearer(options =>
            {
                options.Authority = configuration["AuthServer:Authority"];
                options.RequireHttpsMetadata = false;
                options.Audience = "TFORM";
            });
    
        context.Services.ConfigureApplicationCookie(options =>
        {
            options.AccessDeniedPath = "/Identity/Account/AccessDenied";
            options.Cookie.Name = "TFORM";
            options.Cookie.HttpOnly = true;
            options.ExpireTimeSpan = TimeSpan.FromHours(12);
            options.LoginPath = "/Identity/Account/Login";
            // ReturnUrlParameter requires 
            //using Microsoft.AspNetCore.Authentication.Cookies;
            options.ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
            options.SlidingExpiration = true;
        });
    }
    
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi RonaldR

    I will check it. : )

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    According to the design of Identity cookie authentication, if you do not check Remember me, the cookie life is session. If the browser is closed or it thinks that the session has ended, your cookies will become invalid.

  • User Avatar
    0
    RonaldR created

    so your answer is that there is no way to extend that 15 minute window to allow for a longer time? if i walk away form my desk for 30 minutes for lunch my site dies while i am gone? cant we manually set the ispersistant to keep the cookie or prevent the session from dying?

  • User Avatar
    0
    RonaldR created

    we are also having a new cookie issue (i think it is cookie). we just moved to .net 5 and ver 4.0.0 of abp. what we found when we did this was wheni run the site it works, but if i stop it and restart it from visual studio we get a context already closed exception. after a bunch of playing around and testing i find that if i clear the cookie then i can restart it because it pushed me through the login again. so what it looks like is whe i return to the browser and a session or cookie is still alive from a previous session it fails to work, but if i delete the cookie and i am forced to authenticate then it works fine. have you seen this before?

    I have a ticket for .net conversion, should i ask this question there insstead?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    cant we manually set the ispersistant to keep the cookie or prevent the session from dying?

    Account.Pro module has the same code, you can always set RememberMe to true.

    https://github.com/abpframework/abp/blob/dev/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Login.cshtml.cs#L99

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    I have a ticket for .net conversion, should i ask this question there insstead?

    Yes, Please.

  • User Avatar
    0
    RonaldR created

    ok, lets try this again. i have never had this issue with any other project, so there must be a way that i am just missing. the issue is when we are running in viual studio, in .net 5, our app crashes every 15 minutes when the cookie dies. how do we prevent this? this is causing a lot of problems for us, especially considering it takes a minutes or more to run our app every time because of the discovery process. i know there has to be a way to expect the cookie so that bearer token doesnt disappear. the token is valid for hours, so the fact it fails must be a cookie issue. how can we resolve this?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi @RonaldR

    Can your problem be reproduced using a template project?

  • User Avatar
    0
    RonaldR created

    you want to know if i use your cli to create a new application can i reproduce it?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Yes

  • User Avatar
    0
    RonaldR created

    ok, so we started with a new project and we added our code in until it broke. here is the line that broke our site. we confirmed it by commenting it out of our site and we are no longer experiancing the 15 minute limit. What i want to know is if there is anything in there we need or are we fine just getting rid of it?

            //context.Services.ConfigureApplicationCookie(options =>
            //{
            //    options.AccessDeniedPath = "/Identity/Account/AccessDenied";
            //    options.Cookie.Name = "TFORM";
            //    options.Cookie.HttpOnly = true;
            //    options.ExpireTimeSpan = TimeSpan.FromMinutes(1200);
            //    options.LoginPath = "/Account/Login";
            //    // ReturnUrlParameter requires 
            //    //using Microsoft.AspNetCore.Authentication.Cookies;
            //    options.ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
            //    options.SlidingExpiration = true;
            //});
    
  • User Avatar
    0
    RonaldR created

    it did kick me out at an hour, but it redirected me to the login which is wasnt doing before. how do we get to stay logged in for 8 or 10 hours?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    It's related to Remember me

    context.Services.ConfigureApplicationCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromHours(10);
        
        //options.SlidingExpiration = true;
        //The SlidingExpiration is set to true to instruct the middleware to re-issue a new cookie with a new expiration time any time it processes a request which is more than halfway through the expiration window.
       
    });
    

    With Remember me:

    Without Remember me:

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09