abpframework / abp

Open Source Web Application Framework for ASP.NET Core. Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET and the ASP.NET Core platforms. Provides the fundamental infrastructure, production-ready startup templates, application modules, UI themes, tooling, guides and documentation.
https://abp.io
GNU Lesser General Public License v3.0

Allow user to define session timeout #19590

Closed ebicoglu closed 1 week ago

ebicoglu commented 2 weeks ago

Users can set this via SetAccessTokenLifetime, SetIdentityTokenLifetime. But it would be good if we give an interface to set this with an option. I got feedback from a developer.


maliming commented 1 week ago

Cookies authentication (Identity):

SlidingExpiration
The SlidingExpiration is set to true to instruct the handler to re-issue a new cookie with a new expiration time any time it processes a request which is more than halfway through the expiration window.

ExpireTimeSpan
Controls how much time the authentication ticket stored in the cookie will remain valid from the point it is created. The expiration information is stored in the protected cookie ticket. Because of that an expired cookie will be ignored even if it is passed to the server after the browser should have purged it. This is separate from the value of Expires, which specifies how long the browser will keep the cookie.

See https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration#cookie-settings

Tokens authentication:

Setting Tokens Lifetime: https://docs.abp.io/en/abp/latest/Modules/OpenIddict#setting-tokens-lifetime
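
The two mechanisms above configured side by side in one ABP module, as an added example that is not code from this thread or from the ABP project. The module name `SessionTimeoutModule` and all durations are assumptions chosen for illustration.

```csharp
using System;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp.Modularity;

// Hypothetical module name; in a real solution this goes in the
// module of the project that hosts the login UI / auth server.
public class SessionTimeoutModule : AbpModule
{
    // Assumed value: how long an interactive session may sit idle.
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(30);

    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        // Token authentication: lifetimes are set on the OpenIddict
        // server builder, as the linked ABP document describes.
        PreConfigure<OpenIddictServerBuilder>(builder =>
        {
            // A short access token bounds how long a leaked token is usable.
            builder.SetAccessTokenLifetime(TimeSpan.FromMinutes(30));
            builder.SetIdentityTokenLifetime(TimeSpan.FromMinutes(30));
            // Lifetime of each issued refresh token (assumed value).
            builder.SetRefreshTokenLifetime(TimeSpan.FromDays(14));
        });
    }

    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        // Cookie authentication (Identity): the expiry is stored inside the
        // protected ticket, so the server rejects an expired cookie even if
        // the browser still sends it.
        context.Services.ConfigureApplicationCookie(options =>
        {
            options.ExpireTimeSpan = IdleTimeout;

            // true:  the cookie is re-issued once a request arrives more than
            //        halfway through the window, so IdleTimeout behaves as an
            //        idle timeout and an active session keeps renewing.
            // false: IdleTimeout counts from sign-in and is never extended.
            options.SlidingExpiration = true;
        });
    }
}
```

The cookie settings and the token lifetimes are independent: changing one does not shorten the other, so a session-timeout requirement has to be applied to both.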