aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

AspNetCore: OpenId Cookies always show expires=1969-12-31 even with IsPersistent=true and ExpireTimeSpan set #1752

Closed sathiathirumal closed 6 years ago

sathiathirumal commented 6 years ago

Using ASPNETCORE OpenId authentication middleware and Cookie middleware. I always see that cookies from OpenId authentication are set to expire at 1969-12-31 (in Chrome debugger). I assume this means the cookies are SESSION cookies; I want to make them persistent cookies so the user will be prompted to login less frequently. So I added the ExpireTimeSpan and IsPersistent=true as suggested in other posts, but I still see that my cookie Expires is 1969-12-31.

What am I doing wrong?


        services.AddAuthentication(options =>
        {
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddAzureAd(options =>
        {
            Configuration.Bind("AzureAd", options);
        })
        .AddCookie(p =>
        {
            p.ExpireTimeSpan = TimeSpan.FromDays(30);
            p.SlidingExpiration = true;
        });

        services.Configure<AuthenticationProperties>(props =>
        {
            props.IsPersistent = true;
            props.ExpiresUtc = new DateTimeOffset(DateTime.Now, TimeSpan.FromDays(30));
        });
Tratcher commented 6 years ago

Configure<AuthenticationProperties> is not a thing. Where do you call challenge?

sathiathirumal commented 6 years ago

@Tratcher - I don't invoke the challenge directly, I am assuming it occurs indirectly via the [Authorize] attribute? re: Configure<AuthenticationProperties>, I couldn't find any other way to override the IsPersistent value to true as I don't invoke SignIn(...) directly.

Tratcher commented 6 years ago

How about setting it in CookieAuthOptions.Events.SigningIn?

You could also make the DefaultChallengeScheme Cookies, have it redirect to a login page, and then explicitly challenge OIDC from there with AuthProperties.

Note IsPersistent should only be set based on user request like "Remember Me". It should not always be on or you risk leaking credentials on shared machines.

Also, don't set props.ExpiresUtc, Cookies will do that for you.

sathiathirumal commented 6 years ago

Awesome, thanks @Tratcher . Your first suggestion did the trick. I also implemented a Logout page (call to AuthenticationHttpContextExtensions.SignOutAsync(HttpContext)) to give the user more control over cookie lifetimes.

        .AddCookie(p =>
        {
            p.SlidingExpiration = true;
            p.Events.OnSigningIn = (context) =>
            {
                context.CookieOptions.Expires = DateTimeOffset.UtcNow.AddDays(30);
                return Task.CompletedTask;
            };
        });
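As an added example (not code from this thread), here is Tratcher's second option: Cookies becomes the default challenge scheme, so unauthenticated requests land on a login action that challenges OIDC explicitly with IsPersistent taken from a "Remember me" choice instead of being always on, and a logout action clears both the cookie and the OIDC session. It assumes ASP.NET Core 2.x authentication APIs and a hypothetical AccountController; AddOpenIdConnect stands in for the template's AddAzureAd helper.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class AuthConfig
{
    // bindOidc is assumed to bind the provider settings (e.g. Configuration.Bind("AzureAd", o)).
    public static void Configure(IServiceCollection services, Action<OpenIdConnectOptions> bindOidc)
    {
        services.AddAuthentication(options =>
        {
            // Cookies handle both authentication and the challenge, so an unauthenticated
            // request is redirected to LoginPath rather than straight to the identity provider.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie(p =>
        {
            p.LoginPath = "/Account/Login";
            // Only persistent sign-ins get an Expires attribute; session cookies stay
            // session-scoped no matter what ExpireTimeSpan is set to.
            p.ExpireTimeSpan = TimeSpan.FromDays(30);
            p.SlidingExpiration = true;
        })
        .AddOpenIdConnect(bindOidc); // signs in to the default (cookie) scheme
    }
}

public class AccountController : Controller
{
    // GET /Account/Login?rememberMe=true&returnUrl=/dashboard
    [HttpGet]
    public IActionResult Login(bool rememberMe = false, string returnUrl = "/")
    {
        var props = new AuthenticationProperties
        {
            // Reject absolute return URLs so the login flow cannot be used as an open redirect.
            RedirectUri = Url.IsLocalUrl(returnUrl) ? returnUrl : "/",
            IsPersistent = rememberMe, // the user's choice, never a global default
        };
        return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
        return RedirectToAction(nameof(Login));
    }
}
```

The properties passed to Challenge are round-tripped through the OIDC state parameter, so IsPersistent arrives at the cookie handler's sign-in and decides whether the cookie gets an Expires attribute at all.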
syska commented 6 years ago

@sathiathirumal

Did this work for you? I have an issue where users are being logged out halfway through the session ( Expiration from ADFS is 8 hours ) and then OnSignedIn is being called again ...

So a little in doubt if "false" here is default ... and I hope setting this to "true" will fix my problem ...

sathiathirumal commented 6 years ago

@syska

Yes this does work for me. IsPersistent is false as per Tratcher. I am using the exact block of code as I pasted above, everything else is default values.

syska commented 6 years ago

@sathiathirumal

Deployed an update to the site yesterday including lots of logging to see what's actually going on ... and an Expires of 8 hours ...

Should be able to see if users still get logged out after 4 hours ...