Enable both sliding and absolute expiration for cookie authentication


The current Microsoft.Owin.Security.Cookies middleware lets you select from either sliding or absolute expiration. It would be nice to allow for both - a short sliding expiration to handle timing out inactive users, but also an absolute expiration to handle maximum allowed session length before requiring re-authentication.

The only way to handle this currently is outlined in this blog article - modifying the cookie authentication provider to add custom data for the absolute expiration and having it enforced there.

It would be nice to have first-class support for this rather than having to hack it in every time.
Closed Mar 2 at 9:43 PM by mgirgin
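
The workaround described in the issue above (sliding expiration for idle timeout plus a custom absolute deadline enforced in the cookie authentication provider), sketched as an added example; it is not code from the issue, the linked blog article, or the Katana project. The property key `absolute_expires_utc`, the 20-minute and 8-hour values, and the `ApplicationCookie` authentication type are assumptions chosen for illustration.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Owin;

public static class AbsoluteExpirationCookieAuth
{
    // Hypothetical key for the custom entry stored in the protected ticket.
    private const string AbsoluteExpiryKey = "absolute_expires_utc";

    // Assumed policy values, not taken from the issue.
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);
    private static readonly TimeSpan MaxSessionLength = TimeSpan.FromHours(8);

    public static void Configure(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ApplicationCookie",
            ExpireTimeSpan = IdleTimeout,   // inactivity window
            SlidingExpiration = true,       // renewed while the user stays active
            Provider = new CookieAuthenticationProvider
            {
                OnResponseSignIn = context =>
                {
                    // Stamp the hard deadline once, at sign-in; never overwrite it.
                    if (!context.Properties.Dictionary.ContainsKey(AbsoluteExpiryKey))
                    {
                        context.Properties.Dictionary[AbsoluteExpiryKey] = DateTimeOffset.UtcNow
                            .Add(MaxSessionLength).ToString("o", CultureInfo.InvariantCulture);
                    }
                },
                OnValidateIdentity = context =>
                {
                    // Fail closed: a missing, unparseable or passed deadline rejects
                    // the identity, including tickets issued before this was deployed.
                    string raw;
                    DateTimeOffset deadline;
                    bool withinLimit =
                        context.Properties.Dictionary.TryGetValue(AbsoluteExpiryKey, out raw)
                        && DateTimeOffset.TryParseExact(raw, "o", CultureInfo.InvariantCulture,
                               DateTimeStyles.RoundtripKind, out deadline)
                        && DateTimeOffset.UtcNow < deadline;
                    if (!withinLimit) context.RejectIdentity();
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

The deadline travels inside the ticket's properties, which the middleware protects along with the identity, so sliding renewals carry it forward unchanged and the client cannot extend it.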


Tratcher wrote Oct 29, 2015 at 3:32 PM

FYI: Development of this component has moved to github.com/aspnet/security

tillig wrote Oct 29, 2015 at 4:27 PM

tillig wrote Oct 29, 2015 at 4:30 PM

You may want to update the "project site" for the Microsoft.Owin.Security.Cookies package to point to the GitHub repo. It's hard to tell that dev has moved.