There is a documentation page, "System.Web response cookie integration issues",
that proposes to use
as a workaround. However,
has a major issue.
How to reproduce the issue:
- On the dev machine, set any time zone between UTC+1 and UTC+12
- Set up cookie authentication and set ExpireTimeSpan on the CookieAuthenticationOptions to 10 minutes
- Try to sign in with a persistent cookie
Actual result: the server responds with an already expired authentication cookie.
For example, if you are in the UTC+2 time zone and it's 12:00 on your machine, you will receive the .AspNet.Cookie cookie with Expires equal to 8:10 instead of 10:10.
Why it happens:
In the CookieAuthenticationHandler.ApplyResponseGrantAsync method there is the following code:
DateTimeOffset expiresUtc = signInContext.Properties.ExpiresUtc ?? issuedUtc.Add(Options.ExpireTimeSpan);
signInContext.CookieOptions.Expires = expiresUtc.ToUniversalTime().DateTime;
Even though expiresUtc is a UTC time, the result of
with Kind equals to
. That's why Expires is converted to UTC twice.
In order to fix it, SystemWebCookieManager needs to be updated. Instead of
cookie.Expires = options.Expires.Value;
there must be
cookie.Expires = DateTime.SpecifyKind(options.Expires.Value, DateTimeKind.Utc);
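The double conversion described above, reproduced as an added example (not code from the project or from the original report). It assumes the second conversion is a DateTime.ToUniversalTime() call made when the cookie is serialized, and it models the UTC+2 machine with a constructed time zone so the result does not depend on local settings. The class name and the ToUniversalTimeOn and Report helpers are hypothetical.

```csharp
using System;

static class CookieExpiresKindDemo
{
    // Stand-in (assumption) for DateTime.ToUniversalTime() on a machine whose local
    // zone is machineZone: Utc values pass through, Local/Unspecified are read as local.
    static DateTime ToUniversalTimeOn(TimeZoneInfo machineZone, DateTime value)
    {
        if (value.Kind == DateTimeKind.Utc) return value;
        var wallClock = DateTime.SpecifyKind(value, DateTimeKind.Unspecified);
        return TimeZoneInfo.ConvertTimeToUtc(wallClock, machineZone);
    }

    static void Report(string label, TimeZoneInfo zone, DateTime expires)
    {
        DateTime sent = ToUniversalTimeOn(zone, expires);
        Console.WriteLine(
            $"{label}: Kind={expires.Kind}, stored={expires:HH:mm}, sent as {sent:HH:mm} UTC");
    }

    static void Main()
    {
        // Constructed scenario from the report: UTC+2 machine, 12:00 local, 10 minutes.
        TimeZoneInfo zone = TimeZoneInfo.CreateCustomTimeZone(
            "constructed-utc+2", TimeSpan.FromHours(2), "UTC+2", "UTC+2");
        var issuedUtc = new DateTimeOffset(2020, 1, 1, 10, 0, 0, TimeSpan.Zero);
        DateTimeOffset expiresUtc = issuedUtc.Add(TimeSpan.FromMinutes(10));

        // Expression from ApplyResponseGrantAsync: DateTimeOffset.DateTime drops the
        // offset and always yields Kind = Unspecified.
        DateTime fromHandler = expiresUtc.ToUniversalTime().DateTime;

        // Current cookie manager behaviour: the value is assigned unchanged.
        Report("unchanged  ", zone, fromHandler);

        // Proposed fix: tag the value as UTC so it is not shifted a second time.
        Report("SpecifyKind", zone, DateTime.SpecifyKind(fromHandler, DateTimeKind.Utc));

        // Check worth keeping in a regression test: expiry must not precede issuance.
        DateTime sentUnfixed = ToUniversalTimeOn(zone, fromHandler);
        Console.WriteLine($"expired on arrival: {sentUnfixed < issuedUtc.UtcDateTime}");
    }
}
```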