SlidingExpiration and SecurityTokenValidatedNotification.AuthenticationTicket

Feb 11, 2015 at 4:33 PM
I'm currently setting the ExpireTimeSpan to 60 minutes, and the Issued/Expires values to only cover the next 60 minutes as well; however, the session never lasts 60 minutes even though I have SlidingExpiration set to true.

My understanding is that if I'm on the site and actively switching between pages, then I should never be prompted for my login if SlidingExpiration is set to true. That's not true in my case, as at some point the user does get kicked out even if they just performed some activity on the site a couple of minutes ago.

My current understanding is that there's a master cookie from the authentication authority that can't be modified by sliding expiration once it's set. Is the SecurityTokenValidatedNotification.AuthenticationTicket the way to access it? If not, then what is the difference between using CookieAuthenticationOptions.ExpireTimeSpan and AuthenticationTicket.Properties.IssuedUtc and ExpiresUtc?

The solution in my mind would have the authority cookie expiration set to some absurd length (like 12 hours), and within that the Owin cookie would be set to a reasonable length (60 minutes with sliding expiration, for example). If the Owin cookie expires, then the user gets to re-sign in and resets the authority cookie for another 24 hours. If it doesn't expire because the user is active, then it will expire at the 12 hour mark regardless.

Is this even the conceptually correct approach?

Thanks.
Feb 11, 2015 at 5:27 PM
Got an answer from Pinpoint on the Jabbr Owin about the ExpireTimeSpan and AuthenticationTicket.Properties.IssuedUtc.

They are the same way to accomplish the same thing:

"You can see IssuedUtc/ExpiresUtc as a way to override the default logic that uses DateTimeOffset.Now + ExpireTimeSpan
When you call SignIn("AuthenticationType"), the default logic is used.
But you can also pass an AuthenticationProperties and set these 2 properties to change the expiration date.
(in practice, you never change IssuedUtc)"

"Note that by default with OIDC, the ExpireTimeSpan is ignored.
Instead, it uses the same lifetime as the id_token.
(you can set UseTokenLifetime to false to change that)"
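The two answers above describe two separate lifetimes: ExpireTimeSpan (with sliding renewal) belongs to the cookie middleware, while with UseTokenLifetime left at its default the OIDC middleware copies the id_token's validity window into the ticket's IssuedUtc/ExpiresUtc and sets AllowRefresh to false, so the cookie never slides and dies with the token. The following is an added example, not code from this thread or from the Katana project, showing the two-tier scheme the original poster asked about: a 60 minute sliding cookie capped by a 12 hour absolute lifetime. It assumes Katana 3.x (Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OpenIdConnect); the dictionary key name, the AD_CLIENT_ID and AD_AUTHORITY values, and the method names are placeholders chosen for this example.

```csharp
// Added example (not from the thread): absolute session cap on top of a sliding cookie.
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Constructed key in the ticket's property bag; it survives every sliding renewal
    // because Katana re-serialises the same AuthenticationProperties into the new cookie.
    private const string AbsoluteExpiryKey = "absolute_expiry_utc";
    private static readonly TimeSpan SlidingWindow = TimeSpan.FromMinutes(60);
    private static readonly TimeSpan AbsoluteLifetime = TimeSpan.FromHours(12);

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            LoginPath = new PathString("/Users/Index"),
            // Katana re-issues the cookie only once more than half of ExpireTimeSpan has
            // elapsed, and only when the ticket's AllowRefresh is not false.
            SlidingExpiration = true,
            ExpireTimeSpan = SlidingWindow,
            Provider = new CookieAuthenticationProvider
            {
                // Runs on every request that presents the cookie; without this check
                // an active user could slide the session indefinitely.
                OnValidateIdentity = ctx => EnforceAbsoluteExpiry(ctx, DateTimeOffset.UtcNow)
            }
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "AD_CLIENT_ID",   // placeholder
            Authority = "AD_AUTHORITY",  // placeholder
            // Decouple the cookie from the id_token lifetime so ExpireTimeSpan applies.
            UseTokenLifetime = false,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n =>
                {
                    StampAbsoluteExpiry(n.AuthenticationTicket.Properties, DateTimeOffset.UtcNow);
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Records the hard cap once, at sign-in. ExpiresUtc is deliberately left null so the
    // cookie middleware computes it from ExpireTimeSpan and keeps sliding it.
    public static void StampAbsoluteExpiry(AuthenticationProperties props, DateTimeOffset now)
    {
        props.Dictionary[AbsoluteExpiryKey] =
            now.Add(AbsoluteLifetime).ToString("o", CultureInfo.InvariantCulture);
    }

    // True while the ticket is inside its absolute lifetime. A ticket without a stamp
    // (issued before this code was deployed, or by another sign-in path) fails closed.
    public static bool IsWithinAbsoluteLifetime(AuthenticationProperties props, DateTimeOffset now)
    {
        string raw;
        if (!props.Dictionary.TryGetValue(AbsoluteExpiryKey, out raw))
        {
            return false;
        }
        DateTimeOffset cap;
        return DateTimeOffset.TryParseExact(raw, "o", CultureInfo.InvariantCulture,
                                            DateTimeStyles.RoundtripKind, out cap)
               && now < cap;
    }

    private static Task EnforceAbsoluteExpiry(CookieValidateIdentityContext ctx, DateTimeOffset now)
    {
        if (!IsWithinAbsoluteLifetime(ctx.Properties, now))
        {
            // Reject the identity for this request and clear the cookie so the user
            // is sent back through the OIDC login rather than silently served anonymous.
            ctx.RejectIdentity();
            ctx.OwinContext.Authentication.SignOut(ctx.Options.AuthenticationType);
        }
        return Task.FromResult(0);
    }
}
```

The cap lives in the ticket rather than in a server-side store, so it is protected by the cookie's data-protection signature but is not revocable early; if you need server-side revocation, OnValidateIdentity is also the place to consult a session table.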
Feb 20, 2015 at 2:11 PM
Can you please share some code? I've also opened a ticket on StackOverflow.
Feb 20, 2015 at 6:30 PM
// Startup fragment as posted; usings, class wrapper and comments added for context.
// AddUserClaims, IsAjaxRequest, IsJsonRequest and LogException are the poster's own
// helpers and are not shown in the thread.
using System;
using System.Configuration;
using System.Diagnostics;
using System.Threading.Tasks;
using System.Web.Routing;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            LoginPath = new PathString("/Users/Index"),
            LogoutPath = new PathString("/Home/Index"),
            SlidingExpiration = true,
            // TimeSpan(days, hours, minutes, seconds): owin:SessionLength is in minutes
            ExpireTimeSpan = new TimeSpan(0, 0, int.Parse(ConfigurationManager.AppSettings["owin:SessionLength"]), 0),
        });
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = ConfigurationManager.AppSettings["owin:ClientId"], // AD application client id
                Authority = ConfigurationManager.AppSettings["owin:Authority"], // AD
                Caption = "Please sign in using your provided credentials.",
                // false: the cookie lifetime comes from ExpireTimeSpan above, not from the id_token
                UseTokenLifetime = false,
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    SecurityTokenValidated = notification =>
                    {
                        Trace.WriteLine(String.Format("[{0}] authenticated successfully.", notification.AuthenticationTicket.Identity.Name));

                        try
                        {
                            // Enrich the identity with application claims from the DB
                            AddUserClaims(notification.AuthenticationTicket.Identity);
                        }
                        catch (Exception e)
                        {
                            Trace.TraceError("Unable to retrieve claims for the authenticated identity. Check DB connection.");
                            e.LogException();
                            throw;
                        }

                        return Task.FromResult(0);
                    },

                    AuthenticationFailed = notification =>
                    {
                        Trace.WriteLine("[AuthenticationFailed]");
                        notification.OwinContext.Response.Redirect(new PathString("/Home/Index").ToUriComponent());
                        notification.HandleResponse();
                        return Task.FromResult(0);
                    },
                    RedirectToIdentityProvider = notification =>
                    {
                        Trace.WriteLine("[RedirectToIdentityProvider]");
                        // Present only when hosted on System.Web (MVC routing)
                        var context = notification.OwinContext.Environment["System.Web.Routing.RequestContext"] as RequestContext;
                        if (context != null)
                        {
                            // Never redirect an AJAX/JSON call to the identity provider; let the client handle 401
                            if (IsAjaxRequest(notification.Request) || IsJsonRequest(notification.Request))
                            {
                                Debug.WriteLine("This is an ajax request. Goodbye.");
                                notification.HandleResponse();
                                return Task.FromResult(0);
                            }

                            notification.ProtocolMessage.PostLogoutRedirectUri =
                                notification.Request.Scheme + "://" + notification.Request.Host +
                                new PathString("/Home/Index").ToUriComponent();

                            // Force the IdP to show the login page instead of reusing its own session
                            notification.ProtocolMessage.Prompt = "login";
                        }
                        return Task.FromResult(0);
                    }
                }
            });
    }
}