4
votes

I am using ASP.NET Identity with cookie-based authentication. I am setting the ExpireTimeSpan on the CookieAuthenticationOptions class to control how much time of inactivity is allowed before the user has to log in again.

This all works fine, but when I add SignalR to the application the user no longer has to log in after a period of inactivity. SignalR does a "ping" request periodically and I presume it is this that causes the cookie expiry to be extended.

I am looking for a way to not renew the cookie expiry for the SignalR URLs.

I have looked into some of the code in Microsoft.Owin.Security.Cookies and the CookieAuthenticationHandler class in particular. There is logic in the AuthenticateCoreAsync method to decide whether to renew the cookie. However, the CookieAuthenticationHandler class is internal so I can't override this method.

Any ideas if there is a hook I can use to do this?

1
Did you figure it out? - WebDever
Afraid not. I tried suppressing cookies in an HTTP module for the SignalR requests, but no joy. - DownChapel

1 Answer

0
votes

We solved this at my company by removing the cookies from the SignalR response, using an HttpModule.

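using System;
using System.Web;
using System.Web.Security;

// Strips the forms-authentication cookie from responses to SignalR requests.
// The web.config entries expect this class in Site.Components.HttpModules.
public class NoFormsAuthenticationModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        // Runs just before the response headers (including Set-Cookie) are sent.
        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    // Required by IHttpModule; nothing to release.
    public void Dispose()
    {
    }

    protected void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var httpContext = ((HttpApplication)sender).Context;

        var path = httpContext.Request.Path;

        // Path fragments whose responses must not carry the authentication cookie.
        var noAuthentUrls = new string[] { "/signalr/" };

        foreach (var url in noAuthentUrls)
        {
            var noAuthentication = path.IndexOf(url, StringComparison.OrdinalIgnoreCase) > -1;

            if (noAuthentication)
                httpContext.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
        }
    }
}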

Hope it helps you.

Don't forget to add the entries to the web.config:

<system.web>
  <httpModules>
    <add name="NoFormsAuthenticationModule" type="Site.Components.HttpModules.NoFormsAuthenticationModule"/>
  </httpModules>
</system.web>

<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <add name="NoFormsAuthenticationModule" type="Site.Components.HttpModules.NoFormsAuthenticationModule"/>
  </modules>
</system.webServer>

...
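
The effect described in the question, as an added example that is not part of the original posts and is not Katana's code: a small model of sliding expiration replayed over constructed traffic, showing that periodic SignalR pings keep the cookie alive indefinitely and that excluding the SignalR path from renewal restores the idle timeout. It assumes the cookie is reissued once more than half of its lifetime has elapsed; the 20-minute lifetime, the paths and the class name `SlidingExpirationModel` are hypothetical.

```csharp
using System;
using System.Linq;

public static class SlidingExpirationModel
{
    // Replays requests against one ticket issued at minute 0 and returns the minute at
    // which it finally expires. Requests under noRenewPrefixes are authenticated but
    // never cause the cookie to be reissued.
    public static double ExpiryMinute(double lifetime,
                                      (double Minute, string Path)[] requests,
                                      string[] noRenewPrefixes)
    {
        double issued = 0, expires = lifetime;
        foreach (var r in requests.OrderBy(x => x.Minute))
        {
            if (r.Minute >= expires) break; // ticket expired: user must log in again

            bool excluded = noRenewPrefixes.Any(p =>
                r.Path.StartsWith(p, StringComparison.OrdinalIgnoreCase));

            // Assumed renewal rule: less time remaining than time already elapsed.
            bool pastHalf = (expires - r.Minute) < (r.Minute - issued);

            if (pastHalf && !excluded)
            {
                issued = r.Minute;
                expires = r.Minute + lifetime;
            }
        }
        return expires;
    }

    public static void Main()
    {
        // Constructed traffic: one page load at minute 1, then the user walks away
        // while the open page sends a SignalR ping every 5 minutes for 2 hours.
        var requests = new[] { (Minute: 1.0, Path: "/home") }
            .Concat(Enumerable.Range(1, 24)
                .Select(i => (Minute: i * 5.0, Path: "/signalr/ping")))
            .ToArray();

        double withPings = ExpiryMinute(20, requests, new string[0]);
        double pingsExcluded = ExpiryMinute(20, requests, new[] { "/signalr/" });

        Console.WriteLine("Expiry when pings renew the cookie: minute " + withPings);
        Console.WriteLine("Expiry when /signalr/ is excluded:   minute " + pingsExcluded);
    }
}
```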