5
votes

Background

I have a semi-single-page application (all server interaction after login takes place on one page via ajax calls) that uses both session storage and OWIN cookie authentication. Both session and cookie expiration are set to 15 minutes and the cookie is configured to use sliding expiration.

On every server interaction, a timer on the client is reset back to 15 minutes. If no activity is recorded for 14 minutes, a modal is displayed with a ticker alerting the user that the session will time out soon.

Issue

We are running into an issue where in certain cases our session is outliving the OWIN cookie.

Per the CookieAuthenticationOptions class:

The SlidingExpiration is set to true to instruct the middleware to re-issue a new cookie with a new expiration time any time it processes a request which is more than halfway through the expiration window.

We have the scenario where users use the application prior to "half way through the expiration window", then let the application sit idle for a few minutes. When the users see the session expiration notification, they try to renew their sessions. But since the OWIN cookie was never renewed, the app times out and redirects them to the login page (prematurely based on what the expiration notification says).

This support article illustrates our situation exactly:

Let us take an example: If the logon page is accessed at 5:00 00:00:00 PM, it should expire at 5:10 00:00:00 PM if the timeout attribute is 10 and the slidingExpiration attribute is set to TRUE. Now, if any Web page is browsed again at 5:05 00:00:00 PM, the cookies and ticket time-out period will be reset to 5:15 00:00:00 PM.

Note If the Web page is accessed before half of the expiration time passes, the ticket expiration time will not be reset. For example, if any Web page is accessed again at 5:04 00:00:00 PM, the cookies and ticket timeout period will not be reset.

Question/Comments

Has anyone ever run into this before? How do we avoid it? Adjusting the OWIN timeout only prolongs the issue.

I can't help but think that this is either a terrible design flaw in the OWIN framework, OR we are not using it correctly.

Any help is appreciated. Thanks.

1
Are you using an auth provider by chance? - Stinky Towel

Yes, Microsoft.Owin.Security.Cookies.CookieAuthenticationProvider with some simple logic to inject some claims in the "OnValidateIdentity" method. - user6479749

Can you edit your post with your cookie auth code? - Stinky Towel

1 Answer

2
votes

The solution we ended up implementing was a work-around with our keep-alive logic. I really wish they would have implemented the "sliding expiration" in more of a traditional sense, but this will have to do for now.

Solution:

Only send keep-alive requests to the server until AFTER half of the OWIN cookie life passes. When the keep-alive is sent, the cookie will be renewed and this keeps the session and cookie timeout in sync.
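A constructed simulation of the timing problem and of the answer's keep-alive work-around, added here as an example and not code from the question or the answer. It models OWIN's "more than halfway through the window" re-issue rule on the server side and a client that schedules its keep-alive from the cookie's last issue time rather than from the last user activity; the class names, the 15-minute lifetime from the question and the 1 ms scheduling margin are assumptions.

```javascript
// Times are in milliseconds. Lifetime matches the question's 15-minute setting.
const COOKIE_LIFETIME_MS = 15 * 60 * 1000;
const HALF_WINDOW_MS = COOKIE_LIFETIME_MS / 2;
const MINUTE_MS = 60 * 1000;

// Server side: model of the OWIN sliding-expiration rule. The ticket is only
// re-issued when a request arrives more than halfway through its lifetime.
class SlidingCookieModel {
  constructor(issuedAt) { this.issuedAt = issuedAt; }
  get expiresAt() { return this.issuedAt + COOKIE_LIFETIME_MS; }
  isValid(now) { return now < this.expiresAt; }
  // Process an authenticated request; returns true if the cookie was re-issued.
  handleRequest(now) {
    if (!this.isValid(now)) return false;         // expired: request is rejected
    if (now - this.issuedAt > HALF_WINDOW_MS) {
      this.issuedAt = now;                        // past the half-way point: new ticket
      return true;
    }
    return false;                                 // too early: ticket unchanged
  }
}

// Client side: applies the same rule locally to track when the cookie was
// last (re)issued, so the keep-alive can be timed to land past the half-way
// point instead of being tied to the idle-warning modal.
class KeepAliveClient {
  constructor(loginAt) { this.cookieIssuedAt = loginAt; }
  recordRequest(now) {
    if (now - this.cookieIssuedAt > HALF_WINDOW_MS) this.cookieIssuedAt = now;
  }
  // Earliest moment at which a keep-alive is guaranteed to renew the cookie
  // (1 ms margin so the request is strictly past the half-way point).
  nextKeepAliveAt() { return this.cookieIssuedAt + HALF_WINDOW_MS + 1; }
}

// Replays the failure from the question (useFix = false) and the answer's
// work-around (useFix = true). Returns what the server decided.
function runScenario(useFix) {
  const server = new SlidingCookieModel(0);
  const client = new KeepAliveClient(0);
  // User works at minute 5: before the half-way point, so no re-issue.
  server.handleRequest(5 * MINUTE_MS);
  client.recordRequest(5 * MINUTE_MS);
  // Naive client resets its 15-minute idle timer at minute 5 and warns at
  // minute 19; the user clicks "stay logged in" but the cookie died at 15.
  const naiveKeepAliveAt = 5 * MINUTE_MS + 14 * MINUTE_MS;
  const keepAliveAt = useFix ? client.nextKeepAliveAt() : naiveKeepAliveAt;
  const renewed = server.handleRequest(keepAliveAt);
  return { renewed, stillLoggedIn: server.isValid(keepAliveAt) };
}
```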