6
votes

So far I've seen how to set expiration for the client webapp's cookie (thank you v0id): IdentityServer4 cookie expiration

There are actually two cookies used by IdentityServer4 - the client cookie and server cookie ("idsrv").

If I set the client cookie expiration as given here: IdentityServer4 cookie expiration then when I close the browser and go back to a client webapp page where I need to be authorized, I get access denied because the browser session no longer has the server cookie.

So I need a way to set the "idsrv" cookie expiration to be the same as the client.

Currently, the best way I see to set the server cookie (it is being ignored or dropped somehow) is the following code block in the IdentityServer4 host Startup.cs / ConfigureServices() method:

services.AddIdentityServer(options =>
{
    options.Authentication.CookieLifetime = new TimeSpan(365, 0, 0, 0);
    options.Authentication.CookieSlidingExpiration = true;
})

That should set the cookie's expiration to one year later. However, in Chrome developer tools under the Application tab, cookies, I see that it still has an expired expiration default date in 1969.

I downloaded the IdentityServer4 project source, removed the nuget package, and added the source project to my solution so I could debug through it.

I see that it gets the expiration I gave it in the ConfigureInternalCookieOptions.cs / Configure() method. It's matching the DefaultCookieAuthenticationScheme inside as well / applying the properties. I haven't found anything specific to IdentityServer that would ignore the expiration date I've set, but it still has the 1969 expiration.

Edit: I've attempted to set the cookie persistent in the IdentityServer host's AccountController as follows (interestingly enough, Microsoft has a good article around using AuthenticationProperties without using AspNet Identity here: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?tabs=aspnetcore2x - it is sending information in a cookie, "scheme" is just the cookie name).

In the ExternalLoginCallback():

if (id_token != null)
{
    props = new AuthenticationProperties();
    props.ExpiresUtc = DateTimeOffset.UtcNow.Add(AccountOptions.RememberMeLoginDuration);
    props.IsPersistent = true;
    props.StoreTokens(new[] { new AuthenticationToken { Name = "id_token", Value = id_token } });
}

None of the server side cookies have their expiration set (the AccountOptions RememberMeLoginDuration is also set to 365 days). Both "idsrv" and "idsrv.session" still have a 1969 expiration.

2
Were you actually able to find a solution for this? I am experiencing the same.... - Leon
Solved the issue (at least in my case) - are you using their sample "Quickstart" UI login page? - Leon
@JakeJ how are you getting id_token? - prisar

2 Answers

4
votes

You can configure Identity Server's authentication cookie lifetime when you register Identity Server in your Startup.cs, like this:

services.AddIdentityServer(options =>
{
    options.Authentication.CookieLifetime = TimeSpan.FromHours(10);
})

Note: you also need to indicate that the cookie should be persistent when logging the user in. If you're using the Quickstart UI, then you have to tick the "Remember me" checkbox on the login screen to get a persistent cookie. Or you can modify the code to always issue a persistent cookie - something like this:

// SignInAsync returns a Task; await it so the cookie is written before the action returns
await HttpContext.SignInAsync(subject, name, new AuthenticationProperties { IsPersistent = true });

0
votes

I set the IdentityServer cookie configuration by using the following code. When I then store the cookie via (remember me) option in IdentityServ

 // Set identity cookie options
 services.ConfigureApplicationCookie(options =>
 {
     options.ExpireTimeSpan = TimeSpan.FromDays(30);
     options.SlidingExpiration = true;
     options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.SameAsRequest;
 });
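
A way to check the symptom from the question and the persistence and cookie-policy settings from the answers, as an added example that is not part of the original thread: it parses the Set-Cookie values returned by the IdentityServer host at login and reports whether each cookie is persistent (carries Expires or Max-Age) and whether Secure and HttpOnly are set. The sample headers, the function names and the 30-day threshold are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie values (not captured from a real server).
SAMPLE = [
    "idsrv=CONSTRUCTED; path=/; samesite=lax; httponly",
    "idsrv=CONSTRUCTED; expires=Sat, 01 Jan 2028 00:00:00 GMT; path=/; secure; httponly",
]

def audit_set_cookie(header, now=None):
    """Parse one Set-Cookie value into name, lifetime and security flags."""
    now = now or datetime.now(timezone.utc)
    first, *attrs = [part.strip() for part in header.split(";")]
    parsed = {}
    for attr in attrs:
        key, _, value = attr.partition("=")
        parsed[key.strip().lower()] = value.strip()
    seconds = None
    if "max-age" in parsed:  # Max-Age wins over Expires when both are present
        seconds = int(parsed["max-age"])
    elif "expires" in parsed:
        expires = parsedate_to_datetime(parsed["expires"])
        seconds = int((expires - now).total_seconds())
    return {
        "name": first.split("=", 1)[0],
        "persistent": seconds is not None and seconds > 0,
        "lifetime_days": None if seconds is None else round(seconds / 86400, 1),
        "secure": "secure" in parsed,
        "httponly": "httponly" in parsed,
    }

def findings(header, max_days=30, now=None):
    """List issues for one cookie; max_days is an assumed policy threshold."""
    c = audit_set_cookie(header, now)
    issues = []
    if not c["persistent"]:
        issues.append("session cookie: no Expires/Max-Age, lost when the browser closes")
    elif c["lifetime_days"] > max_days:
        issues.append(f"long-lived: {c['lifetime_days']} days exceeds {max_days}")
    if not c["secure"]:
        issues.append("missing Secure")
    if not c["httponly"]:
        issues.append("missing HttpOnly")
    return issues

if __name__ == "__main__":
    for h in SAMPLE:
        print(audit_set_cookie(h)["name"], findings(h))
```

Copy the Set-Cookie values from the login response in the browser's network tab and pass them to `findings` to see whether the persistence setting actually reached the wire.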