Identity server 4 session/cookie related questions

4
votes

I have two session related questions

  • Server: Identity server 4 with .net47 and asp.net core2.
  • Client: OpenId connect and implicit flow.

First question Are there any security concerns, if IdentityServer.CookieLifetime is set too long?, such as 6 hours. IdentityServer.CookieLifetime option is used to set the authentication cookie lifetime. For example, my sample code shows authentication cookie lifetime is set to 6 hours. Therefore,users do not have to enter password for 6 hours.

Second question If we want to keep the authentication cookie lifetime shorter and slide the cookie (enable CookieSlidingExpiration), does it work with openid connect silent refresh? Because, the silent refresh keep refresh the page when the current token is about expire. Will the silent refresh trigger cookie sliding forever? any suggestions, thank you 

 services.AddIdentityServer(options => {
 options.Authentication.CookieLifetime TimeSpan.FromSeconds(21600); //6 hours 
 options.Authentication.CookieSlidingExpiration = false

                    ...}
1
securityidentityserver4openid-connect

1 Answers

0
votes
  1. You shouldn't worry about a cookie lifetime of 6 hours; in fact the default is 10 hours. Where you want to be careful is with the lifetime of your tokens. I typically have my access tokens last an hour and use a refresh token to refresh the tokens so the end users are not forced to re-authenticate every hour. However, I am working with MVC clients and not JavaScript clients.
  2. There is an Identity Token lifetime you can set on your client along with a UseTokenLifetime property, which is disabled by default. If you want this to be client specific I would recommend using these two properties to set your expiration. However, with your sliding expiration on the cookie, if the 6 hours has lapsed it will not slide and therefore expire. Plus you are not creating a new cookie until it is half expire anyways.

I hope this helped! Good luck!