Asp net core 3.1 Session never expires

0
votes

I have tried everything I found on StackOverflow but I still cannot manage for Session (contents) to be expired automatically.

I've tried:

I do not access Session data (set,get) on ajax calls, so this cannot increase session expiration automatically.

It was so easy/trivially in old AspNet MVC - worked as expected immediately.

And all I do I store custom login (data) into Session and expect Session to drop after, say 20 minutes of user's inactivity. But this never happens.

Any ideas?

EDIT: Cookies

 lb_commonator=ffffffff0972280045525d5f4f58455e445a4a423660; crowd.token_key=7qN9z4UYR3tCjYdronwmOw00; .AspNetCore.Antiforgery.tYkxYH7Bg6I=CfDJ8OahW8JbNMdPv78xOmnUC6BtivuFvWy4RhYaN0oRtiUvkLpVtHLxgQaQOS1RTNqT8E0LaobeaNdLIhhoy4z4qSJleqiK2QJTWEptEDFAITNCTdh03AIqcd0mBL0FZeFcr5GalTfqiNahST7eUL7Wnpg; .AspNetCore.Session=CfDJ8OahW8JbNMdPv78xOmnUC6Cwi2HZVPs93%2Bohf8c%2BvQ1hWZVHeu54cwkg8PND41KXN1F%2BeAOSnTnkiT3RAGb3mPQjLRMpcq1x9f5KFrgegRRoEDHx%2FgEknhSOo8yCfKp1srlrzTWUtpUF8tsFKn1JwPLI9fHT77SGscSkTMrsueYr

EDIT 2 (IdleTimeout and ExpireTimeSpan have no effect at all):

    // Add session
    // Add session
    // Add session
    services.AddSession();

    // TESTING: TODO:
    // TESTING: TODO:
    // TESTING: TODO:
    //services.AddSession(options =>
    //{
    //    options.IdleTimeout = TimeSpan.FromSeconds(10);
    //});
    //services.ConfigureApplicationCookie(options =>
    // {
    //     options.SlidingExpiration = true;
    //     options.ExpireTimeSpan = TimeSpan.FromSeconds(10);
    // });

EDIT 3:

enter image description here

1
asp.net-coreasp.net-core-3.1
Could you provide session cookie properties in browserIlnar Gabidullin
Yes I will, tomorrow.sabiland
I means properties from developer tools ![enter image description here](i.stack.imgur.com/A1tYP.png)Ilnar Gabidullin
After some testing it seems, that session expires normally after (default) 20 minutes. I was just not able to change default time (20 minutes).sabiland

1 Answers

0
votes
// TESTING: TODO:
// TESTING: TODO:
// TESTING: TODO:
//services.AddSession(options =>
//{
//    // session data experation in storage
//    // for example, if you use redis, this will add ttl 10 secs
//    // for data in redis, but no influence to cookie lifitime
//    options.IdleTimeout = TimeSpan.FromSeconds(10);
//    // this will affect on cookie liftime in browser
//    // if you do not set it, cookie will be Session
//    // and expire when you close your browser
//    options.Cookie.MaxAge = TimeSpan.FromHours(1);
//});

enter image description here

EDIT:

  1. To refresh existing session cookie you will need to track cookie creation time for example in session data and reset cookie in middleware

         app.Use(async (context, next) =>
     {
         string sessionCookie;
         if (/*add here expiration check &&*/ context.Request.Cookies.TryGetValue("SessionCookieName", out sessionCookie))
         {
             context.Response.Cookies.Append("SessionCookieName", sessionCookie, new CookieOptions
             {
                 MaxAge = TimeSpan.FromSeconds(10),
                 HttpOnly = true,
                 SameSite = SameSiteMode.Lax,
                 Path = "/"
             });
         }
         await next.Invoke();
     });

  2. Or you also can write middleware that handle session cookie sliding expiration (expiration time may be added to cookie data) instead default Session middleware. Default implementation is here.

  3. I do not know what kind of task are you solving, but I think the following configuration is enough:

     services.AddSession(options =>
 {
    options.IdleTimeout = TimeSpan.FromSeconds(10);
 });

It will invalidate your session data in 10 seconds (cookie may still be alive), and it provide sliding expiration for session data.