AspNetKatana: OpenIdConnect terminates the session in 5 minutes
We have ASP.NET app hosted in Azure, using CookieAuthentication. When user logs in, session stays valid (possibly hours or days, we haven’t measured exactly).
When we add OpenIdConnectAuthentication, the session gets terminated after 5 minutes of inactivity.
It is not necessary to use that OpenIdConnect to login. Even if user has used cookie based login, after 5 minutes of inactivity, the next request gets redirected to RedirectToIdentityProvider notification handler of OpenIdConnect, but at that time, the user session is already gone.
ASP.NET is using version 4.8, Owin libraries have version 4.2.2.
Is there any settings, which would make that session to last longer? Or settings, where OpenIdConnect would not interfere at all with sessions, it does not own?
About this issue
- Original URL
- State: closed
- Created a year ago
- Comments: 21 (10 by maintainers)
Hi @Tratcher ,
sorry for the delay, but I have now isolated repro for you on following repository: https://github.com/tomburger/aspnet-auth-sample
Just clone it, open solution in
srcfolder and run it in Visual Studio. It has a login screen and there are four users available, ringo@beat.les, john@…, paul@… and george@…, password “LetItBe” for all four of them. After login there are two pages and you can navigate between them with button. If you wait for 5 minutes and then you click the button, you will be logged out and redirected back to login screen.If you go to file
src\App_Start\Startup.Auth.csand comment out OIDC part (lines 25-79), then logout after 5 minutes is not happening.Please, notice that you are still using cookie authentication, the difference is only the call to
UseOpenIdConnectAuthentication. If you call it, your session is terminated after 5 minutes, if you do not call it, it will stay valid much longer.Feel free to ask more questions, or send me the pull request, if you know how to fix it. We can keep the repo then as a reference for generations to come 😉