aspnetcore: Clarify behavior of CookieAuthenticationOptions.Cookie.Expiration
https://github.com/aspnet/Security/pull/1285 added CookieAuthenticationOptions.Cookie.Expiration, a nullable TimeSpan, but we still have CookieAuthenticationOptions.ExpireTimeSpan. Cookie.Expiration is ignored. We should clarify what Cookie.Expiration is meant to do and how it interacts with ExpireTimeSpan.
About this issue
- State: closed
- Created 7 years ago
- Reactions: 1
- Comments: 18 (16 by maintainers)
@RickBlouch It’s funny you compare it to Session as that has most of the same issues but possibly worse. A) Setting the cookie expiration violates the definition of a session cookie. Cookies with explicit expiration will not be cleared when the browser is closed. B) Session has no sliding expiration implementation for its cookie. Your cookie will always expire in the specified two minutes regardless of user activity. Session only has sliding expiration for the server cache.
Prior to 2.0 there was no way to set the Session cookie expiration. It was only added because it was part of the shared CookieBuilder infrastructure and we weren’t sure it was worth blocking. Now I think the sliding expiration issue makes it worth blocking.
And no, you cannot directly control the auth cookie’s expiration value without enabling IsPersistent (per login). That’s because you’re supposed to get user consent before persisting auth cookies beyond the current browser session (e.g. “remember me”).
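The configuration the issue and the comment above are talking about, as an added example that is not from the issue, the pull request or the aspnetcore repository: ticket lifetime and sliding renewal come from ExpireTimeSpan and SlidingExpiration, Cookie.Expiration is left unset because the page states it is ignored, and the cookie only outlives the browser session when the sign-in call sets IsPersistent. The minimal-hosting layout, the `/login` route, the `rememberMe` parameter and the demo user are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // ExpireTimeSpan is the setting that actually bounds the authentication
        // ticket: after 20 minutes the ticket is rejected even if the cookie is
        // still sent by the browser.
        options.ExpireTimeSpan = TimeSpan.FromMinutes(20);

        // SlidingExpiration re-issues the ticket (and cookie) when more than half
        // of ExpireTimeSpan has elapsed, so an active user is not signed out.
        options.SlidingExpiration = true;

        // Deliberately left unset: per the issue above, Cookie.Expiration is
        // ignored by the cookie authentication handler, so a value here would
        // only suggest a lifetime that is never applied.
        // options.Cookie.Expiration = TimeSpan.FromDays(30);

        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;
    });

var app = builder.Build();
app.UseAuthentication();

// Assumed sign-in endpoint. "rememberMe" (a constructed parameter name) is the
// user's explicit consent to a cookie that survives closing the browser.
app.MapPost("/login", async (HttpContext ctx, bool rememberMe) =>
{
    // Constructed sample identity; a real app would validate credentials first.
    var claims = new List<Claim> { new Claim(ClaimTypes.Name, "demo-user") };
    var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);

    var props = new AuthenticationProperties
    {
        // false: session cookie, no Expires attribute, dropped when the browser
        //        closes (the ticket inside still expires after ExpireTimeSpan).
        // true:  persistent cookie whose Expires attribute is derived from
        //        ExpireTimeSpan; this is the only supported way to get an
        //        expiring auth cookie, as the comment above explains.
        IsPersistent = rememberMe,
    };

    await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                          new ClaimsPrincipal(identity), props);
    return Results.Ok();
});

app.Run();
```

Checking the result in a browser's cookie inspector after signing in with and without `rememberMe` makes the difference visible: only the persistent sign-in produces a cookie with an Expires attribute, and in both cases the server stops accepting the ticket once ExpireTimeSpan has elapsed without a sliding renewal.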