How to control when user gets re-challenged

We have an ASP.Net web application that uses the login widget. After the user logs in successfully, we have a “keep alive” that hits our web server every few minutes to make sure the ASP.Net Session does not expire if the user stays on a single page for too long. After about an hour, the “keep alive” request starts returning a redirect to our widget page, instead of the 200 OK response that we got for the first hour. I know that the Okta session is still active, because if we redirect to the login widget, the user is automatically logged back into our application without having to re-enter credentials. What causes requests to our website to get challenged after the user has already logged in and can I control it to automatically extend, like ASP.Net Session timeout extends each time the web server handles a request?

Is this an OIDC application?

My first thought is that users are being prompted to re-authenticate due to their tokens expiring (they tend to have a default lifetime of 1 hour).

Yes, we use OIDC with Owin. Is there a way for us to extend this expiration time a little every time our application gets another request, like the way Session has sliding expiration that is extended each time the application gets another request?

I think I found the settings to enable this. Does this sound like it will do the trick?

            var cookieOptions = new CookieAuthenticationOptions
            {
                SlidingExpiration = true,
                // default ExpireTimeSpan seems to be 14 days, so want to override that
                ExpireTimeSpan = this.CookieExpireTimeSpan,
            };

            app.UseCookieAuthentication(cookieOptions);

            var options = new OpenIdConnectAuthenticationOptions
            {
// must set UseTokenLifetime to false to enable SlidingExpiration 
                UseTokenLifetime = false,
            };
            app.UseOpenIdConnectAuthentication(options);

I’m not fully certain on what is causing the problem, so I don’t know if changing the OWIN session cookie lifetime will help or not.

What happened when you tried that out?

Yes, this worked. Previously, we were using the default value of UseTokenLifetime, which prevents sliding expiration from working.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.