How to control when user gets re-challenged

We have an ASP.Net web application that uses the login widget. After the user logs in successfully, we have a “keep alive” that hits our web server every few minutes to make sure the ASP.Net Session does not expire if the user stays on a single page for too long. After about an hour, the “keep alive” request starts returning a redirect to our widget page, instead of the 200 OK response that we got for the first hour. I know that the Okta session is still active, because if we redirect to the login widget, the user is automatically logged back into our application without having to re-enter credentials. What causes requests to our website to get challenged after the user has already logged in and can I control it to automatically extend, like ASP.Net Session timeout extends each time the web server handles a request?

Is this an OIDC application?

My first thought is that users are being prompted to re-authenticate due to their tokens expiring (they tend to have a default lifetime of 1 hour).

Yes, we use OIDC with Owin. Is there a way for us to extend this expiration time a little every time our application gets another request, like the way Session has sliding expiration that is extended each time the application gets another request?

I think I found the settings to enable this. Does this sound like it will do the trick?

    var cookieOptions = new CookieAuthenticationOptions
    {
        SlidingExpiration = true,
        // default ExpireTimeSpan seems to be 14 days, so want to override that
        ExpireTimeSpan = this.CookieExpireTimeSpan,
    };

    app.UseCookieAuthentication(cookieOptions);

    var options = new OpenIdConnectAuthenticationOptions
    {
        // must set UseTokenLifetime to false to enable SlidingExpiration
        UseTokenLifetime = false,
    };
    app.UseOpenIdConnectAuthentication(options);

I’m not fully certain on what is causing the problem, so I don’t know if changing the OWIN session cookie lifetime will help or not.

What happened when you tried that out?

Yes, this worked. Previously, we were using the default value of UseTokenLifetime, which prevents sliding expiration from working.

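With `UseTokenLifetime = false` and `SlidingExpiration = true`, the thread's keep-alive requests can renew the OWIN cookie for as long as the browser stays open. The sketch below is an added example, not code from the thread or from Okta, that keeps the sliding window but also enforces an absolute cap; the timeout values, the `app.login_utc` property name and the `SessionCookieConfig` class are assumptions made for illustration.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;

public static class SessionCookieConfig
{
    // Assumed policy values and property name, chosen for illustration only.
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);
    private static readonly TimeSpan AbsoluteLimit = TimeSpan.FromHours(8);
    private const string LoginUtcKey = "app.login_utc";

    public static CookieAuthenticationOptions Build()
    {
        return new CookieAuthenticationOptions
        {
            SlidingExpiration = true,      // each request may renew the cookie
            ExpireTimeSpan = IdleTimeout,  // the idle window that gets renewed
            Provider = new CookieAuthenticationProvider
            {
                // Runs at sign-in only: record when the user actually authenticated.
                // Sliding renewal rewrites IssuedUtc, so it cannot serve as this marker.
                OnResponseSignIn = ctx =>
                    ctx.Properties.Dictionary[LoginUtcKey] =
                        DateTimeOffset.UtcNow.ToString("o", CultureInfo.InvariantCulture),

                // Runs on every authenticated request, keep-alive hits included.
                OnValidateIdentity = ctx =>
                {
                    string raw;
                    DateTimeOffset loginUtc;
                    bool valid =
                        ctx.Properties.Dictionary.TryGetValue(LoginUtcKey, out raw) &&
                        DateTimeOffset.TryParse(raw, CultureInfo.InvariantCulture,
                            DateTimeStyles.RoundtripKind, out loginUtc) &&
                        DateTimeOffset.UtcNow - loginUtc <= AbsoluteLimit;

                    if (!valid)
                    {
                        // Marker missing, unparsable or too old: drop the cookie so
                        // the next protected request is challenged again.
                        ctx.RejectIdentity();
                        ctx.OwinContext.Authentication.SignOut(ctx.Options.AuthenticationType);
                    }
                    return Task.FromResult(0);
                }
            }
        };
    }
}
```

Pass the result to `app.UseCookieAuthentication(SessionCookieConfig.Build())` in place of the `cookieOptions` object above. Once the cap is hit the user is sent back through the OIDC challenge, so whether credentials are actually re-entered depends on the Okta session still being alive, as the first post observed.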