I have an ASP.NET Web Forms application on .NET Framework 4.7.2 in which we implement authentication via Okta. When the user accesses a page or tries to perform an action such as storing information, we check whether the user is authenticated and, if so, read the email from the claims to look up information in our database.
To check whether the user is authenticated we use the HttpContext.Current.Request.IsAuthenticated property, but after a few minutes it returns false even though the user is still signed in with Okta. Because the application treats this as "not authenticated", it redirects the user to the application's main page; if the user then navigates to another page, HttpContext.Current.Request.IsAuthenticated returns true again, since the user was authenticated the whole time.
I am clearly not an expert, and I do not know whether the cookies are being deleted or something similar is happening. It should be mentioned that this occurs several minutes after sign-in but never after the same number of minutes — it may happen 5, 10 or 20 minutes after the user successfully authenticated.
Below is the relevant part of the code used for the Okta implementation.
Startup Class
Snippet
using Microsoft.IdentityModel.Logging;
using Microsoft.Owin; using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Okta.AspNet;
using Owin;
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net;
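public class Startup
{
    /// <summary>
    /// OWIN startup: wires cookie authentication and the Okta OpenID Connect
    /// middleware. All Okta settings (domain, client id/secret, authorization
    /// server, redirect URIs) are read from appSettings under the "okta:" prefix.
    /// </summary>
    /// <param name="app">The OWIN application builder supplied by the host.</param>
    public void Configuration(IAppBuilder app)
    {
        // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=316888
        ServicePointManager.Expect100Continue = true;

        // Outbound calls to Okta (token, userinfo, discovery) must use TLS 1.2.
        // The previous list also enabled SSL 3.0, TLS 1.0 and TLS 1.1, which are
        // deprecated/broken and would permit a protocol downgrade; only TLS 1.2
        // is kept. (On 4.7.2 leaving this unset to inherit the OS default is
        // also acceptable; never add Ssl3/Tls/Tls11 back.)
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        // ShowPII makes the IdentityModel library copy tokens, claims and other
        // personal data into exception messages and logs. That is useful while
        // diagnosing the nonce/authentication failures but must not ship in a
        // release build, so it is limited to Debug configurations.
#if DEBUG
        IdentityModelEventSource.ShowPII = true;
#endif

        // NOTE(review): the client secret is read from plaintext appSettings. Prefer a
        // protected configuration section, environment variable or secret store.
        string oktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"];
        string clientId = ConfigurationManager.AppSettings["okta:ClientId"];
        string clientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"];
        string authServer = ConfigurationManager.AppSettings["okta:AuthorizationServerId"];
        string redirectUrl = ConfigurationManager.AppSettings["okta:RedirectUri"];
        string logoutUrl = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"];

        // Cookie sign-in. SameSite=None is presumably required because Okta returns
        // the OIDC response to RedirectUri cross-site; browsers then require Secure,
        // hence CookieSecure.Always (the site must be served over HTTPS only).
        // CookieHttpOnly keeps the library default. No ExpireTimeSpan/SlidingExpiration
        // is set here, so the library defaults apply.
        // NOTE(review): if this application runs on more than one server, every node
        // needs the same <machineKey>; otherwise a cookie encrypted by one node is
        // rejected by another and IsAuthenticated flips to false intermittently.
        // Confirm the deployment topology when investigating that symptom.
        var cookieOptions = new CookieAuthenticationOptions
        {
            CookieSameSite = SameSiteMode.None,
            CookieSecure = CookieSecureOption.Always,
        };

        // Works around the known System.Web/Katana cookie-loss interaction; per the
        // library's guidance it must be registered before the cookie middleware.
        app.UseKentorOwinCookieSaver();
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(cookieOptions);

        app.UseOktaMvc(new OktaMvcOptions()
        {
            OktaDomain = oktaDomain,
            ClientId = clientId,
            ClientSecret = clientSecret,
            AuthorizationServerId = authServer,
            RedirectUri = redirectUrl,
            PostLogoutRedirectUri = logoutUrl,
            // Fetch profile/email claims from the userinfo endpoint rather than
            // relying only on what the ID token carries.
            GetClaimsFromUserInfoEndpoint = true,
            Scope = new List<string> { "openid", "profile", "email" },
        });
    }
}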
Global.asax
Snippet
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using System;
using System.Web;
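public class Global_asax : System.Web.HttpApplication {
    /// <summary>
    /// Application start: hooks DevExpress callback errors into Application_Error
    /// and restricts which resources DevExpress controls are allowed to serve.
    /// </summary>
    void Application_Start(object sender, EventArgs e) {
        // Route DevExpress callback errors through the same handler as page errors.
        DevExpress.Web.ASPxWebControl.CallbackError += new EventHandler(Application_Error);
        // Fixed the smart quotes around the path, which do not compile as a C# string.
        // Local files may only be served from ~/Content.
        // NOTE(review): UrlAccessRule.Allow() with no argument permits any URL to be
        // fetched by the controls; consider restricting it to known hosts if remote
        // URLs can be influenced by users.
        DevExpress.Security.Resources.AccessSettings.DataResources.SetRules(
            DevExpress.Security.Resources.DirectoryAccessRule.Allow(Server.MapPath("~/Content")),
            DevExpress.Security.Resources.UrlAccessRule.Allow()
        );
    }

    void Application_End(object sender, EventArgs e) {
        // Code that runs on application shutdown
    }

    /// <summary>
    /// Unhandled-error hook. The only error handled here is an OpenID Connect
    /// invalid-nonce failure, which is answered by re-challenging the client so it
    /// goes through Okta again and returns with a nonce that matches the validation
    /// context. Every other exception falls through to the normal ASP.NET error handling.
    /// </summary>
    void Application_Error(object sender, EventArgs e) {
        var ex = HttpContext.Current.Server.GetLastError();
        if (ex == null)
        {
            return;
        }

        // Web Forms wraps page exceptions in HttpUnhandledException; the middleware
        // may also surface the nonce error directly. Inspect the innermost exception
        // so the check works in both cases.
        var root = ex.GetBaseException();

        // We often see invalid nonce errors where the user's ID token has a nonce, but the validation context does not.
        // This is a hack solution to hopefully fix that. We simply re-challenge the client, which should bounce them through auth and back with a proper nonce.
        // It's possible this could end up in a redirect loop. If we start seeing errors to that effect, we should try to detect when we've done this once, and stop.
        if (root is OpenIdConnectProtocolInvalidNonceException)
        {
            var context = HttpContext.Current.GetOwinContext();
            // Clear the error first: otherwise ASP.NET still renders its error page,
            // replacing the 401 that Challenge() sets and so suppressing the OIDC
            // redirect the challenge is meant to trigger.
            Server.ClearError();
            context.Authentication.Challenge();
            return;
        }
    }

    void Session_Start(object sender, EventArgs e) {
        // Code that runs when a new session is started.
        // Note: ASP.NET session lifetime is independent of the OWIN authentication
        // cookie; losing one does not imply losing the other.
    }

    void Session_End(object sender, EventArgs e) {
        // Code that runs when a session ends.
        // Note: The Session_End event is raised only when the sessionstate mode
        // is set to InProc in the Web.config file. If session mode is set to StateServer
        // or SQLServer, the event is not raised.
    }
}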
In web.config, add the following: