
How to set session expiration #1540

Closed
paalandreassen opened this issue Jan 15, 2025 · 3 comments

Comments

@paalandreassen

Which version of Duende IdentityServer are you using?
IdentityServer 7.0.6 (business license)
BFF 2.2.0

Which version of .NET are you using?
.NET 8

Describe the bug

We are using IdentityServer 7 with BFF on a React SPA line-of-business application. It uses the authorization code auth flow with PKCE and server side sessions.

Both login and logout (with back channel) work just fine, even when running multiple replicas of the frontend, IdentityServer and BFF on a Kubernetes cluster.

The only issue is that we want the user sessions to expire after X hours of inactivity. It seems that with the default settings a user session lasts about 14 days of inactivity before you are prompted to log in again. So even over the Christmas holiday several users did not have to log in; they could just refresh the browser and continue where they left off.

There are a multitude of Lifetime and Expiration settings to fiddle with. But we are having a hard time finding the correct one(s) to change.

  • We tried to set expiration on the cookie that BFF sends the client, but it seems to be overwritten regardless of what we set. Even if we set an absolute expiration it appears in Chrome as a session cookie that apparently now lasts forever.
  • We tried to change the expiration on the token that BFF and IdentityServer use without any luck.
  • We tried changing the AccessTokenLifetime and IdentityTokenLifetime setting on the Client definition.

Can you please help with what settings we need to change so that the user is required to log in again after X hours of inactivity (i.e. a sliding expiration)? We really want the user to be automatically logged out when leaving for the day and to have to log in again the next day.

Expected behavior

Good documentation on how to achieve sliding expiration for X hours on user sessions would be appreciated as this is most likely a quite common requirement for LOB apps.

@RolandGuijt

The session cookie is what defines the user session, so its lifetime determines the lifetime of the user session.
Important to understand here is that there are two session cookies in a BFF scenario:

  • A session cookie set by the BFF
  • A session cookie set by IdentityServer

When the BFF cookie expires and there's still a valid IdentityServer session cookie this will happen:

  • The BFF login endpoint is called by the SPA
  • The BFF will send a request to the authorization endpoint of IdentityServer
  • IdentityServer will get IdentityServer's session cookie
  • Since it is still valid, IdentityServer will skip the login page and issue the tokens straight away
  • Upon receiving the tokens the BFF will create a new session and thus a new session cookie

So to control this the cookie configuration on IdentityServer is key.
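
To make the two-cookie picture above concrete, here is an added configuration example. It is not code from the issue, from the reporter's project or from Duende's documentation. It assumes an 8-hour inactivity window, a BFF cookie scheme named "cookie", an OIDC scheme named "oidc", a client id of "bff", and that refresh tokens (offline_access) are in use. The option names on the IdentityServer side (`Authentication.CookieLifetime`, `Authentication.CookieSlidingExpiration`, `ServerSideSessions.ExpiredSessionsTriggerBackchannelLogout`, and the refresh-token properties on `Client`) are Duende IdentityServer's own; the `ConfigureApplicationCookie` branch only applies if ASP.NET Identity owns the sign-in cookie, which the thread does not say.

```csharp
using Duende.IdentityServer.Models;

// Added example, not the reporter's or Duende's code. Assumption: the user
// should have to log in again after 8 hours without activity (sliding).
var idleTimeout = TimeSpan.FromHours(8);

// ===== IdentityServer host (Program.cs excerpt) =====
var idsrv = WebApplication.CreateBuilder(args);

idsrv.Services.AddIdentityServer(options =>
{
    // This cookie IS the IdentityServer session. While it is valid the authorize
    // endpoint skips the login page, so an expired BFF cookie is simply replaced
    // by a new one after a silent round trip. This is the setting that matters.
    options.Authentication.CookieLifetime = idleTimeout;
    options.Authentication.CookieSlidingExpiration = true;

    // Server-side sessions: let the expiry of a stored session send a back-channel
    // logout to the BFF, so the BFF session ends at the same moment.
    options.ServerSideSessions.RemoveExpiredSessions = true;
    options.ServerSideSessions.ExpiredSessionsTriggerBackchannelLogout = true;
})
.AddServerSideSessions()
.AddInMemoryClients(new[]
{
    new Client
    {
        ClientId = "bff",                       // assumed client id
        AllowedGrantTypes = GrantTypes.Code,
        RequirePkce = true,
        AllowOfflineAccess = true,
        // Refresh tokens have their own lifetime. Keep them from outliving the
        // session, otherwise the BFF can keep renewing access tokens for an idle user.
        RefreshTokenExpiration = TokenExpiration.Sliding,
        SlidingRefreshTokenLifetime = (int)idleTimeout.TotalSeconds,
        AbsoluteRefreshTokenLifetime = (int)TimeSpan.FromDays(1).TotalSeconds,
        // RedirectUris, PostLogoutRedirectUris, BackChannelLogoutUri, AllowedScopes
        // and ClientSecrets as in the existing deployment.
    }
});

// Only if ASP.NET Identity is registered (AddIdentity<...>()) and therefore owns
// the sign-in cookie: its cookie options override the ones above. ASP.NET Core's
// cookie handler defaults to a 14-day sliding lifetime, which matches the
// behaviour reported in the issue.
idsrv.Services.ConfigureApplicationCookie(options =>
{
    options.ExpireTimeSpan = idleTimeout;
    options.SlidingExpiration = true;
});

// ===== BFF host (Program.cs excerpt, separate project) =====
var bff = WebApplication.CreateBuilder(args);

bff.Services.AddBff();

bff.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "cookie";           // assumed scheme names
    options.DefaultChallengeScheme = "oidc";
    options.DefaultSignOutScheme = "oidc";
})
.AddCookie("cookie", options =>
{
    // The BFF's own session cookie. On its own this does not end the login:
    // when it expires the SPA calls /bff/login and IdentityServer re-issues
    // tokens silently while ITS cookie is alive. Keep it no longer than idleTimeout.
    options.ExpireTimeSpan = idleTimeout;
    options.SlidingExpiration = true;
    options.Cookie.Name = "__Host-bff";         // assumed name
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
})
.AddOpenIdConnect("oidc", options =>
{
    options.Authority = "https://idsrv.example.com";   // assumed
    options.ClientId = "bff";
    options.ClientSecret = "<secret>";
    options.ResponseType = "code";
    options.UsePkce = true;
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("offline_access");
    options.SaveTokens = true;
});
```

Two things worth knowing when checking the result. First, the ASP.NET Core cookie handler only writes an `Expires` attribute on the browser cookie when the ticket is persistent; otherwise the browser shows a session cookie while the encrypted ticket inside still carries `ExpireTimeSpan`, so the reporter's observation in Chrome does not mean the expiry was ignored, and DevTools is not the place to verify the effective lifetime. Second, with `SlidingExpiration` the handler re-issues the cookie only once more than half of `ExpireTimeSpan` has elapsed, so a request made at hour 3 of an 8-hour window does not extend it yet; a request at hour 5 does.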

@RolandGuijt

@paalandreassen Did my comment help you out? If so I'd like to close this issue.

@paalandreassen
Author

Yes, thank you. Your comments helped us to find the right cookie to set expiration on.
