ASP.NET Core MVC: setting expiration of identity cookie

Time: 2022-08-11 01:39:28

In my ASP.NET Core MVC app the lifetime of the authentication cookie is set to 'Session', so it lasts until I close the browser. I use the default authentication scheme for MVC:

app.UseIdentity();

How can I extend the lifetime of the cookie?

6 answers

#1


31  

The ASP.NET Identity middleware which you are using is a wrapper around some calls to UseCookieAuthentication which includes the Cookie Authentication middleware on the pipeline. This can be seen on the source code for the builder extensions of the Identity middleware here on GitHub. In that case the options needed to configure how the underlying Cookie Authentication should work are encapsulated on the IdentityOptions and configured when setting up dependency injection.

Indeed, looking at the source code I linked to you can see that the following is run when you call app.UseIdentity():

var options = app.ApplicationServices.GetRequiredService<IOptions<IdentityOptions>>().Value;
app.UseCookieAuthentication(options.Cookies.ExternalCookie);
app.UseCookieAuthentication(options.Cookies.TwoFactorRememberMeCookie);
app.UseCookieAuthentication(options.Cookies.TwoFactorUserIdCookie);
app.UseCookieAuthentication(options.Cookies.ApplicationCookie);
return app;

To set up the IdentityOptions class, the AddIdentity<TUser, TRole> method has one overloaded version which allows you to configure the options with one lambda. Thus you just have to pass in a lambda to configure the options. In that case you just access the Cookies properties of the options class and configure the ApplicationCookie as desired. To change the time span you do something like

services.AddIdentity<ApplicationUser, IdentityRole>(options => {

    options.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromHours(1);

});

EDIT: The ExpireTimeSpan property is only used if when calling HttpContext.Authentication.SignInAsync we pass in an instance of AuthenticationProperties with IsPersistent set to true.

Trying out just with the Cookie Authentication Middleware it turns out that this works: if we just sign in without this option, we get a cookie that lasts for the session; if we send this together we get a cookie which lasts what we set up when configuring the middleware.

With ASP.NET Identity the way to do it is to pass the parameter isPersistent of PasswordSignInAsync with the value true. This ends up being a call to SignInAsync of the HttpContext, passing in the AuthenticationProperties with IsPersistent set to true. The call ends up being something like:

var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, lockoutOnFailure: false);

Where the RememberMe is what configures if we are setting IsPersistent to true or false.

#2


3  

There's an answer for version 2.0 but it didn't work for me. I had to do:

services.ConfigureApplicationCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromDays(30);
});

The default value is 14 days.

#3


2  

Try

app.UseIdentity().UseCookieAuthentication(
    new CookieAuthenticationOptions
    {
        ExpireTimeSpan = TimeSpan.FromHours(1)
    }
);

#4


1  

For some reason I had the issue that when using SignInAsync([..], true) the cookie was never shown in the browser (and properly the login failed):

So, I tried adding the UTC timezone difference into the TimeSpan of ExpireTimeSpan

services.AddIdentity<ApplicationUser, IdentityRole>(o =>
{
    // add TimeSpan with 5 minutes plus timezone difference from Utc time
    o.Cookies.ApplicationCookie.ExpireTimeSpan = DateTime.Now.Subtract(DateTime.UtcNow).Add( TimeSpan.FromMinutes(5) );

});

Voila! It worked and the cookie is shown with +5min expiration only in browser.

PingBack to github.com https://github.com/aspnet/Identity/issues/766#issuecomment-253237576

#5


1  

For ASP.NET Core 2.0

  services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Name = "CookieName";
            options.Cookie.Expiration = TimeSpan.FromDays(2);
        });

#6


1  

In ASP.NET Core 2.0 use ExpireTimeSpan property instead of Cookie.Expiration.

services.ConfigureApplicationCookie(options =>
{   
    options.Cookie.Name = "CookieName";         
    options.ExpireTimeSpan = TimeSpan.FromHours(24);
    options.SlidingExpiration = true;               
});

From docs:

Cookie.Expiration: Gets or sets the lifespan of a cookie. Currently, this option no-ops and will become obsolete in ASP.NET Core 2.1+. Use the ExpireTimeSpan option to set cookie expiration.
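
The settings discussed in the answers above, combined into one added example (it is not part of any answer on this page). It assumes ASP.NET Core 2.0 or later and the ApplicationUser type used in the answers; IdentityCookieSetup, LoginService and their method names are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationUser : IdentityUser { }   // assumed user type, as in the answers

public static class IdentityCookieSetup           // hypothetical helper
{
    // Call from Startup.ConfigureServices after services.AddIdentity<...>().
    public static void ConfigureIdentityCookie(IServiceCollection services)
    {
        services.ConfigureApplicationCookie(options =>
        {
            // Lifetime of the authentication ticket stored inside the cookie.
            options.ExpireTimeSpan = TimeSpan.FromHours(24);
            // Re-issue the cookie once more than half of the lifetime has elapsed.
            options.SlidingExpiration = true;
            // A longer-lived cookie is exposed for longer, so keep it away
            // from script and from plain HTTP.
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax;
        });
    }
}

public class LoginService                          // hypothetical wrapper
{
    private readonly SignInManager<ApplicationUser> _signInManager;
    public LoginService(SignInManager<ApplicationUser> signInManager) => _signInManager = signInManager;

    // rememberMe == false: session cookie (no Expires attribute), gone when the browser closes.
    // rememberMe == true: persistent cookie whose Expires attribute follows ExpireTimeSpan.
    public Task<SignInResult> PasswordLoginAsync(string email, string password, bool rememberMe) =>
        _signInManager.PasswordSignInAsync(email, password, isPersistent: rememberMe, lockoutOnFailure: false);

    // Per-sign-in override: an explicit ExpiresUtc takes precedence over ExpireTimeSpan.
    public Task ShortLivedLoginAsync(ApplicationUser user) =>
        _signInManager.SignInAsync(user, new AuthenticationProperties
        {
            IsPersistent = true,
            ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(30)
        });
}
```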
