On a Microsoft Server 2016, we are creating an HTTP response cookie that expires in 20 minutes.
cookie.Expires = DateTime.Now.AddMinutes(20);
HttpContext.Current.Response.Cookies.Add(cookie);
In the Chrome browser (Version 108.0.5359.125 (Official Build) (64-bit)) the time is only 14 minutes ahead.
2022-12-22T19:48:26.705Z
Whereas Firefox will have the correct time 22 DEC 2022 19:54:08 GMT
The time on the server is correct. When the cookie appears in the browser the time is incorrect. Not sure what all to check. One other fact was it was working just fine until Monday of this week. So I extended the expiration time to compensate.
Check your clocks on both server and client. Use a website like https://time.is/ for this purpose.
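The same clock check can be made from a captured response, because the Date header carries the server's clock at send time. This is an added example, not part of the original answer; the header values and client time are constructed, and it assumes a client that compares Expires with its own clock without compensating for skew.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def cookie_lifetimes(date_header, set_cookie, client_now):
    """Compare the lifetime the server intended with the one the client sees."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:           # skip the name=value pair
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    server_now = parsedate_to_datetime(date_header)
    skew = client_now - server_now                    # > 0: client clock is ahead
    if "max-age" in attrs:
        # Max-Age takes precedence over Expires (RFC 6265) and is relative,
        # so clock skew does not change the lifetime.
        intended = seen = timedelta(seconds=int(attrs["max-age"]))
    else:
        expires = parsedate_to_datetime(attrs["expires"])
        intended = expires - server_now               # what the server meant
        seen = expires - client_now                   # what a skewed client gets
    return {"skew": skew, "intended": intended, "seen": seen}


# Constructed capture: server sets a 20-minute cookie, client clock is 6 minutes ahead.
DATE = "Thu, 22 Dec 2022 19:34:08 GMT"
SET_COOKIE = "session=abc123; expires=Thu, 22 Dec 2022 19:54:08 GMT; path=/"
SET_COOKIE_MAX_AGE = "session=abc123; Max-Age=1200; path=/"
CLIENT_NOW = datetime(2022, 12, 22, 19, 40, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hdr in (SET_COOKIE, SET_COOKIE_MAX_AGE):
        print(cookie_lifetimes(DATE, hdr, CLIENT_NOW))
```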
Related
I've got a question about an ASP.NET MVC web application I wrote. More specifically, it is about the cookies the application saves. We recently discovered that the default ASP.NET Identity cookies have an expiry date in the past. For example, if you look at the ".AspNet.ExternalCookie" or ".AspNet.TwoFactorCookie", it says "expires=Thu, 01-Jan-1970 00:00:00 GMT". Here is a screenshot:
When you look at the cookies in the browser, the expiration date says "When browsing session ends". So, my question is, is it correct that the expiration date is 01/01/1970 or is this not best-practice? I read over at the OWASP site (https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Life_Cycle - in the Session Expiration paragraph), that you should set an expiry date in the past if you want to invalidate a cookie.
I'm not sure if I should change something in the Startup.Auth.cs or just let it go and trust Microsoft on this? What do you think?
Thank you very much,
Sascha
I have an authentication cookie that gets set after I hit a login screen in my local environment. That cookie has been set to be persistent and has been given a timeout period of 7 days in the future.
When I end my debug session and start debugging after another build the cookie is not present. This happens for every browser. Is there a way to get Visual Studio to remember the persistent cookie after a debug session completes?
The solution I found was to make it so that new instances of .NET Core MVC would not open up in a brand new window, but an existing one. I changed one setting
1) Tools menu
2) Options...
3) Debugging > General
4) Uncheck "Enable JavaScript debugging for ASP.NET"
And when I run the app with F5 an instance fires up in an existing instance of Chrome and I can reuse the cookies that are already in existence. With that box checked it always opens into a new instance of Chrome and cookies are not present.
Assuming you are using VS and ASP.NET 4.5 or Core 1.0/2.0 under IIS, check your debug output on startup and you might see:
“Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits.”
This is caused by the DataProtection keys used by IIS. Follow this short blog post to resolve
Let's have a quick look at how to make cookies persistent
//Creating a Cookie Object
HttpCookie _userInfoCookies = new HttpCookie("UserInfo");
//Setting values inside it
_userInfoCookies["UserName"] = "Abhijit";
_userInfoCookies["UserColor"] = "Red";
_userInfoCookies["Expire"] = "5 Days";
//Adding Expire Time of cookies
_userInfoCookies.Expires = DateTime.Now.AddDays(5);
//Adding cookies to current web response
Response.Cookies.Add(_userInfoCookies);
Now, once you have set the cookie's expiry time, it will be stored on the hard drive until it expires or the user manually deletes it or clears all the cookies. If you want the cookie to expire before the expiration time that you set earlier, you just need to override the cookie's information.
HttpCookie _userInfoCookies = new HttpCookie("UserInfo");
//Adding Expire Time of cookies before existing cookies time
_userInfoCookies.Expires = DateTime.Now.AddDays(-1);
//Adding cookies to current web response
Response.Cookies.Add(_userInfoCookies);
So just work on expiration,
and take a look at this
I am currently doing a project in which I have an ASP.NET Core web API being called from a separate-domain front end.
So I have implemented a JWT token generator to let the user log in, and I wanted to try saving the token through cookies and enable cookie authentication.
And here's my code for adding the cookie; it is in my middleware code:
//Add the cookies for login
CookieOptions options = new CookieOptions();
options.Expires = DateTime.Now.AddMinutes(5);
context.Response.Cookies.Append("access_token", encodedJwt, options);
But I am running into some trouble saving the cookie itself.
And you can see in the image that the cookie is returned but it is being saved.
And inspecting Fiddler, I can see my Set-Cookie code, in which I don't see any issue, but I am really new to cookies so I might be wrong:
Set-Cookie: access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsb2xzcGFtbWVyQG91dGxvb2suY29tIiwianRpIjoiN2FkNWI0MTktOGNhZC00MzZmLWJjZTQtZjM3ZmI5MjgxNWU2IiwiaWF0Ijo3OTAsIm5iZiI6MTUwMTgzODg5MiwiZXhwIjoxNTAxOTI1MjkyLCJpc3MiOiJFeGFtcGxlSXNzdWVyIiwiYXVkIjoiRXhhbXBsZUF1ZGllbmNlIn0.gA4yZgs2r3OJqSYWlUxaV7bkGcP5YdN1fcplMzZT868; expires=Fri, 04 Aug 2017 09:33:12 GMT; path=/
And I tried multiple browsers like Google Chrome, Firefox and Opera, but no luck.
I even hosted my website, thinking maybe it is because it is running locally, as I have read some articles online saying that is the issue, but no luck.
If anyone has the answer to my solution please tell me, and thank you in advance.
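A Set-Cookie header of the shape shown in the question carries only expires and path, so an attribute audit is the first check to run on it. This is an added example, not code from the original post: the token is an unsigned, constructed JWT-shaped value, the 24-hour token lifetime is an assumption, and the function names are hypothetical.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header value."""
    pair, *rest = [p.strip() for p in header.split(";")]
    value = pair.partition("=")[2]
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in rest)}
    findings = []
    if "httponly" not in attrs:
        findings.append("no HttpOnly: page script can read the token")
    if "secure" not in attrs:
        findings.append("no Secure: cookie is also sent over plain HTTP")
    if "samesite" not in attrs:
        findings.append("no SameSite: browsers defaulting to Lax will not "
                        "send it on cross-site fetch/XHR")
    parts = value.split(".")
    if len(parts) == 3 and "expires" in attrs:       # JWT-shaped value
        body = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(body))  # decoded, not verified
        cookie_exp = parsedate_to_datetime(attrs["expires"])
        token_exp = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
        if token_exp > cookie_exp:
            findings.append(f"token stays valid {token_exp - cookie_exp} "
                            "after the cookie expires")
    return findings


def sample_header(token_ttl, cookie_ttl, extra=""):
    """Build a constructed Set-Cookie value carrying an unsigned JWT-shaped token."""
    issued = datetime(2017, 8, 4, 9, 28, 12, tzinfo=timezone.utc)
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"sub": "user@example.com",
              "exp": int((issued + token_ttl).timestamp())}
    token = ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "sig"])
    expires = format_datetime(issued + cookie_ttl, usegmt=True)
    return f"access_token={token}; expires={expires}; path=/{extra}"


# 5-minute cookie as in the question; the 24-hour token lifetime is assumed.
WEAK = sample_header(timedelta(hours=24), timedelta(minutes=5))
# Attributes added and token lifetime aligned with the cookie.
HARDENED = sample_header(timedelta(minutes=5), timedelta(minutes=5),
                         "; Secure; HttpOnly; SameSite=None")

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_set_cookie(hdr))
```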
I am using the following link to generate a refresh token for Intuit QuickBooks integration:
https://gist.github.com/IntuitDeveloperRelations/7259345.
But I am getting ErrorCode 212 - "Token Refresh Window Out of Bounds". I am unable to understand what I am doing wrong. I created my Intuit account just 15 days ago, so there is no question of exceeding the 30-day window bounds.
What am I missing here? What information do I need to refresh the token? Do I need a sessionHandle as well? If yes, how do I generate it?
Thanks in advance.
Regards,
Sagar Vyas
The 30-day window bound is 30 days from the expiration of the token, not 30 days from when you got the token.
Tokens are by default valid for 180 days. That means you can only renew after 150 days of use.
So, you're out of the allowable bounds, just as the error says.
Just for curiosity, if I have a session timeout of 20 minutes and the following happens:
A user accesses a website. Initial session timeout starts.
After one minute on the same page $.post("/api/longrunningfuction", function() {
alert("success");
}) is called.
The post call takes ten minutes before returning (hopefully not realistic, just to help get my question across).
Would the remaining time now be:
20 minutes due to the post call returning and extending the session?
10 minutes (calling post extended the session, but it's been 10 minutes for the post to return)?
Other?
The documentation for the session end event says that (emphasis mine)
A session expires when the number of minutes specified by the Timeout
property passes without a request being made for the session.
Therefore there should be 10 minutes remaining.
I haven't seen the framework code, but the session duration is controlled by setting the authentication cookie duration on response. Therefore it seems logical that even though the new cookie is sent when your server-side code has completed, the new expiration time is calculated when the request is received. If 10 minutes pass between the time the expiration time is calculated and the time it is communicated back to the client, then that's 10 minutes worth of session that have been lost.
Session extension works by rewriting the forms authentication cookie to the response. More specifically if you have enabled sliding expiration for your forms authentication (usually not recommended for security reasons), when a request is sent to the server, the forms authentication module intercepts this request at the beginning of the request, it decrypts the forms authentication cookie in order to extract the forms authentication ticket and modifies the expiration date of this ticket and adds the new cookie to the response. All this happens at the beginning of the request. This means that the session will be extended with 20 additional minutes (or whatever your timeout is defined) from that moment.
Then let's suppose that the entire request takes 10 minutes to complete before returning the response to the client (and respectively the refreshed forms authentication cookie). When the client receives this cookie, there will be 10 more minutes left for it to be valid.
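The timing described in the two answers above, replayed as an added example (not code from either answer or from ASP.NET). The half_life_rule switch models the documented Forms Authentication behaviour of renewing a ticket only once more than half of the timeout has elapsed, which neither answer mentions; all names here are hypothetical and times are in minutes since login.

```python
from dataclasses import dataclass


@dataclass
class Ticket:
    issued: float     # minutes since login
    expires: float


def renew(ticket, now, half_life_rule):
    """Slide the ticket at request arrival; return it unchanged if no renewal is due."""
    age, remaining = now - ticket.issued, ticket.expires - now
    if half_life_rule and remaining > age:
        return ticket                     # less than half the timeout used: no renewal
    return Ticket(now, now + (ticket.expires - ticket.issued))


def replay(timeout, requests, half_life_rule=False):
    """requests: [(arrival_minute, duration_minutes)], sorted by arrival.

    Returns, per request, the minutes of validity left when its response
    reaches the client (negative: the refreshed cookie arrives already
    expired), or None if the ticket had expired before the request arrived.
    """
    ticket, out = Ticket(0, timeout), []
    for arrival, duration in requests:
        if arrival >= ticket.expires:
            out.append(None)              # rejected: the user must log in again
            continue
        ticket = renew(ticket, arrival, half_life_rule)   # decided at request start
        out.append(ticket.expires - (arrival + duration))
    return out


if __name__ == "__main__":
    # The question's scenario: 20-minute timeout, request at minute 1 taking 10 minutes,
    # followed by two constructed requests at minutes 12 and 40.
    timeline = [(1, 10), (12, 1), (40, 1)]
    print("renew on every request:", replay(20, timeline))
    print("renew after half-life: ", replay(20, timeline, half_life_rule=True))
```

With renewal on every request the long call leaves 10 minutes, as the answers conclude; with the half-timeout rule the request at minute 1 does not renew the ticket, so only 9 minutes remain.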