Question

I followed advice from this question on how to implement a custom IPrincipal (I need it to store userId in it in order to reduce calls to the database to get just the userId).
Now if I log in to the site, leave it for about 20 minutes without doing anything, and then refresh the page, it requests login again.

Does a custom-implemented IPrincipal have some expiration time, and if it has, how do I extend it?

Solution

IPrincipal is just a contract that any implementing classes must obey.

The timeout really depends on the implementation, but a huge consideration on ASP.NET apps should be the formsAuthentication timeout value.

http://msdn.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.timeout.aspx

This'll be the time that ASP.NET keeps the session open without input from the user. After that, it'll retain no information on the logged-in user. Most IPrincipal implementations rely on matching Context.User.Identity.Name with an entry in a database. Once the Forms Authentication timeout is hit, that value (and the IsAuthenticated == true) status is lost, resulting in the request for a separate login. If you just want a simple extension of the timeout, try tweaking that value first.

If you're looking for longer term solutions (i.e. a "keep me logged in" function), the most common approach is to send a token to the user's browser via a cookie, which is checked on subsequent visits to the site.

Typically the strategy here is:

  • check for cookie
  • pull token value from cookie
  • if matching user found, auto-login the user and give them a FormsAuthentication ticket.

Article on best practices here:

http://jaspan.com/improved_persistent_login_cookie_best_practice
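
The three-step strategy in the answer above, as an added example that is not part of the original answer. The class name, cookie name, lifetime and the in-memory dictionary (standing in for a database table) are assumptions; it goes slightly beyond the listed steps by storing only a hash of the token and making each token single-use.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example: hypothetical helper, not code from the original answer.
public static class RememberMe
{
    const string CookieName = "remember_me";                    // assumed name
    static readonly TimeSpan Lifetime = TimeSpan.FromDays(30);  // assumed lifetime
    class Entry { public string User; public byte[] Hash; public DateTime Expires; }
    static readonly ConcurrentDictionary<string, Entry> Store = new ConcurrentDictionary<string, Entry>();
    static string RandomHex(int n)
    {
        var b = new byte[n];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return BitConverter.ToString(b).Replace("-", "");       // hex is cookie-safe
    }
    static byte[] Hash(string s) { using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s)); }
    static bool SameBytes(byte[] a, byte[] b)                   // comparison without early exit
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Call after a successful password login when "keep me logged in" is ticked.
    public static void Issue(HttpContextBase ctx, string userName)
    {
        string selector = RandomHex(16), validator = RandomHex(32);
        // Only the hash of the validator is kept server-side.
        Store[selector] = new Entry { User = userName, Hash = Hash(validator), Expires = DateTime.UtcNow + Lifetime };
        ctx.Response.Cookies.Add(new HttpCookie(CookieName, selector + ":" + validator)
            { HttpOnly = true, Secure = true, Expires = DateTime.UtcNow + Lifetime });
    }
    // Call for a request that arrives without a valid forms ticket.
    public static bool TryAutoLogin(HttpContextBase ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[CookieName];                    // 1. check for cookie
        string[] parts = cookie == null ? null : (cookie.Value ?? "").Split(':'); // 2. pull token value
        Entry e;
        // TryRemove makes the token single-use, even when validation then fails.
        if (parts == null || parts.Length != 2 || !Store.TryRemove(parts[0], out e)) return false;
        if (e.Expires < DateTime.UtcNow || !SameBytes(e.Hash, Hash(parts[1]))) return false;
        FormsAuthentication.SetAuthCookie(e.User, false);  // 3. give the user a FormsAuthentication ticket
        Issue(ctx, e.User);                                // rotate: fresh token for the next visit
        return true;
    }
}
```

The ticket set by `SetAuthCookie` takes effect on the next request, so the caller would normally redirect after a successful `TryAutoLogin`.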

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow