Timeout after inactivity

Apr 28, 2014 at 6:13 PM
I am using ASP.NET Identity version 1, and I have configured CookeAuthentication with the following code in Startup.Auth.cs. This automatically logs the user out if they are inactive for more than 60 minutes, and redirects them back to the login page. That works fine, but I would like to display a message on the login screen when that happens, so the user knows why they were logged out. Ideally, the redirect would just append a URL parameter to the end of the URL, similar to the ReturnUrl parameter (i.e. ~/Account/Login?SessionExpired=1)

I don't see any obvious way to accomplish this. My original thought was that I could write my own authorization filter and check the expiration date of the cookie whenever a request is made, but in examining the cookies, the cookie is actually set as a "session" cookie rather than one with an expiration date.

Is there anything exposed in the ASP.NET Identity version1 that would allow me to display a message when this happens?

public partial class Startup
    // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
    public void ConfigureAuth(IAppBuilder app)

        // Enable the application to use a cookie to store information for the signed in user
        app.UseCookieAuthentication(new CookieAuthenticationOptions
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            LogoutPath = new PathString("/Account/Logout"),
            ExpireTimeSpan = System.TimeSpan.FromMinutes(60),

            SlidingExpiration = true,
            CookieName = "LoginCookie"
        // Use a cookie to temporarily store information about a user logging in with a third party login provider

        // Uncomment the following lines to enable logging in with third party login providers
        //    clientId: "",
        //    clientSecret: "");

        //   consumerKey: "",
        //   consumerSecret: "");

        //   appId: "",
        //   appSecret: "");

Apr 28, 2014 at 6:36 PM
@pgaule: In the Startup class I tried new PathString("/Account/Login/1") and the Login action was defined as Login(string id,string returnurl) and it was bound correctly. This might be a work around so that you are unblocked currently
Apr 28, 2014 at 6:47 PM
But there are two reasons why a user could get directed to the login page:

1.) They have not logged in yet
2.) They were logged in but their session expired

If I implemented that "workaround", I don't see how I could distinguish between each case. The user would be directed to /Account/Login/1 in both cases.

So, let me rephrase my question to be more clear...is there any way to determine that a user has been logged out because their session expired?
Apr 29, 2014 at 5:50 PM
Got it. The OWIN cookiemiddleware intercepts the cookies in the browser and rejects it if it is expired. Refer to the AuthenticateCoreAsync method in https://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security.Cookies/CookieAuthenticationHandler.cs class. You might want to plugin you custom middleware that intercepts the cookie and then takes appropriate action if it is expired. Identity does not provide any out of the box solution for this, since this is handled in the OWIN middleware
Apr 29, 2014 at 11:03 PM
Thanks for the response...that makes sense.

I didn't really want to mess with re-writing any of the owin stuff so I just implemented a cookie/javascript solution that works alongside my authentication system. It tracks the user's activity on the site and will give them a warning after a certain period of inactivity. If they don't respond, they get logged out of the site. I used this jquery plugin to accomplish this -> https://github.com/Epilgrim/jquerySessionTimeoutHandler

This isn't a fool-proof solution, but the owin authentication will still kick them out after a certain period of inactivity if they manage to bypass it.