
2 Factor Remember Browser Cookie expiration not set correctly

description

I am having trouble with the Two Factor Remember Browser Cookie. I downloaded the tutorial available here: http://www.asp.net/mvc/overview/security/aspnet-mvc-5-app-with-sms-and-email-two-factor-authentication, but even when I select "Remember Browser" at the verify code page, the cookie is set to expire at the end of the browser session. The only way to get the cookie to NOT expire on browser close is to set both the login and phone code remember options to true. Furthermore, when I do select both remember options, the cookies are set to expire in 2 weeks (the default for ExpireTimeSpan in CookieAuthenticationOptions defined in Startup.Auth.cs), even though I have set ExpireTimeSpan to 30 days.

Just to be sure, I also created a brand new Visual Studio 2013 MVC 5 Project with individual accounts and updated all of my packages through the Nuget Package Manager. According to Nuget, I have the following packages and versions:
  • Microsoft.AspNet.Identity.Core v 2.2.1
  • Microsoft.AspNet.Identity.EntityFramework v 2.2.1
  • Microsoft.AspNet.Identity.Owin v 2.2.1
  • Microsoft.Owin.Host.SystemWeb v 3.01
  • Microsoft.Owin.Security.Cookies v 3.0.1
  • Microsoft.Owin.Security v 3.0.1
  • Microsoft.Owin v 3.0.1
  • OWIN v 1.0
Selecting only the "Remember Browser" check box still sets the Two Factor Remember Browser Cookie to expire at the end of the browser session.

It would be useful if the Remember Browser was set correctly without having to also select Remember Me in the login page. Also, if I do have to select both remember options, it would be nice if the cookie expiration dates for each were independent of each other. For example, I would set it so that the username and login expires sooner than the phone code, but I understand that is probably a matter of personal preference.

P.S. Stackoverflow questions:

comments

kerr_peter wrote May 22, 2015 at 10:49 AM

I too have this problem, and would like to hear how exactly it's meant to work - thanks

kerr_peter wrote Jun 16, 2015 at 2:09 PM

Any update on this?

BennyM wrote Jun 17, 2015 at 10:57 AM

Issue is also posted here: https://github.com/aspnet/Identity/issues/309#issuecomment-112449221

I was able to hack my way around this.

codesmithery wrote Sep 13, 2015 at 10:17 PM

The way the current code is set up to expire the 2FA in 14 days is going to cause serious blowback by the users who are using my web application. They are professional athletes who do understand security and don't really care. However, some security needs to be in place to prevent unwanted eyes within team portals. It is bad enough to expire their passwords every so often (hell, I don't know many people who like that feature, especially when it is coupled with "don't try to use your last 1000 passwords"!). Now, implementing 2FA with a frequency of 2 weeks, oh boy am I glad I am on this side of the pond and not the other where they would rip me apart.

This should be settable. Some teams will want a certain period, others more frequent or less frequent. I am just glad these guys ride bikes and don't wield baseball bats.

DeluxZ wrote Jul 12, 2016 at 5:45 PM

Any updates on this?

I need a way to remember the 2FA for like 30 days with SlidingExpiration but I don't want to remember the user for 30 days. I want the ApplicationCookie to expire at session (it's a financial app so security is important).

I seem to bump against this issue.
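Configuring the two cookies with independent lifetimes, as asked for in the description (a 30-day remember-browser cookie that is persistent without "Remember Me") and in DeluxZ's comment (30-day sliding 2FA cookie, login cookie left at browser-session length), can be done in Startup.Auth.cs. The code below is an added example written for this thread, not code from the original post or from the ASP.NET Identity project. It targets the Identity 2.2.1 / Microsoft.Owin.Security.Cookies 3.0.1 packages listed above and uses the default MVC 5 template's ApplicationDbContext, ApplicationUserManager, ApplicationSignInManager and ApplicationUser types. The OwnLifetime helper is mine, and it rests on an assumption that this page does not state: that Katana hands every cookie middleware the same AuthenticationProperties instance for one SignIn call and only fills in ExpiresUtc when it is still unset, so the first cookie written fixes persistence and expiry for both.

```csharp
// Startup.Auth.cs: give the two-factor "remember browser" cookie its own persistence and lifetime.
// Added example for this thread; not the ASP.NET Identity template's own file.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Template wiring for the per-request context, user manager and sign-in manager.
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        // Login cookie: honours the "Remember Me" box (forcePersistent: null) and keeps its own lifetime.
        // Pass forcePersistent: false instead to make it a browser-session cookie regardless of the box.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            ExpireTimeSpan = TimeSpan.FromHours(8),
            SlidingExpiration = true,
            Provider = OwnLifetime(forcePersistent: null,
                onValidateIdentity: SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)))
        });

        // Carries the user id from the password step to the code step; five minutes is enough.
        app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));

        // The template's app.UseTwoFactorRememberBrowserCookie(...) exposes no ExpireTimeSpan, so the same
        // cookie is registered through UseCookieAuthentication with an explicit 30-day sliding lifetime.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie,
            CookieName = CookieAuthenticationDefaults.CookiePrefix + DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie,
            AuthenticationMode = AuthenticationMode.Passive,
            ExpireTimeSpan = TimeSpan.FromDays(30),
            SlidingExpiration = true,
            // Always persistent: ticking "Remember Browser" alone should survive closing the browser.
            Provider = OwnLifetime(forcePersistent: true, onValidateIdentity: null)
        });
    }

    // Builds a provider whose OnResponseSignIn detaches this cookie from the AuthenticationProperties
    // that the other cookies issued in the same request receive. Assumption (not stated on the page):
    // Katana shares one AuthenticationProperties instance across the cookie middlewares for a single
    // SignIn call and only computes ExpiresUtc when it is still unset; if so, that is why the first
    // cookie written dictated both the 14-day expiry and the "Remember Me" persistence in the report.
    private static CookieAuthenticationProvider OwnLifetime(
        bool? forcePersistent,
        Func<CookieValidateIdentityContext, Task> onValidateIdentity)
    {
        var provider = new CookieAuthenticationProvider
        {
            OnResponseSignIn = ctx =>
            {
                // Work on a copy so the other cookie's settings are not changed as a side effect.
                var own = new AuthenticationProperties(new Dictionary<string, string>(ctx.Properties.Dictionary));
                var issued = DateTimeOffset.UtcNow;
                own.IssuedUtc = issued;
                own.ExpiresUtc = issued.Add(ctx.Options.ExpireTimeSpan);   // this cookie's own ExpireTimeSpan
                if (forcePersistent.HasValue)
                {
                    own.IsPersistent = forcePersistent.Value;              // null keeps the caller's choice
                }
                ctx.Properties = own;
            }
        };
        if (onValidateIdentity != null)
        {
            provider.OnValidateIdentity = onValidateIdentity;              // keep the template's stamp check
        }
        return provider;
    }
}
```

After a successful code entry with "Remember Browser" ticked, the browser's cookie inspector should show the `.AspNet.TwoFactorRememberBrowser` cookie with a 30-day expiry while `.AspNet.ApplicationCookie` still follows the "Remember Me" choice; if the remember-browser cookie is still session-scoped, the assumption about the shared properties instance does not hold for the installed Katana version and the persistence must be set elsewhere.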

kerr_peter wrote Jul 13, 2016 at 12:15 PM

Never got any official feedback - the Stack Overflow questions give some workarounds

DeluxZ wrote Jul 13, 2016 at 1:10 PM

Those workarounds didn't seem to work for me unfortunately.