Can't set 2 auth cookies with different expirations

Oct 21, 2014 at 12:32 AM
Edited Oct 21, 2014 at 12:41 AM
I'm trying to port a homemade auth system to Identity. I need to support 2 "layers" of authentication. When a user logs in, I want to set a permanent cookie and a session-only cookie. The permanent cookie lets me show him, on future visits, trivial messages/pages like "welcome [name]" or recommendations, and the session-only cookie is required for more secure pages like checking his account or buying something. Exactly what Amazon does, in fact.

Someone told me to solve this by managing 2 OWIN cookies, so that's what I tried. I have 2 UseCookieAuthentication calls in my startup class:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Auth/Login")
    });
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        ExpireTimeSpan = new TimeSpan(0, 10, 0),
        CookieName = "SecureSession",
        AuthenticationType = "SecureSession",
        AuthenticationMode = AuthenticationMode.Passive
    });
And when the user logs in, I do 2 sign-ins:

    AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = model.RememberMe }, identity.Result);
    AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = false }, new ClaimsIdentity("SecureSession"));

This effectively issues 2 cookies, as it should, but both are permanent; or, depending on model.RememberMe, both are session-based. It seems Identity takes the expiration of the first cookie and uses it for all the others.

Is there a way around this problem, or another way to achieve what I want?

Thanks!
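One way to keep the SecureSession cookie session-only, as an added example that is not from this thread: the Katana AuthenticationManager merges both SignIn calls of a single request into one response grant that keeps the first call's AuthenticationProperties, so the second cookie middleware is handed the RememberMe setting as well. The SecureSession middleware below uses the cookie provider's OnResponseSignIn hook to replace the properties it receives with its own non-persistent ones, so the high-privilege cookie never gets an Expires attribute whatever the first sign-in asked for. The Startup class name and the HTTPS-only cookie setting are assumptions; the two SignIn calls from the post stay unchanged.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical startup class; only the SecureSession options differ from the post.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Long-lived, low-privilege cookie: persistence follows the RememberMe choice.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Auth/Login"),
            CookieHttpOnly = true
        });

        // Short-lived, high-privilege cookie. Both SignIn calls in one request share
        // a single AuthenticationProperties instance, so this middleware swaps in its
        // own properties instead of trusting (or mutating) the shared ones.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "SecureSession",
            CookieName = "SecureSession",
            AuthenticationMode = AuthenticationMode.Passive,
            ExpireTimeSpan = TimeSpan.FromMinutes(10),
            SlidingExpiration = false,               // hard 10-minute ticket lifetime
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always, // assumption: site is served over HTTPS
            Provider = new CookieAuthenticationProvider
            {
                OnResponseSignIn = ctx =>
                {
                    var issued = DateTimeOffset.UtcNow;
                    ctx.Properties = new AuthenticationProperties
                    {
                        IsPersistent = false,  // no Expires attribute: browser drops it on close
                        IssuedUtc = issued,
                        ExpiresUtc = issued.Add(ctx.Options.ExpireTimeSpan) // ticket still expires
                    };
                }
            }
        });
    }
}
```

To check the result, log in with RememberMe ticked and inspect the response headers: the application cookie's Set-Cookie line should carry an expires= attribute while the SecureSession line should not, and the SecureSession ticket should stop validating about ten minutes after login even though the browser still sends it.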