ASP.NET OIDC Session Lifetimes: Managing Authentication and Expiry

Alex,

OIDC authentication in ASP.NET Core introduces a multilayered system of session lifetimes. It’s not just about logging in and out—it’s about managing user state across browser sessions, tokens, and cookies. Without understanding how these lifetimes interact, users may be logged out unexpectedly or kept signed in longer than desired.

This article breaks down the mechanisms that control session duration in ASP.NET Core when using OpenID Connect (OIDC), helping you configure and troubleshoot authentication with precision.

Authentication Lifetimes in ASP.NET Core OIDC

ASP.NET Core OIDC authentication involves three key components that manage how long a session lasts:

  1. Cookie Expiration
  2. Token Expiration (ID token, Access token, Refresh token)
  3. OIDC Provider Session State

Each layer influences user experience differently. Ignoring one leads to gaps in security or usability.

1. Cookie Authentication Lifetime

ASP.NET Core uses cookie authentication to persist the user’s identity once authenticated via OIDC.

  • Default Behavior: The CookieAuthenticationOptions.ExpireTimeSpan determines how long the auth cookie is valid.
  • Sliding Expiration: If SlidingExpiration = true, the cookie gets renewed with each request, resetting the expiration window.
  • Absolute Expiration: Without sliding expiration, the cookie expires after the defined ExpireTimeSpan, regardless of activity.

Sample Configuration:

services.ConfigureApplicationCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
    options.SlidingExpiration = true;
});

Make sure this aligns with your identity provider’s token expiry—if the cookie outlives the token, re-authentication fails silently.

2. ID Token and Access Token Lifetimes

Tokens come from the OIDC provider (e.g., Azure AD, Auth0, IdentityServer).

  • ID Token confirms the user identity. Its expiry often aligns with a session timeout.
  • Access Token is for API authorization. Usually short-lived.
  • Refresh Token (if enabled) can request new access tokens without prompting the user.

Key Points:

  • No built-in token refresh in ASP.NET Core middleware.
  • Tokens expire based on provider configuration, often 60 minutes for access tokens.
  • Middleware does not auto-refresh tokens—manual intervention is needed.

To manage token expiry effectively, ensure that the middleware signs users out when tokens expire, or refresh them through an external mechanism.

3. OIDC Provider Session Lifetime

OIDC providers maintain a session independent of the ASP.NET application. This is what determines if re-authentication requires credentials.

For instance:

  • Azure AD: Keeps a session cookie in the browser. Even if the ASP.NET app signs out, the user might get logged in silently due to an active session at the provider.
  • IdentityServer: Session duration is configurable and often used in conjunction with a front-channel logout.

OIDC providers may also support session management features such as check_session_iframe or prompt=login to force credential re-entry.

Configuring ASP.NET Core for Predictable Authentication Flow

Step-by-Step:

  1. Set Cookie Expiration Intentionally
    • Align with token lifespan.
    • Choose between sliding vs. absolute based on security needs.
  2. Control Token Expiry at the Provider
    • Use provider settings to define token lifetimes.
    • Shorten for sensitive apps; lengthen for usability in trusted environments.
  3. Force Logout Across the Stack
    • Implement back-channel logout or front-channel logout.
    • Clear local cookies and initiate sign-out at the provider (/logout endpoint).
  4. Handle Expired Tokens Gracefully
    • Middleware won’t refresh tokens automatically.
    • Use OpenIdConnectEvents.OnTokenValidated or OnAuthorizationCodeReceived to hook custom logic.

Testing Session Expiry Scenarios

To ensure reliability:

  • Simulate idle time by disabling sliding expiration.
  • Force early token expiry in the identity provider settings.
  • Test across multiple devices and tabs to confirm session boundaries.
  • Use prompt=login during authentication to bypass silent login.

Preventing Unexpected Logouts

A common pitfall is mismatched cookie and token lifetimes. If the ASP.NET cookie remains valid while tokens expire, API calls may fail without a clear redirect. Address this by syncing cookie expiry to token expiration and enforcing token validation in middleware.

Another edge case is browser session resumption. If the provider has a persistent session, a user may get logged in again silently after app logout. To prevent this, use prompt=login or clear the provider’s session explicitly.

Summary Tips

  • Always set a cookie expiration, and match it with token expiry.
  • Don’t assume the provider will prompt for credentials after logout.
  • Use middleware events to handle re-authentication logic.
  • Test with both active and expired sessions regularly.

Fine-tuning these layers ensures predictable authentication behavior and minimizes session-related bugs.

Cybersecurity & Digital Trust

Leave a Reply

Your email address will not be published. Required fields are marked *