ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,192 questions
Cookie(OICD authentication) is not removed when Browser is closed in ASP.NET Core App
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 4%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Tapsa
0
Reputation points
Hello,
I have an older ASP.NET Core App that uses OICD Authentication and it's Cookie.
Problem is that when old .NET Core 2.1 was updated to .NET Core 3.1 that Cookie stayed to live in Browser although Browser was closed. E.g. Logging into App and then closing the Browser and then Logging again didn't succeeded.
Only way get rid of this problem is to delete Cookie by hand in Browser's Development tools.
I was thinking that problem might be in Application's Startup.cs file and it's Authentication and Cookie settings code.
Has anyone noticed that same problem when upgrading .NET Core 2.1 to .NET Core 3.1? What could be wrong in Authentication/Cookie code (code below) and what should be changed? Thanks!
services.AddAuthentication(options =>
{
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
options.Cookie = new Microsoft.AspNetCore.Http.CookieBuilder()
{
SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always,
HttpOnly = true,
SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None
};
})
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
options.Authority = Configuration.GetSection("AppConfiguration")["AADInstance"];
options.ClientId = Configuration.GetSection("AppConfiguration")["ClientId"];
options.ClientSecret = Configuration.GetSection("AppConfiguration")["ClientSecret"];
options.AuthenticationMethod = OpenIdConnectRedirectBehavior.FormPost;
options.SaveTokens = true;
options.Events.OnTicketReceived = c =>
{
// Note: OICD authentication does not produce refresh token.
// We need to request it separately
var accessTokenWithBackingRefreshToken = AuthContext.AcquireTokenAsync(options.ClientId,
new ClientCredential(options.ClientId, options.ClientSecret),
new UserAssertion(c.Properties.GetTokenValue("id_token"))).Result;
// Note: The refresh token is now stored to the token cache.
// Next the token stored in the authentication cookie
// is updated so that it can be used to access the token cache
// on consequtive requests.
c.Properties.UpdateTokenValue("id_token", accessTokenWithBackingRefreshToken.AccessToken);
return Task.CompletedTask;
};
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 90%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZL%3C/text%3E%3C/svg%3E)
Zhi Lv - MSFT 32,016 Reputation points Microsoft Vendor2023-03-16T05:57:02.83+00:00 Hi @Tapsa
From your code, it seems that you didn't set the cookie expired time, so it might use the default time.
You can try to use F12 developer Application tools to check the cookie expired time? Whether it has a fixed expired time or the Expires/Max-Age is session?
You can also try to change the Cookie expired time in the AddCookie() method, then after cookie expired, it will remove the cookie. code like this:
.AddCookie(options => { options.Cookie = new Microsoft.AspNetCore.Http.CookieBuilder() { SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always, HttpOnly = true, SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None, Expiration = TimeSpan.FromMinutes(5) //set cookie expired time }; options.ExpireTimeSpan= TimeSpan.FromMinutes(5); //set cookie expired time. options.SlidingExpiration=true; });Besides, in asp.net core cookie authentication, to remove the cookie when browser is closed, we can set the
IsPersistenttotrue,in this scenario, the cookie is created with a session-based lifetime, so after close the browser, it will auto remove the cookie, but in OIDC, I didn't find this property, so as a workaround, you can try to use the above method to set the cookie expired time. -
Tapsa 0 Reputation points
2023-03-21T18:34:18.7766667+00:00 Thank you for answer. Row: Expiration = TimeSpan.FromMinutes(5) //set cookie expired time
doesn't compile. I have Core 3.1. Any clue about that?
Sign in to comment