I set my cookie to expire after 20 minutes if no activity occurs; this 20 minutes is the max limit I am allowed to set on my cookie auth token. For example, the token refreshes when the user navigates from one page back to the home screen.
I have a problem where there is a particularly large form my users fill out, which can take > 20 minutes for the user to gather the data and fill out the form.
After 1 hour, a user completely fills out the form and hits save; they are hit with an auth expired error and lose their form's progress, which was an hour of work.
How I define my auth:
internal static IAppBuilder AddAuthentication(this IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    return app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        CookieName = "MyApplication.Auth.Cookies",
        CookieSecure = CookieSecureOption.Always,
        CookieSameSite = SameSiteMode.Lax,
        // The expiry only slides when a request reaches the server.
        SlidingExpiration = true,
        Provider = new CookieAuthenticationProvider
        {
            OnResponseSignIn = context =>
            {
                // 20-minute window, refreshable by later requests.
                context.Properties.AllowRefresh = true;
                context.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(20);
            },
            OnValidateIdentity = context =>
            {
                Log.Information("Cookie expiry: {expiry} for {url}", context.Properties.ExpiresUtc, context.Request.Uri);
                // Still valid: nothing to do.
                if (!(context.Properties.ExpiresUtc < DateTimeOffset.UtcNow)) return Task.FromResult(0);
                // Expired: send the user back through OpenID Connect sign-in.
                Log.Information("Cookie has expired: {expiry} at {utcNow}", context.Properties.ExpiresUtc, DateTimeOffset.UtcNow);
                context.OwinContext.Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
                return Task.FromResult(0);
            }
        }
    });
}
I am looking for any suggestions on how I can make this token refresh based on whether the user is actively clicking around and interacting with a form while they are not making any active calls to the backend.
Extra info: the app is a C# .NET 4.8 MVC app with a Vue/JS front end.
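One way to approach the question above, as an added example that is not part of the original post: the front end records user input locally and, on a timer, sends a single authenticated request only if input was seen since the last one, so the sliding cookie is refreshed by real activity and an untouched tab still times out. `KEEPALIVE_URL`, `createKeepAlive` and `attachToBrowser` are hypothetical names; the endpoint is assumed to be a no-op action on the same MVC app that requires the auth cookie.

```javascript
// Added example, not the poster's code. KEEPALIVE_URL is a hypothetical
// authenticated no-op endpoint on the same MVC app.
const KEEPALIVE_URL = '/session/keepalive';
const TICK_MS = 60 * 1000; // well under the 20-minute window from the post

// ping() must return a thenable resolving to true while the session is valid.
function createKeepAlive({ ping, onExpired }) {
  let active = false;   // user input seen since the last ping
  let expired = false;
  return {
    // Call from input handlers; no network traffic happens here.
    recordActivity() { active = true; },
    // Call on a timer. Returns what it decided, for logging and tests.
    tick() {
      if (expired) return 'expired';
      if (!active) return 'idle';       // no input: let the idle timeout run
      active = false;
      ping().then(
        (ok) => { if (!ok && !expired) { expired = true; onExpired(); } },
        () => { active = true; }        // network error: retry on next tick
      );
      return 'pinged';
    },
  };
}

// Browser wiring (skipped outside a browser).
function attachToBrowser(onExpired) {
  const keepAlive = createKeepAlive({
    onExpired,
    // redirect: 'manual' keeps a login redirect from being followed, so an
    // expired session shows up as a non-ok response.
    ping: () => fetch(KEEPALIVE_URL, {
      method: 'POST', credentials: 'same-origin', redirect: 'manual',
    }).then((res) => res.ok),
  });
  for (const type of ['keydown', 'input', 'pointerdown']) {
    document.addEventListener(type, keepAlive.recordActivity, { passive: true, capture: true });
  }
  setInterval(keepAlive.tick, TICK_MS);
  return keepAlive;
}

if (typeof document !== 'undefined') {
  // Constructed handler: keep the unsaved form so a re-login does not lose it.
  attachToBrowser(() => console.warn('Session expired; keep the draft and sign in again.'));
}
```

The cookie lifetime stays at 20 minutes; the refresh can trail the last real input by up to one tick, so a shorter `TICK_MS` keeps the effective idle timeout closer to the configured window.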