ASP.NET Identity Cookie Authentication Timeouts

If you are using cookie authentication in ASP.NET Identity 2.1, there are two timeout settings that look similar at first glance, validateInterval and ExpireTimeSpan:

 app.UseCookieAuthentication(new CookieAuthenticationOptions
 {
     AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
     LoginPath = new PathString("/Account/Login"),
     Provider = new CookieAuthenticationProvider
     {
         // Compare the cookie's security stamp with the user store once more than 15 minutes have passed since the cookie was issued
         OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
             validateInterval: TimeSpan.FromMinutes(15),
             regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
     },
     // Absolute 30 minute lifetime: the cookie middleware does not renew the cookie on activity
     SlidingExpiration = false,
     ExpireTimeSpan = TimeSpan.FromMinutes(30)
 });


CookieAuthenticationOptions.ExpireTimeSpan sets how long the issued cookie is valid. In the example above, the cookie is valid for 30 minutes from the time it was issued. Once those 30 minutes are up the user has to sign in again, because SlidingExpiration is set to false and the cookie middleware never renews the cookie on activity.

If SlidingExpiration is set to true, the cookie is re-issued with a fresh ExpireTimeSpan on any request that arrives after more than half of the window has elapsed (the middleware compares the time since the cookie was issued with the time remaining until it expires). For example, if the user logs in and then makes a second request 16 minutes later, the cookie is re-issued for another 30 minutes. If the user logs in and makes no further request until 31 minutes later, the cookie has already expired and the user is prompted to log in; sliding expiration only extends a session that is still active.

SecurityStampValidator Validation Interval

The validateInterval passed to SecurityStampValidator.OnValidateIdentity controls how often the security stamp in the cookie is checked against the user store: the check runs on the first request that arrives more than validateInterval after the cookie was issued, not on every request. This is not the same as checking the cookie's expiration, although a failed check has the same visible result, the user is signed out. When the check passes and a regenerateIdentity callback is supplied, the validator builds a fresh identity and signs the user in again; in the 2.x source it clears IssuedUtc and ExpiresUtc on the ticket first, so the cookie middleware re-issues the cookie with a full ExpireTimeSpan. With the settings above that means a user who makes any request between minute 15 and minute 30 gets another 30 minutes even though SlidingExpiration is false. Verify this against the version you ship if you rely on an absolute timeout.

The security stamp is a random value stored with the user. ASP.NET Identity regenerates it whenever a password is set or changed or an external login is added or removed, and you can rotate it yourself with UserManager.UpdateSecurityStampAsync. The stamp is copied into the identity as a claim when the cookie is issued, so any cookie issued before the change carries the old value and fails the comparison the next time the validateInterval check runs.

For a concrete example using the settings above (an unlikely sequence, but it gets the point across):

  1. The user signs in at workstation A at minute 0.
  2. The same user moves to workstation B and signs in there 10 minutes later.
  3. At the 12 minute mark the user changes their password at B, which rotates the security stamp.
  4. The user goes back to workstation A and makes a request at the 20 minute mark.
  5. That request arrives more than 15 minutes after cookie A was issued, so the validator compares the stamp in the cookie with the one now stored for the user. They differ, the cookie is rejected, and the user is signed out and prompted for credentials again. A request from A between minutes 12 and 15 would still have been accepted, because the check was not yet due.

When the user is signed out in this scenario it is different from the cookie timing out, because the 30 minute ExpireTimeSpan was never reached. The user is logged out because the validateInterval of SecurityStampValidator.OnValidateIdentity was set to 15 minutes and the stamp no longer matched when the check ran.
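To make the two rules concrete, here is a small C# model that replays the sliding expiration examples and the workstation A/B scenario above without a web host. It is an added example, not code from the original post or from Katana/ASP.NET Identity; the class and member names are this example's own, and it encodes only the rules described on this page (reject after ExpiresUtc; sliding re-issue when more than half the window has elapsed; stamp comparison once more than validateInterval has passed, with a passing check re-issuing the ticket):

```csharp
using System;

// Added example, not part of the original post or of the framework.
// Ticket models the authentication ticket carried in the cookie.
class Ticket
{
    public DateTime IssuedUtc;
    public DateTime ExpiresUtc;
    public string SecurityStamp;   // stamp claim copied from the user at sign-in
}

class CookieTimeoutModel
{
    public TimeSpan ExpireTimeSpan = TimeSpan.FromMinutes(30);
    public TimeSpan ValidateInterval = TimeSpan.FromMinutes(15);
    public bool SlidingExpiration = false;
    public string CurrentStamp = "stamp-1";   // value currently held in the user store

    public Ticket SignIn(DateTime nowUtc) => new Ticket
    {
        IssuedUtc = nowUtc,
        ExpiresUtc = nowUtc + ExpireTimeSpan,
        SecurityStamp = CurrentStamp
    };

    // Returns the ticket the browser holds after this request (possibly re-issued),
    // or null when the request is treated as unauthenticated.
    public Ticket Request(Ticket ticket, DateTime nowUtc, out string outcome)
    {
        if (ticket == null || nowUtc > ticket.ExpiresUtc)
        {
            outcome = "expired";
            return null;
        }
        TimeSpan elapsed = nowUtc - ticket.IssuedUtc;

        // Stamp check: runs inside the middleware's validate step, so a changed
        // stamp is rejected even on a request that would otherwise slide the cookie.
        if (elapsed > ValidateInterval)
        {
            if (ticket.SecurityStamp != CurrentStamp)
            {
                outcome = "rejected: stamp changed";
                return null;
            }
            outcome = "revalidated: stamp ok, ticket re-issued";
            return SignIn(nowUtc);   // regenerateIdentity path signs in again
        }

        // Sliding re-issue once time elapsed exceeds time remaining.
        if (SlidingExpiration && elapsed > ticket.ExpiresUtc - nowUtc)
        {
            outcome = "re-issued: sliding expiration";
            return SignIn(nowUtc);
        }

        outcome = "accepted";
        return ticket;
    }
}

static class Program
{
    static void Main()
    {
        var t0 = new DateTime(2015, 1, 1, 9, 0, 0, DateTimeKind.Utc);
        var model = new CookieTimeoutModel();   // 30 min absolute, 15 min validate
        string why;

        // Workstation scenario: A signs in at minute 0, B at minute 10.
        var cookieA = model.SignIn(t0);
        var cookieB = model.SignIn(t0.AddMinutes(10));

        // Minute 12: B changes the password, rotating the stamp. The default
        // template's ChangePassword action signs B in again, so B's new cookie
        // carries the new stamp.
        model.CurrentStamp = "stamp-2";
        cookieB = model.SignIn(t0.AddMinutes(12));

        cookieA = model.Request(cookieA, t0.AddMinutes(14), out why);
        Console.WriteLine("A @14: " + why);   // accepted: check not yet due
        cookieA = model.Request(cookieA, t0.AddMinutes(20), out why);
        Console.WriteLine("A @20: " + why);   // rejected: stamp changed
        cookieB = model.Request(cookieB, t0.AddMinutes(28), out why);
        Console.WriteLine("B @28: " + why);   // revalidated: 16 min since issue, stamp ok

        // Sliding example; the stamp check is pushed past expiry so only sliding fires.
        var sliding = new CookieTimeoutModel { SlidingExpiration = true, ValidateInterval = TimeSpan.FromHours(1) };
        var c = sliding.SignIn(t0);
        c = sliding.Request(c, t0.AddMinutes(16), out why);
        Console.WriteLine("sliding @16: " + why);   // re-issued, new window runs 16..46
        c = sliding.Request(c, t0.AddMinutes(47), out why);
        Console.WriteLine("sliding @47: " + why);   // expired
        Console.WriteLine("fresh @31: " + (sliding.Request(sliding.SignIn(t0), t0.AddMinutes(31), out why) == null ? why : "?"));   // expired
    }
}
```

The model deliberately checks the stamp before the sliding rule: in the middleware the validator runs during the same authenticate step, so a stale stamp wins over an otherwise valid sliding request.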

The differences

The difference is subtle at first glance but provides some real benefits, such as "sign out everywhere". It can be confusing, though, because the default ASP.NET Identity template only sets validateInterval, leaving ExpireTimeSpan hidden at its default of 14 days. Without some digging, a developer new to the ASP.NET Identity library might not immediately recognize that validateInterval is not the same as expiring cookies after a given time frame.
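The "sign out everywhere" benefit mentioned above is just a stamp rotation. The controller action below is an added example, not code from the original post or from the Identity library; it assumes the ASP.NET MVC 5 / Identity 2.1 default template types (ApplicationUserManager, ApplicationSignInManager, ApplicationUser) registered in Startup.Auth.cs, and the controller, action and redirect targets are this example's own:

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

// Added example, not from the original post. Assumes the default template's
// ApplicationUserManager / ApplicationSignInManager are registered per request.
[Authorize]
public class SessionsController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    private ApplicationSignInManager SignInManager
    {
        get { return HttpContext.GetOwinContext().Get<ApplicationSignInManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // POST /Sessions/SignOutEverywhere  (route and action name are this example's own)
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> SignOutEverywhere(bool keepThisSession = false)
    {
        var userId = User.Identity.GetUserId();

        // Rotating the stamp invalidates every cookie that embeds the old value.
        // A device is cut off on its first request that arrives more than
        // validateInterval after its cookie was issued (up to 15 minutes with
        // the settings above); until then its cookie is still accepted.
        var result = await UserManager.UpdateSecurityStampAsync(userId);
        if (!result.Succeeded)
        {
            return new HttpStatusCodeResult(500, string.Join("; ", result.Errors));
        }

        if (keepThisSession)
        {
            // This browser's cookie carries the old stamp too, so re-issue it now
            // with the new stamp instead of waiting for the check to reject it.
            var user = await UserManager.FindByIdAsync(userId);
            await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
            return RedirectToAction("Index", "Manage");
        }

        // Strict variant: this browser must log in again as well.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Login", "Account");
    }
}
```

Note the delay this design implies: other devices keep working until their next post-interval request, so a shorter validateInterval buys faster revocation at the cost of a user-store lookup on more requests.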

Display Session Expire Popup

Forms Authentication

ASP.NET MVC - How To Show A Popup Warning Before Session Timeout

Session Expires in ASP.NET WebForms

Session Expires (Use the [SessionAuthorize])

Microsoft Docs - Session Timeout Warning in ASP.NET

A JavaScript based single page app with a .NET backend that authenticates Azure AD users and calls the backend web API using access tokens, without using any SPA frameworks.

An ASP.NET MVC Web API protected by Azure AD that receives tokens from a client and uses ADAL to get tokens for calling the Microsoft Graph (for .NET 4.5)


ASP.NET Identity and OWIN


If the IsPersistent property of AuthenticationProperties is set to false, the browser receives a session cookie (no Expires attribute), which it discards when it is closed; the ticket inside the cookie still expires after ExpireTimeSpan on the server side.

If the "remember me" checkbox is checked, AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = true }, userIdentity); creates a persistent cookie whose expiration equals the ExpireTimeSpan configured in Startup.cs (14 days by default).

If the "remember me" checkbox is NOT checked, use AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = true, ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(30) }, userIdentity);. IsPersistent is still true, but an explicit ExpiresUtc is supplied, so the cookie middleware uses that value instead of the ExpireTimeSpan from CookieAuthenticationOptions in Startup.cs; the result is a persistent cookie that lives 30 minutes. One thing to verify in your version: when the SecurityStampValidator regenerates the identity after validateInterval, it clears IssuedUtc and ExpiresUtc before signing in again, so the re-issued cookie falls back to ExpireTimeSpan rather than the 30 minute ExpiresUtc supplied here.

public override async Task SignInAsync(ApplicationUser user, bool isPersistent, bool rememberBrowser)
{
    var userIdentity = await CreateUserIdentityAsync(user).WithCurrentCulture();
    // Clear any partial cookies from external or two factor partial sign ins
    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie, DefaultAuthenticationTypes.TwoFactorCookie);
    if (rememberBrowser)
    {
        var rememberBrowserIdentity = AuthenticationManager.CreateTwoFactorRememberBrowserIdentity(ConvertIdToString(user.Id));
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = isPersistent }, userIdentity, rememberBrowserIdentity);
    }
    else
    {
        //AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = isPersistent }, userIdentity); // original SignInManager line, replaced by the two branches below
        if (isPersistent)
        {
            // "Remember me": persistent cookie that lives for ExpireTimeSpan (14 days by default)
            AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = true }, userIdentity);
        }
        else
        {
            // No "remember me": still persistent, but with an explicit 30 minute ExpiresUtc
            AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = true, ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(30) }, userIdentity);
        }
    }
}