I am trying to configure a sliding expiration cookie in ASP.NET. I am expecting the cookie to appear in the Google Chrome developer tools cookie manager with an expiration date 5 minutes after authentication, but it shows as "Session" and never expires until the sign-out button is clicked. It does go away if the browser is closed.
Below is the code as it currently stands. The website uses SAML-based single sign-on authentication with the Kentor.AuthServices NuGet package (now known as Sustainsys.Saml2; we are behind in versions).

    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/signin"),
        CookieSecure = CookieSecureOption.SameAsRequest,
        ExpireTimeSpan = TimeSpan.FromMinutes(5),
        SlidingExpiration = true,
        Provider = new CookieAuthenticationProvider
        {
            OnApplyRedirect = ctx => { },
            OnResponseSignIn = context =>
            {
                context.Properties.AllowRefresh = true;
                context.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(5);
            }
        }
    });
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    Kentor.AuthServices.Configuration.Options.GlobalEnableSha256XmlSignatures();

The OnResponseSignIn block was recently added based on this MSDN answer: https://forums.asp.net/t/2121970.aspx?OWIN+Authentication+ExpireTimeSpan+not+working
I want the cookies to expire in a 30-minute inactive period. The above code is set to 5 for ease of testing.
The developer tools show the cookie expiration time. This is not directly related to the authentication token expiration time, which should in fact be correct for your code too.
As indicated by this comment, "The expiration information is stored in the protected cookie ticket", the token expiration time should take effect properly, even if you cannot see it in the developer tools, as it's encrypted inside the cookie itself.
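
One way to confirm the ticket lifetime server-side, as an added example that is not part of the original question or answer: the cookie middleware's `OnValidateIdentity` callback receives the ticket properties after the cookie has been unprotected, so they can be logged on each request. The method name `ConfigureCookieDiagnostics` and the use of `System.Diagnostics.Trace` are assumptions for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // Hypothetical method name; the options mirror the configuration in the question.
    public void ConfigureCookieDiagnostics(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/signin"),
            CookieSecure = CookieSecureOption.SameAsRequest,
            ExpireTimeSpan = TimeSpan.FromMinutes(5),
            SlidingExpiration = true,
            Provider = new CookieAuthenticationProvider
            {
                OnResponseSignIn = context =>
                {
                    // The lifetime written here goes into the protected ticket.
                    // The browser-visible cookie only carries an Expires attribute
                    // when Properties.IsPersistent is true; otherwise it is shown
                    // as "Session" in the developer tools.
                    Trace.TraceInformation(
                        "sign-in: ticket expires={0:o} persistent={1}",
                        context.Properties.ExpiresUtc,
                        context.Properties.IsPersistent);
                },
                // Called on each request that presents a ticket that could be
                // unprotected and has not expired. An expired ticket never
                // reaches this callback; the request is treated as anonymous.
                OnValidateIdentity = context =>
                {
                    Trace.TraceInformation(
                        "request: ticket issued={0:o} expires={1:o}",
                        context.Properties.IssuedUtc,
                        context.Properties.ExpiresUtc);
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

With sliding expiration enabled, the logged `issued` and `expires` values move forward once a request arrives after more than half of the window has elapsed, even though the browser still lists the cookie as a session cookie.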