Why does the authentication ticket expire after 30 minutes using WS-Federation?


I have the following code in the ConfigureServices method:

    using System;
    using System.IdentityModel.Tokens.Jwt;
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.WsFederation;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.IdentityModel.Tokens.Saml2;

    // FederationSettings, Sha1Provider and CustomSamlSecurityTokenHandler are the
    // asker's own types, defined elsewhere in the project.
    var federationSettings = new FederationSettings();
    this.Configuration.GetSection(nameof(FederationSettings)).Bind(federationSettings);

    // Development-only: ShowPII writes token contents into exception messages and logs.
    Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
    CryptoProviderFactory.Default.CustomCryptoProvider = new Sha1Provider();

    services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        sharedOptions.DefaultSignOutScheme = WsFederationDefaults.AuthenticationScheme;
    })
        .AddWsFederation(options =>
        {
            // false: the cookie's ExpireTimeSpan governs the ticket lifetime,
            // not the expiry of the SAML/JWT token issued by ADFS.
            options.UseTokenLifetime = false;
            options.SecurityTokenHandlers.Clear();
            options.SecurityTokenHandlers.Add(new CustomSamlSecurityTokenHandler());
            options.SecurityTokenHandlers.Add(new Saml2SecurityTokenHandler());
            options.SecurityTokenHandlers.Add(new JwtSecurityTokenHandler());
            // Development-only: allows the metadata document to be fetched over plain HTTP.
            options.RequireHttpsMetadata = false;
            options.Wtrealm = federationSettings.Realm;
            options.MetadataAddress = federationSettings.AdfsMetadataUrl;
        })
        .AddCookie(options =>
        {
            options.Cookie.Name = "AuthenticationCookie";
            options.ExpireTimeSpan = TimeSpan.FromDays(10);
            options.SlidingExpiration = true;
        });

If I set ExpireTimeSpan to 10 seconds the authentication ticket expires after 10 seconds, but it doesn't work if I set it to more than 30 minutes. How can I increase ExpireTimeSpan?

1 answer

By default the cookie is refreshed after 30 minutes on the next request to ensure the claims are up to date, assuming the security stamp hasn't changed; if it has changed, it'll sign out and clear the cookie instead. The CookieAuthenticationOptions class is used to configure the authentication provider options.

SecurityStampValidator validates your security stamp.

Your user store has to implement IUserSecurityStampStore.
You have to have a security stamp claim in your principal.

services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromSeconds(10));

If the user is logged in, this happens ~every 10 seconds, depending on the request rate. The server checks security stamps upon every request to the server (options.ValidationInterval = TimeSpan.FromSeconds(10)).
The cookie is valid for 10 days (options.ExpireTimeSpan = TimeSpan.FromDays(10)); it can be extended with options.SlidingExpiration = true; if the page is refreshed or navigated.
Do not run _userManager.UpdateSecurityStampAsync(user); this updates the security stamp, and the next options.ValidationInterval validation will fail.

SecurityStampValidatorOptions: invoked when the default security stamp validator replaces the user's ClaimsPrincipal in the cookie.
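The mechanism the answer describes (re-check a stamp claim against the store every ValidationInterval, re-issue the cookie if it matches, sign out if it does not), written out as an added example that is not part of the question or the answer and is not ASP.NET Core Identity's own SecurityStampValidator. It plugs into the cookie handler's OnValidatePrincipal event, so it also works in a WS-Federation setup like the one in the question that does not register Identity. ISecurityStampStore, InMemoryStampStore, the two claim type names and the AddStampValidatedCookie helper are assumptions made for this example; a real application would read the stamp from its user store and add the stamp claim to the principal when the WS-Federation sign-in completes (for instance in the OnSecurityTokenValidated event).

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical stamp source for this example; a real app reads the stamp from its user store.
public interface ISecurityStampStore
{
    Task<string?> GetStampAsync(string userId);
    void Rotate(string userId);   // simulates a password change / "sign out everywhere"
}

public sealed class InMemoryStampStore : ISecurityStampStore
{
    private readonly ConcurrentDictionary<string, string> _stamps = new();

    public Task<string?> GetStampAsync(string userId) =>
        Task.FromResult(_stamps.TryGetValue(userId, out var s) ? s : null);

    public void Rotate(string userId) => _stamps[userId] = Guid.NewGuid().ToString("N");
}

public static class StampValidation
{
    // Claim type names are assumptions for this example.
    public const string StampClaim = "urn:example:security-stamp";
    public const string ValidatedAtClaim = "urn:example:stamp-validated-at";

    // How often the store is consulted. Identity's SecurityStampValidatorOptions
    // defaults its equivalent ValidationInterval to 30 minutes.
    public static readonly TimeSpan ValidationInterval = TimeSpan.FromMinutes(5);

    public static async Task ValidateAsync(CookieValidatePrincipalContext ctx)
    {
        var principal = ctx.Principal;
        var userId = principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var stamp = principal?.FindFirst(StampClaim)?.Value;

        // A cookie without a stamp claim cannot be validated: treat it as revoked.
        if (principal is null || userId is null || stamp is null)
        {
            await RejectAsync(ctx);
            return;
        }

        // Skip the store lookup until ValidationInterval has elapsed; the time of
        // the last check rides inside the (encrypted, signed) cookie itself.
        var lastChecked = DateTimeOffset.TryParse(principal.FindFirst(ValidatedAtClaim)?.Value, out var t)
            ? t : DateTimeOffset.MinValue;
        if (DateTimeOffset.UtcNow - lastChecked < ValidationInterval)
            return;

        var store = ctx.HttpContext.RequestServices.GetRequiredService<ISecurityStampStore>();
        var current = await store.GetStampAsync(userId);

        // Stamp rotated or user unknown: the "sign out and clear the cookie" path.
        if (!string.Equals(current, stamp, StringComparison.Ordinal))
        {
            await RejectAsync(ctx);
            return;
        }

        // Stamp unchanged: record the check time and re-issue the cookie, so the
        // 10-day ExpireTimeSpan and sliding expiration keep governing its lifetime.
        var identity = (ClaimsIdentity)principal.Identity!;
        var previous = identity.FindFirst(ValidatedAtClaim);
        if (previous != null) identity.RemoveClaim(previous);
        identity.AddClaim(new Claim(ValidatedAtClaim, DateTimeOffset.UtcNow.ToString("O")));
        ctx.ShouldRenew = true;
    }

    private static async Task RejectAsync(CookieValidatePrincipalContext ctx)
    {
        ctx.RejectPrincipal();
        await ctx.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }
}

public static class StampValidationSetup
{
    // Hypothetical helper: the cookie registration from the question, plus the validator hook.
    public static IServiceCollection AddStampValidatedCookie(this IServiceCollection services)
    {
        services.AddSingleton<ISecurityStampStore, InMemoryStampStore>();
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.Name = "AuthenticationCookie";
                options.ExpireTimeSpan = TimeSpan.FromDays(10);
                options.SlidingExpiration = true;
                options.Events.OnValidatePrincipal = StampValidation.ValidateAsync;
            });
        return services;
    }
}
```

Two points worth checking against the symptom in the question. First, a stamp check that fails (no stamp claim in the principal, or a store that returns a different value than the one issued at sign-in) produces exactly the observed behaviour: the cookie works until the first validation after the interval, then the user is signed out regardless of ExpireTimeSpan. Second, the check time is kept in the cookie rather than in server memory, so it survives across instances and restarts; the cost is one store lookup per user per interval, and a revoked stamp is honoured within at most one interval, which is the trade-off the interval length sets.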