diff --git a/sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/AuthenticationController.cs b/sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/AuthenticationController.cs
index bf14e2d2e..a27103b30 100644
--- a/sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/AuthenticationController.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/AuthenticationController.cs
@@ -195,7 +195,25 @@ or Claims.Private.RegistrationId or Claims.Private.ProviderName
 OpenIddictClientOwinConstants.Tokens.BackchannelAccessToken or
 OpenIddictClientOwinConstants.Tokens.BackchannelIdentityToken or
 OpenIddictClientOwinConstants.Tokens.RefreshToken)
- .ToDictionary(pair => pair.Key, pair => pair.Value));
+ .ToDictionary(pair => pair.Key, pair => pair.Value))
+ {
+ // Set the creation and expiration dates of the ticket to null to decorrelate the lifetime
+ // of the resulting authentication cookie from the lifetime of the identity token returned by
+ // the authorization server (if applicable). In this case, the expiration date time will be
+ // automatically computed by the cookie handler using the lifetime configured in the options.
+ //
+ // Applications that prefer binding the lifetime of the ticket stored in the authentication cookie
+ // to the identity token returned by the identity provider can remove or comment these two lines:
+ IssuedUtc = null,
+ ExpiresUtc = null,
+
+ // Note: this flag controls whether the authentication cookie that will be returned to the
+ // browser will be treated as a session cookie (i.e destroyed when the browser is closed)
+ // or as a persistent cookie. In both cases, the lifetime of the authentication ticket is
+ // always stored as protected data, preventing malicious users from trying to use an
+ // authentication cookie beyond the lifetime of the authentication ticket itself.
+ IsPersistent = false
+ };
 
 context.Authentication.SignIn(properties, identity);
 return Redirect(properties.RedirectUri ?? "/");
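Review bot: The added `IssuedUtc = null`, `ExpiresUtc = null` and `IsPersistent = false` assignments look like no-ops in this OWIN controller, because the dictionary handed to `AuthenticationProperties` comes from what appears to be a key filter (the `… or OpenIddictClientOwinConstants.Tokens.RefreshToken)` alternatives feeding `.ToDictionary` in the context lines) that only keeps the redirect URI and token entries, so any issued/expires/persistent entries produced by the client handler are already gone before the object initializer runs; I believe Katana's setters simply remove the key on null/false, which makes the assignments redundant rather than wrong. That makes the new comment misleading for this sandbox: deleting the two lines would not re-bind the ticket to the identity token lifetime, since the expiry entry would still have to pass the key filter (or be copied from `result.Properties` explicitly). I'd either drop the assignments here or reword the comment to say they are kept for parity with the ASP.NET Core sandboxes and that, in these OWIN controllers, the lifetime binding is decided by the key filter above. The same applies to the OpenIddict.Sandbox.AspNet.Server hunk. The enclosing method and the `new AuthenticationProperties(…` expression start above the hunk.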
diff --git a/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthenticationController.cs b/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthenticationController.cs
index 58fc48614..f40c1fd83 100644
--- a/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthenticationController.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthenticationController.cs
@@ -86,7 +86,25 @@ or Claims.Private.RegistrationId or Claims.Private.ProviderName
 // If needed, the tokens returned by the authorization server can be stored in the authentication cookie.
 OpenIddictClientOwinConstants.Tokens.BackchannelAccessToken or
 OpenIddictClientOwinConstants.Tokens.RefreshToken)
- .ToDictionary(pair => pair.Key, pair => pair.Value));
+ .ToDictionary(pair => pair.Key, pair => pair.Value))
+ {
+ // Set the creation and expiration dates of the ticket to null to decorrelate the lifetime
+ // of the resulting authentication cookie from the lifetime of the identity token returned by
+ // the authorization server (if applicable). In this case, the expiration date time will be
+ // automatically computed by the cookie handler using the lifetime configured in the options.
+ //
+ // Applications that prefer binding the lifetime of the ticket stored in the authentication cookie
+ // to the identity token returned by the identity provider can remove or comment these two lines:
+ IssuedUtc = null,
+ ExpiresUtc = null,
+
+ // Note: this flag controls whether the authentication cookie that will be returned to the
+ // browser will be treated as a session cookie (i.e destroyed when the browser is closed)
+ // or as a persistent cookie. In both cases, the lifetime of the authentication ticket is
+ // always stored as protected data, preventing malicious users from trying to use an
+ // authentication cookie beyond the lifetime of the authentication ticket itself.
+ IsPersistent = false
+ };
 
 context.Authentication.SignIn(properties, identity);
 return Redirect(properties.RedirectUri ?? "/");
diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/AuthenticationController.cs b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/AuthenticationController.cs
index de3ec8ef3..19a47490f 100644
--- a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/AuthenticationController.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/AuthenticationController.cs
@@ -199,7 +199,24 @@ public async Task LogInCallback()
 // Build the authentication properties based on the properties that were added when the challenge was triggered.
 var properties = new AuthenticationProperties(result.Properties.Items)
 {
- RedirectUri = result.Properties.RedirectUri ?? "/"
+ RedirectUri = result.Properties.RedirectUri ?? "/",
+
+ // Set the creation and expiration dates of the ticket to null to decorrelate the lifetime
+ // of the resulting authentication cookie from the lifetime of the identity token returned by
+ // the authorization server (if applicable). In this case, the expiration date time will be
+ // automatically computed by the cookie handler using the lifetime configured in the options.
+ //
+ // Applications that prefer binding the lifetime of the ticket stored in the authentication cookie
+ // to the identity token returned by the identity provider can remove or comment these two lines:
+ IssuedUtc = null,
+ ExpiresUtc = null,
+
+ // Note: this flag controls whether the authentication cookie that will be returned to the
+ // browser will be treated as a session cookie (i.e destroyed when the browser is closed)
+ // or as a persistent cookie. In both cases, the lifetime of the authentication ticket is
+ // always stored as protected data, preventing malicious users from trying to use an
+ // authentication cookie beyond the lifetime of the authentication ticket itself.
+ IsPersistent = false
 };
 
 // If needed, the tokens returned by the authorization server can be stored in the authentication cookie.
diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthenticationController.cs b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthenticationController.cs
index 3a59d2581..593fad196 100644
--- a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthenticationController.cs
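Review bot: Once `ExpiresUtc` is nulled on the new side, the cookie ticket's lifetime is set entirely by the cookie handler, so the comment should name the options it now depends on instead of saying 'the lifetime configured in the options': `ExpireTimeSpan` and `SlidingExpiration` on `CookieAuthenticationOptions` (framework defaults apply if the sandbox does not set them). It is also worth one sentence that the local session can now outlive the identity provider's, because the identity token expiry is no longer enforced on the cookie; applications that need upstream-bounded sessions should keep the binding or re-check the principal in `OnValidatePrincipal`. Two wording nits in the same block: 'decorrelate' reads better as 'decouple', and `// browser will be treated as a session cookie (i.e. destroyed when the browser is closed)` fixes the missing period. The same comment block is added in the OpenIddict.Sandbox.AspNetCore.Server hunk. `LogInCallback` starts and ends outside the hunk.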
+++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthenticationController.cs
@@ -90,7 +90,24 @@ public async Task LogInCallback()
 // Build the authentication properties based on the properties that were added when the challenge was triggered.
 var properties = new AuthenticationProperties(result.Properties.Items)
 {
- RedirectUri = result.Properties.RedirectUri ?? "/"
+ RedirectUri = result.Properties.RedirectUri ?? "/",
+
+ // Set the creation and expiration dates of the ticket to null to decorrelate the lifetime
+ // of the resulting authentication cookie from the lifetime of the identity token returned by
+ // the authorization server (if applicable). In this case, the expiration date time will be
+ // automatically computed by the cookie handler using the lifetime configured in the options.
+ //
+ // Applications that prefer binding the lifetime of the ticket stored in the authentication cookie
+ // to the identity token returned by the identity provider can remove or comment these two lines:
+ IssuedUtc = null,
+ ExpiresUtc = null,
+
+ // Note: this flag controls whether the authentication cookie that will be returned to the
+ // browser will be treated as a session cookie (i.e destroyed when the browser is closed)
+ // or as a persistent cookie. In both cases, the lifetime of the authentication ticket is
+ // always stored as protected data, preventing malicious users from trying to use an
+ // authentication cookie beyond the lifetime of the authentication ticket itself.
+ IsPersistent = false
 };
 
 // If needed, the tokens returned by the authorization server can be stored in the authentication cookie.