#StackBounty: #reactjs #asp.net-core #cookies #identityserver4 Authentication cookie disappears in react SPA after some time

Bounty: 50

We have an SPA, written in React, with ASP.NET Core for hosting.

To authenticate the app, we are using IdentityServer4 and use a cookie. The client is configured according to the sample, described here: https://github.com/IdentityServer/IdentityServer4/tree/main/samples/Quickstarts/4_JavaScriptClient/src

For authenticating a user, everything works fine. The user is redirected to the login page. After signing in, the user is redirected to the SPA. The authentication cookie is set as expected with:

  • HttpOnly = true
  • Secure = true
  • SameSite = None
  • Expires / Max-age = one week from login time

In the ASP.NET Core project for the SPA, in Startup.cs, data protection is also configured as:

services.Configure<CookiePolicyOptions>(options =>
{
  options.CheckConsentNeeded = context => false;
  options.MinimumSameSitePolicy = SameSiteMode.None;
});

services.AddDataProtection()
  .PersistKeysToFileSystem(new DirectoryInfo(_sharedAuthTicketKeys))
  .SetApplicationName("SharedCookieApp");

Our issue:

After about 30 minutes, the authentication cookie (and only that one; the others remain) disappears from the browser automatically. Then the user has to sign in again. Why does this happen together with the SPA?

In another MVC application, the user has to sign in again when the cookie expires, as expected.

Update

In the meantime I discovered that the cookie, while requesting https://ourdomain/.well-known/openid-configuration after 30 minutes idle time, has lost the values of Domain, Path, Expires/Max-Age, HttpOnly, Secure and SameSite.None. Those values have definitely been set after signing in.
The response cookie has the value of Expires/Max-Age set to a time in the past and therefore the cookie will be dropped by the browser.

Does anyone have an idea why those values got lost after some time?
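
To pin down which response clears the cookie, the Set-Cookie headers from a captured trace can be classified as "set" or "delete" using the browser's expiry rules. This is an added example, not part of the original question; the capture entries, the cookie names `auth` and `other`, and the callback URL are constructed, and it does not identify why the server sends the deletion.

```javascript
// Added example; header values, cookie names and the callback URL are constructed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? '' : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs.filter(Boolean)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// A browser removes a cookie when Max-Age <= 0 or Expires is in the past.
// Max-Age takes precedence over Expires when both are present (RFC 6265).
function classify(header, now = new Date()) {
  const c = parseSetCookie(header);
  let expiresAt = null; // null means a session cookie (no expiry attribute)
  if (/^-?\d+$/.test(String(c.attrs['max-age']))) {
    expiresAt = new Date(now.getTime() + Number(c.attrs['max-age']) * 1000);
  } else if (typeof c.attrs.expires === 'string') {
    const t = Date.parse(c.attrs.expires);
    if (!Number.isNaN(t)) expiresAt = new Date(t);
  }
  return { name: c.name, expiresAt, deleted: expiresAt !== null && expiresAt <= now };
}

// Walk a capture (one entry per response) and report every deletion.
function findDeletions(capture, now) {
  const hits = [];
  for (const { url, setCookie } of capture) {
    for (const header of setCookie) {
      const r = classify(header, now);
      if (r.deleted) hits.push({ url, name: r.name, expiresAt: r.expiresAt.toISOString() });
    }
  }
  return hits;
}

const NOW = new Date('2021-03-01T10:30:00Z'); // constructed: 30 minutes after sign-in
const CAPTURE = [
  { url: 'https://ourdomain/callback', // constructed sign-in response
    setCookie: ['auth=constructed-value; expires=Mon, 08 Mar 2021 10:00:00 GMT; path=/; secure; samesite=none; httponly'] },
  { url: 'https://ourdomain/.well-known/openid-configuration',
    setCookie: ['auth=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=none; httponly',
                'other=1; path=/'] },
];
console.log(findDeletions(CAPTURE, NOW));
```
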

