U4-7821 - KeepUserLoggedIn with a long umbracoTimeOutInMinutes has logout issues

Created by Shannon Deminick 25 Jan 2016, 09:54:09 Updated by Shannon Deminick 09 Feb 2016, 09:34:50

Relates to: U4-7495

If you set KeepUserLoggedIn together with a high value such as 9999 for umbracoTimeOutInMinutes, the user will get logged out of the back office after a period of time (e.g. 30+ minutes). This seems to be due to the ticket not being renewed often enough, since by default it is only renewed at half the time of the umbracoTimeOutInMinutes value set.

We need to be able to have a long umbracoTimeOutInMinutes value so that the cookie and ticket persist for the specified period of time, but we need to ensure the ticket is renewed often enough that the user does not get logged out.

It would also be great to figure out why the user would get logged out, since in theory this shouldn't happen.

Comments

Shannon Deminick 02 Feb 2016, 11:14:13

Part of this issue could be how OWIN is working with cookies; this PR demonstrates a potential issue (though this is for ASPNETCORE... but it's the same code):

https://github.com/aspnet/Security/pull/286

I've logged an issue for the current OWIN Cookies project: https://katanaproject.codeplex.com/workitem/443, we'll see what they respond with. In the meantime, I've made this change to our UmbracoBackOfficeCookieAuthOptions class. This is used when the GetUserSeconds endpoint is called. Though, I can't see this being the exact cause, because the ticket will only get renewed halfway from 9999 (so around 500 minutes) and it seems the cookie is being terminated after about 30+ minutes.

I'm just running some tests locally to see if I can replicate. In the meantime, I have committed this change:

rev: 6583ff443973388bc2030769ab26fda550533889


Shannon Deminick 02 Feb 2016, 12:22:01

I can replicate the issue now; investigating.


Shannon Deminick 02 Feb 2016, 14:14:24

Ok, I have figured out the issue:

  • We have implemented IUserSecurityStampStore to track the security stamp for users in ASP.Net Identity
  • We use the SecurityStampValidator to force logout when the security stamp doesn't match the current user
  • This is by default configured to check every 30 minutes (this is configurable via code on startup if you override some identity settings)
  • The problem is, this will always force log out the user, because the security stamp stored in the db doesn't equal the security stamp associated with the current user's Claims
  • This is because I didn't realize that the security stamp claim type is hard-coded. We can work around this but have raised an issue: https://katanaproject.codeplex.com/workitem/444

To fix this we need to force this claim type into the user's current claim list. The cookie that we store stores the security stamp as the 'sessionId'; we weren't doing this before, so there's no way we could have set the security stamp claim based on the current user's cookie.
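
To make the comparison above concrete, here is an added example (not Umbraco's or ASP.NET Identity's own code) that models the stamp check SecurityStampValidator performs on each validation tick in C#. The claim type string, the in-memory stamp store standing in for IUserSecurityStampStore, and the user/stamp values are assumptions constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added illustration, not Umbraco's or ASP.NET Identity's code.
// Models the validator: read the stamp claim from the cookie identity and
// compare it with the stamp stored for that user. No claim => no match =>
// forced sign-out, which is the bug described in this issue.
static class SecurityStampCheck
{
    // ASP.NET Identity 2.x reads the stamp from a fixed claim type
    // (Constants.DefaultSecurityStampClaimType); the value here is assumed.
    public const string SecurityStampClaimType = "AspNet.Identity.SecurityStamp";

    // Constructed stand-in for the database-backed IUserSecurityStampStore.
    static readonly Dictionary<string, string> StoredStamps =
        new Dictionary<string, string> { { "admin", "stamp-A" } };

    // Returns true when the identity should stay signed in.
    public static bool ValidateIdentity(ClaimsIdentity identity)
    {
        var user = identity.Name;
        if (user == null || !StoredStamps.TryGetValue(user, out var stored)) return false;
        var claimed = identity.FindFirst(SecurityStampClaimType)?.Value;
        return claimed != null && string.Equals(claimed, stored, StringComparison.Ordinal);
    }

    // Builds the back-office identity from values carried in the auth cookie.
    // sessionId is where the stamp is kept; includeStampClaim toggles the fix
    // (before: claim never set; after: claim populated from sessionId).
    public static ClaimsIdentity IdentityFromCookie(string userName, string sessionId, bool includeStampClaim)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
        if (includeStampClaim) claims.Add(new Claim(SecurityStampClaimType, sessionId));
        return new ClaimsIdentity(claims, "UmbracoBackOffice");
    }

    static void Main()
    {
        // Before the fix: stamp only in sessionId, claim missing, so validation fails.
        Console.WriteLine(ValidateIdentity(IdentityFromCookie("admin", "stamp-A", false)));
        // After the fix: claim populated from the cookie, so validation succeeds.
        Console.WriteLine(ValidateIdentity(IdentityFromCookie("admin", "stamp-A", true)));
        // Stamp rotated in the store (e.g. password change): old cookie is rejected as intended.
        StoredStamps["admin"] = "stamp-B";
        Console.WriteLine(ValidateIdentity(IdentityFromCookie("admin", "stamp-A", true)));
    }
}
```

The third case shows the validator doing its real job: once the claim is present, only a genuinely rotated stamp signs the user out, rather than every 30-minute check.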


Shannon Deminick 02 Feb 2016, 14:16:39

For review:

  • Rev: 42a7ed6877fadec65f28c088b3b6b72b11d19941
  • Change KeepUserLoggedIn = true
  • Change umbracoTimeOutInMinutes = 9999
  • To test: go to AppBuilderExtensions.UseUmbracoBackOfficeCookieAuthentication and change the TimeSpan.FromMinutes(30) in the SecurityStampValidator.OnValidateIdentity call to something low for testing, such as TimeSpan.FromMinutes(2)
  • Clear your cookies
  • Log in to the back office
  • Don't do anything, just wait 2+ minutes
  • Click on a content node
  • You should remain logged in, and you should get another cookie issued in your response

DO NOT COMMIT the TimeSpan.FromMinutes(2) testing change!


Sebastiaan Janssen 02 Feb 2016, 14:40:03

Seems to work, let's see if @Knickerbocker can break it again ;-)


Nicholas Westby 02 Feb 2016, 17:13:45

@sebastiaan Ha. I'll try to find some time tonight to test it.


Nicholas Westby 03 Feb 2016, 05:54:43

@sebastiaan Looks like I couldn't find any time (super busy at work). Perhaps this weekend.


Nicholas Westby 07 Feb 2016, 20:12:24

So far so good. I spent a few hours on Friday developing in 7.3.7 without any logout issues.


Shannon Deminick 09 Feb 2016, 09:34:50

Great!


Priority: Normal

Type: Bug

State: Fixed

Difficulty: Normal

Backwards Compatible: True

Affected versions: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5

Due in version: 7.3.7

Sprint: Sprint 8
