use non-session cookies in bundle with an expiration date

gpcaretti · web-flow · commit 50779dfca4a4 · 2017-11-28T12:23:07.000+01:00
Many browsers do not clean up session cookies when you close them. So the rule of thumb must be: For having a consistent behaviour across all browsers, don't rely solely on browser behaviour for proper clean-up of session cookies. It is safer to use non-session cookies (IsPersistent == true) in bundle with an expiration date. See http://blog.petersondave.com/cookies/Session-Cookies-in-Chrome-Firefox-and-Sitecore/
diff --git a/src/AbpCompanyName.AbpProjectName.WebMpa/Controllers/AccountController.cs b/src/AbpCompanyName.AbpProjectName.WebMpa/Controllers/AccountController.cs
@@ -139,7 +139,21 @@ private async Task SignInAsync(User user, ClaimsIdentity identity = null, bool r
             }
 
             _authenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
-            _authenticationManager.SignIn(new AuthenticationProperties { IsPersistent = rememberMe }, identity);
+            // Many browsers do not clean up session cookies when you close them. So the rule of thumb must be:
+            // For having a consistent behaviour across all browsers, don't rely solely on browser behaviour for proper clean-up
+            // of session cookies. It is safer to use non-session cookies (IsPersistent == true) in bundle with an expiration date.
+            // See http://blog.petersondave.com/cookies/Session-Cookies-in-Chrome-Firefox-and-Sitecore/
+            if (rememberMe) {
+                _authenticationManager.SignIn(new AuthenticationProperties { IsPersistent = true }, identity);
+            } else {
+                _authenticationManager.SignIn(
+                    new AuthenticationProperties
+                    {
+                        IsPersistent = true,
+                        ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(int.Parse(System.Configuration.ConfigurationManager.AppSettings["AuthSession.ExpireTimeInMinutes.WhenNotPersistet"] ?? "30"))
+                    },
+                    identity);
+            }
         }
 
         private Exception CreateExceptionForFailedLoginAttempt(AbpLoginResultType result, string usernameOrEmailAddress, string tenancyName)
@@ -547,4 +561,4 @@ public PartialViewResult _AccountLanguages()
 
         #endregion
     }
-}
+}
