add cached on logout with revoke cookie identity key (#605)

* add cached on logout with revoke cookie identity key * properly signout as recommended : https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-5.0#react-to-back-end-changes * add remark regarding multi-host scenario * Update src/Web/Configuration/RevokeAuthenticationEvents.cs Co-authored-by: Steve Smith <steve@kentsmiths.com>
2021-11-01 14:49:53 +01:00
parent 68beb21f07
commit 5d34222f28
3 changed files with 64 additions and 7 deletions
--- a/src/Web/Configuration/ConfigureCookieSettings.cs
+++ b/src/Web/Configuration/ConfigureCookieSettings.cs
@@ -7,6 +7,9 @@ namespace Microsoft.eShopWeb.Web.Configuration
 {
    public static class ConfigureCookieSettings
    {
+        public const int ValidityMinutesPeriod = 60;
+        public const string IdentifierCookieName = "EshopIdentifier";
+
        public static IServiceCollection AddCookieSettings(this IServiceCollection services)
        {
            services.Configure<CookiePolicyOptions>(options =>
@@ -18,16 +21,20 @@ namespace Microsoft.eShopWeb.Web.Configuration
            });
            services.ConfigureApplicationCookie(options =>
            {
+                options.EventsType = typeof(RevokeAuthenticationEvents);
                options.Cookie.HttpOnly = true;
-                options.ExpireTimeSpan = TimeSpan.FromHours(1);
+                options.ExpireTimeSpan = TimeSpan.FromMinutes(ValidityMinutesPeriod);
                options.LoginPath = "/Account/Login";
                options.LogoutPath = "/Account/Logout";
                options.Cookie = new CookieBuilder
                {
+                    Name = IdentifierCookieName,
                    IsEssential = true // required for auth to work without explicit user consent; adjust to suit your privacy policy
                };
            });

+            services.AddScoped<RevokeAuthenticationEvents>();
+
            return services;
        }
    }