Is ticket renewal working as designed?

[IFYates]

Hi. I'm not raising this as an issue incase I've misunderstood, but I wonder if current expiration logic is as expected.

This article states that the cookie is re-issued:

with a new expiration time any time it processes a request which is more than halfway through the expiration window

It looks like this is achieved through setting _shouldRenew to true:

aspnetcore/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs

Line 108 in 4fdc35d

_shouldRefresh = true;

However, I can't see that this value ever goes false again, so every subsequent request causes a call to RenewAsync.

In my tests, setting the ExpireTimeSpan of the CookieAuthenticationOptions instance to (e.g.) 10 minutes correctly exposes the cookie on the creation response, and then not again until 5 minutes later. However, every response after that first 5 minutes includes the cookie with an updated expiry time.

It's not causing us any issues, but it seemed odd so thought I'd reach out.

Cheers

[Tratcher]

CookieAuthenticationHandler should be re-created per request so that should be resetting the _shouldRefresh field. If you're somehow re-using the CookieAuthenticationHandler across requests that would be bad.

[IFYates]

Thanks. That makes sense. That explains another issue we're seeing, all related to the token issue time being incorrect.