We currently have an Angular app that is connecting to a ServiceStack API and sending through cookies. We have a custom credentials provider that either accepts username/ password or an internal id. We noticed that when the internal id is sent through, occasionally the cookies are reject by the validation attribute. On further investigation, it looks like when the internal id is sent through, the ss-opt is set to temp.
Is this the code I need to force permanent cookies?
Also, what is the default expiration of the ss-id and ss-pid cookies?
ss-opt cookie just needs to be set to
ss-opt=perm, either set by client or server.
ss-id is a Temporary "Session Cookie", i.e. they don't have an expiry and expire "When the Session Ends" which usually meant when the browser is closed but some browsers like Chrome and Firefox "Restore last Session" feature will preserve session cookies.
Thanks for the quick response. Yes, this is our understanding as well. We noticed the base authentication attribute returning an Unauthorised error after a random time like 30 minutes. I have also confirmed that the browser session was not closed in the Angular app either.
When the user logs in, they do not set "Remember Me".
Do you recommend that we still set ss-opt=perm in this scenario?
That's up to you, but if you're going to give them the
RememberMe option you shouldn't contradict their preference by choosing to use the permanent cookie instead. That's what
RememberMe controls whether to save their session against their permanent
ss-pid or temporary
If you always want them to use the
ss-pid permanent cookie don't show them the option, just always send
ss-pid Cookie is set to expire in 20 years, it's only valid for how long their Authenticated UserSession is stored on the Server (i.e. ICacheClient). The
ss-pid Cookie gets cleared if
/auth/logout is explicitly called or if they clear their own Cookies.
This is a FYI:
Safari 12.1+ with Intelligent Tracking Prevention makes any client side cookie expire after 7 days, even if it is set to expire longer.
Will This Change Log Users Out?
Authentication cookies should be Secure and HttpOnly
to protect them against man-in-the-middle attacks, cross-site scripting
attacks, and speculative execution attacks. Cookies created through
document.cookie cannot be HttpOnly which means authentication cookies
should not be affected by the lifetime cap. If they are, you need to set
your authentication cookies in an HTTP response and mark them Secure
Only cookies created through document.cookie are affected by this change.The change covers cookies created in first-party contexts as well as in third-party iframes.Session cookies are not affected, they remain session cookies.Persistent cookies that have an expiry shorter than seven days keep their shorter expiry.
Thanks for the information.