Configure authentication expiration
Sitefinity uses several cookies and tokens, each with its own expiration time. Use the following procedures to configure them:
Relying party cookie
This is the cookie used for the authenticated user on the Relying party (.AspNet.Cookies).
To configure it, perform the following:
- Navigate to Administration » Settings » Advanced.
- In the left pane, expand Authentication and click RelyingParty.
- If you want to enable or disable sliding expiration, use the Authentication cookie sliding expiration checkbox.
By default this setting is enabled.
- You can also change the default expiration time in the Authentication cookie expiration time input field.
- Save your changes.
IdentityServer cookie
This is the cookie used for the authenticated user on the Security Token Service (idsrv).
To configure it, perform the following:
- Navigate to Administration » Settings » Advanced.
- In the left pane, expand Authentication and click SecurityTokenService » IdentityServer.
- Change the default expiration time in the Cookie remember me duration input field.
- Save your changes.
Security Token Service tokens
IdentityServer3 provides four types of tokens: Identity token, Access token, Refresh token, Authorization code. Their expiration times are configured per client application. To configure them, perform the following:
- Navigate to Administration » Settings » Advanced.
- In the left pane, expand Authentication » SecurityTokenService » IdentityServer » Clients.
- Choose the client you want to configure.
- Configure the tokens:
  - Identity token lifetime.
    Default is 300 seconds (5 minutes)
  - Access token lifetime.
    Default is 3600 seconds (1 hour)
  - Refresh token
    - Refresh token expiration - choose from Sliding or Absolute
    - Sliding refresh token expiration.
      Default is 1296000 seconds (15 days)
    - Absolute refresh token expiration.
      Default is 2592000 seconds (30 days)
  - Authorization code lifetime.
    Default is 300 seconds (5 minutes)
- Save your changes.
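
How the Sliding and Absolute refresh token settings above interact, as an added example (not Sitefinity or IdentityServer3 code): it assumes IdentityServer3's documented rule that each use of a sliding refresh token renews it by the sliding lifetime, but never past the absolute lifetime. RefreshToken and session_end are hypothetical names, and the refresh schedules are constructed.

```python
from dataclasses import dataclass

DAY = 86_400
SLIDING_DEFAULT = 1_296_000   # 15 days, default quoted on the page
ABSOLUTE_DEFAULT = 2_592_000  # 30 days, default quoted on the page


@dataclass
class RefreshToken:
    """Hypothetical model of one refresh token; all times are in seconds."""
    mode: str                      # "Sliding" or "Absolute"
    sliding: int = SLIDING_DEFAULT
    absolute: int = ABSOLUTE_DEFAULT
    created: int = 0               # issue time
    lifetime: int = 0              # validity measured from `created`

    def __post_init__(self):
        if self.mode not in ("Sliding", "Absolute"):
            raise ValueError(f"unknown expiration mode: {self.mode!r}")
        # A sliding token starts with the sliding window, an absolute one
        # with the full absolute lifetime.
        self.lifetime = self.sliding if self.mode == "Sliding" else self.absolute

    def expires_at(self) -> int:
        return self.created + self.lifetime

    def refresh(self, now: int) -> bool:
        """Use the token at `now`; return False if it has already expired."""
        if now >= self.expires_at():
            return False
        if self.mode == "Sliding":
            # Renew by the sliding window, capped at the absolute lifetime.
            self.lifetime = min(now - self.created + self.sliding, self.absolute)
        return True


def session_end(mode: str, refresh_times, **lifetimes) -> int:
    """Time at which the token stops working, given the client's refresh times."""
    token = RefreshToken(mode, **lifetimes)
    for now in sorted(refresh_times):
        if not token.refresh(now):
            break
    return token.expires_at()


if __name__ == "__main__":
    every_10_days = [10 * DAY, 20 * DAY, 30 * DAY, 40 * DAY]  # constructed schedule
    print(session_end("Sliding", every_10_days) // DAY)  # active client
    print(session_end("Sliding", [16 * DAY]) // DAY)     # client idle for 16 days
```

With the default values, a client that keeps refreshing is cut off at the absolute lifetime, while a client that stays idle longer than the sliding lifetime loses its token at that point.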