Expiration, Lifetime, and Settings

After successful authentication, the application creates a server side authentication cookie that holds an encrypted authentication ticket.

There are a few different settings for controlling the cookie and token expiration.

AuthCookieSlidingEpirationInMinutes:

This appSettings setting controls the lifetime of the cookie. If the client does not contact the server, the authentication cookie will expire and get deleted after AuthCookieSlidingEpirationInMinutes minutes. The expiration time is "sliding", meaning that whenever the client does contact the server, the cookie expiration is extended to another AuthCookieSlidingEpirationInMinutes minutes. If no other measurements were in place, this would mean that the client could keep refreshing the cookie indefinitely!

AuthTokenHardExpirationInMinutes:

To prevent the client from refreshing the cookie indefinitely, the AuthTokenHardExpirationInMinutes setting acts a maximum lifetime for the cookie. Even if the client tries to refresh the cookie, by making periodic requests to the server, the cookie (authentication ticket) will get rejected after AuthTokenHardExpirationInMinutes minutes and the cookie will get deleted.

JWT Expiration:

The authentication ticket (saved in the cookie) holds a People Planner JWT. This JWT has its own expiration timestamp. This means that even with the abovementioned mechanism of refreshing the cookie, the JWT will still expire and is not affected by the cookie refresh.

The lifetime of the JWT is controlled by the Maconomy coupling service security configuration. To change the JWT expiration of the token issued by Maconomy, edit the coupling service security configuration. Note that the coupling service must be restarted for the change to take effect.