2

We have created a VB.NET web app; it is secured with Azure AD easy auth.

The custom token policy has been created to log the user out after 20 minutes of inactivity, but the user always remains logged in for 8 hours.

Azure support have advised that this is because the session cookie used with easy auth overrides the token policy. They also advise this cannot be changed from 8 hours, which is far too long for a web app containing sensitive data.

Has anyone come across this or know of a workaround? As easy auth is “code-less” there seems to be nothing I can do in my project to affect this.

1 Answer

2

I think your Azure Support contact recently asked me about this case. Unfortunately the cookie lifetime is hard-coded at 8 hours. We can add support for making this configurable or to have it match the Azure AD token lifetime, but unfortunately it would take some time before such a change would be able to reach production.


2 Comments

Thanks Chris - I really appreciate you taking the time to get back to me on this. I think it would be a useful addition to be able to do this, particularly for apps containing sensitive information.
Have there been any changes regarding setup of the cookie lifetime? In my scenario I would like it to have as long a lifetime as possible.
