question

nitinpawar-8572 asked nitinpawar-8572 answered

OnAuthorization Is Not Getting Called while trying to access application after Session Timeout

I am working on a .NET Core 3.1 MVC project. I have added custom authorization using IAuthorizationFilter.

For testing purposes I have set the session timeout to one minute and added the configuration below in the ConfigureServices method of startup.cs.

// In Startup.ConfigureServices
services.AddAuthentication(x =>
{
    // JWT bearer is the default scheme for both authentication and challenge
    x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(x =>
{
    x.RequireHttpsMetadata = false;
    x.SaveToken = true;
    x.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(key)),
        ValidateIssuer = false,
        ValidateAudience = false
    };
}).AddCookie(options =>
{
    options.LoginPath = "/Account/login";
    options.AccessDeniedPath = "/Account/login";
    // Cookie lifetime of 10 seconds, shorter than the 1-minute session timeout
    options.ExpireTimeSpan = TimeSpan.FromSeconds(10);
});

However, after the session timeout, when I refresh the page I get the error page below (the typical 401 error page).

This page isn’t working
If the problem continues, contact the site owner.
HTTP ERROR 401

The constructor of the custom authorization class ALWAYS gets called; however, the public void OnAuthorization(AuthorizationFilterContext context) method does NOT get called after session timeout.

Please let me know how this can be resolved?

dotnet-aspnet-core-mvc

The configuration shows two authentication and authorization middleware services: Cookie and JWT. The authentication cookie expires in 10 seconds, which is what I assume causes the 401, since it expires before the Session's 1-minute timeout setting. When using two different authorization schemes you must set one as the default and/or assign an authorization scheme to an action/Razor Page.

I don't see where Session is configured or the custom filter is used. Can you explain how Session works in your authorization design?

You might be interested in these reference docs.
Authorize with a specific scheme in ASP.NET Core
Overview of ASP.NET Core authentication


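As an added illustration of the two points raised in this comment (one default scheme, and an explicit scheme per action), here is a ConfigureServices layout with the cookie as the default scheme and the JWT bearer scheme selected only where an action asks for it. This is example code written for this page, not code from the original poster; the signing key parameter, the controller names and the "CookieOrJwt" policy name are assumed placeholders.

```csharp
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AuthSetup
{
    // Call from Startup.ConfigureServices; 'key' is an assumed placeholder for the
    // symmetric signing key loaded from configuration.
    public static void Configure(IServiceCollection services, string key)
    {
        services.AddAuthentication(options =>
        {
            // Browser pages authenticate with the cookie. With the cookie as the
            // default challenge scheme an expired cookie redirects to LoginPath
            // instead of producing a bare 401 from the JWT handler.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.LoginPath = "/Account/login";
            options.AccessDeniedPath = "/Account/login";
            // Keep the cookie alive at least as long as the session it protects.
            options.ExpireTimeSpan = TimeSpan.FromMinutes(1);
            options.SlidingExpiration = true;
        })
        .AddJwtBearer(options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(key)),
                ValidateIssuer = false,
                ValidateAudience = false
            };
        });

        services.AddAuthorization(options =>
        {
            // Policy that accepts a principal produced by either scheme, for the
            // few endpoints that must serve both browser and API callers.
            options.AddPolicy("CookieOrJwt", policy => policy
                .AddAuthenticationSchemes(
                    CookieAuthenticationDefaults.AuthenticationScheme,
                    JwtBearerDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser());
        });
    }
}

// MVC controller protected by the default (cookie) scheme.
[Authorize]
public class HomeController : Controller
{
    public IActionResult Index() => View();
}

// API controller that requires a bearer token; a missing or expired token is
// answered with 401 by the JWT handler, which is the right behaviour for an API.
[ApiController]
[Route("api/[controller]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class OrdersController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "order-1" });
}

// Endpoint reachable through either scheme via the combined policy.
[Authorize(Policy = "CookieOrJwt")]
public class ReportsController : Controller
{
    public IActionResult Index() => View();
}
```

The scheme chosen as DefaultChallengeScheme decides what an unauthenticated browser sees: a cookie challenge redirects to LoginPath, a JWT bearer challenge writes a 401 with a WWW-Authenticate header, which matches the error page shown in the question.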

Hi @nitinpawar-8572,

From your code, you are configuring the application to use two authentication methods: JWT and Cookie. And by default, you are using the JWT authentication. If that's the case, after getting the token, how do you store it on the client side and add it to the next request? Can you share the related code?

I also created a custom authorization attribute and configured the application to use JWT and Cookie authentication; when I access the action method which uses the custom authorization attribute, it goes to the authorization method. So, can you post the related code for the custom Authorization attribute, and how you use it in your application?

nitinpawar-8572 answered

I am using custom authorization for user login management. Below is the code. The constructor of the class is getting called every time (even after session timeout); however, the method OnAuthorization(AuthorizationFilterContext context) is not getting called after session timeout.

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Attribute that resolves the filter through DI (TypeFilterAttribute)
public class CustomAuthorizeAttribute : TypeFilterAttribute
{
    public CustomAuthorizeAttribute() : base(typeof(CustomAuthorizeFilter))
    {
    }
}

public class CustomAuthorizeFilter : IAuthorizationFilter
{
    // Called every time, even after session timeout
    public CustomAuthorizeFilter()
    {
    }

    // Not reached after session timeout
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        // Logic to authenticate user based on context
    }
}


I want OnAuthorization(AuthorizationFilterContext context) to be called even after session timeout; this is the only requirement. Please advise.


nitinpawar-8572 answered

This has been resolved. The code below was creating the issue (not sure of the reason behind it). Removed the same.

services.AddControllersWithViews(options =>
{
    // Global authorization filter requiring an authenticated user on every action
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});

Thanks all for your advice.

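The reason the removed code mattered, and an added example (not the poster's code) of a custom filter that covers the expired-session case itself: every filter in the pipeline is instantiated before the authorization stage runs, which is why the constructor was always called. Authorization filters then execute in order, global scope first, and as soon as one of them sets context.Result the remaining authorization filters are skipped. The global AuthorizeFilter built from RequireAuthenticatedUser() sees an expired cookie, sets a ChallengeResult, and the action-level CustomAuthorizeFilter never runs. The example below registers the custom filter as the global authorization filter instead; the "login_state" claim and the AccountController are assumed placeholders.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Authorization filter that handles the expired-session case itself instead of
// relying on a global AuthorizeFilter to do it first.
public class CustomAuthorizeFilter : IAuthorizationFilter
{
    private readonly ILogger<CustomAuthorizeFilter> _logger;

    public CustomAuthorizeFilter(ILogger<CustomAuthorizeFilter> logger)
    {
        _logger = logger;
    }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        // Skip endpoints marked [AllowAnonymous], such as the login page itself;
        // otherwise the challenge below would redirect in a loop.
        if (context.ActionDescriptor.EndpointMetadata.OfType<IAllowAnonymous>().Any())
        {
            return;
        }

        var user = context.HttpContext.User;
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
        {
            // No valid cookie (expired or never issued): challenge the cookie scheme
            // explicitly so the browser is redirected to LoginPath rather than
            // receiving a bare 401 from the JWT default challenge.
            _logger.LogInformation("Unauthenticated request to {Path}; challenging cookie scheme",
                context.HttpContext.Request.Path);
            context.Result = new ChallengeResult(CookieAuthenticationDefaults.AuthenticationScheme);
            return;
        }

        // Application-specific check. "login_state" is a hypothetical claim name
        // standing in for whatever the login-management logic records at sign-in.
        if (!user.HasClaim(c => c.Type == "login_state" && c.Value == "active"))
        {
            _logger.LogWarning("User {Name} is authenticated but not in an active login state",
                user.Identity.Name);
            context.Result = new ForbidResult(CookieAuthenticationDefaults.AuthenticationScheme);
        }
    }
}

public static class MvcSetup
{
    // Call from Startup.ConfigureServices in place of the AuthorizeFilter registration.
    public static void Configure(IServiceCollection services)
    {
        services.AddControllersWithViews(options =>
        {
            // Registering the custom filter globally (resolved through DI so the
            // logger is injected) keeps the expired-session handling in one place.
            // Only one authorization filter decides, so nothing short-circuits it.
            options.Filters.Add<CustomAuthorizeFilter>();
        });
    }
}

// With the filter registered globally, [AllowAnonymous] is the only per-action
// annotation needed.
public class AccountController : Controller
{
    [AllowAnonymous]
    public IActionResult Login() => View();
}
```

If the global AuthorizeFilter has to stay for other reasons, the custom filter can be given a lower Order value so it runs first, but then it must make the challenge decision itself as above; a filter that runs after a filter that has already set context.Result is never invoked.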