I have an ASPNetCore MVC + AspNetIdentity + EF web app which I can log in to as an authenticated user (i.e., standard AspNetIdentity demo). The app also hosts a Blazor SPA app (server side) as a child page. I use this SPA app as the application's "Dashboard". Everything is working great in that I can log in to the MVC app using the default AspNetIdentity Login UI, and then navigate from my MVC home page to the Blazor SPA Dashboard page, and from the SPA Dashboard page back to the main MVC home page again. I like this because it allows me to cleanly separate the "static" pages portion of my MVC application from the code-intensive Dashboard portion in the form of a C# Blazor SPA. As someone who never bothered to learn JavaScript, needless to say, I am a happy monkey with this web app pattern.
However, I want to automatically time out the session if it has been idle for say 5 minutes. This is done by setting the application cookie timeout as in:
```csharp
// Configure the application cookie (controls the user's session) timeout
services.ConfigureApplicationCookie(options =>
{
    // Auth cookie lifetime: 300 seconds = 5 minutes
    options.ExpireTimeSpan = TimeSpan.FromSeconds(300);
});
```
and works great in the MVC app in that if I leave the app idle on one of the MVC pages for more than 5 minutes, I get automatically logged out on next user activity (i.e., page request).
However, when I log in and then switch to one of the SPA Blazor pages and then allow the 5 minutes to pass, I can still click around within the SPA app's razor pages without being logged out. The SPA app doesn't know my authenticated user session has been timed out. This makes sense to me since Blazor is intercepting the page requests, runs server side code and then sends only the DOM diffs to the web browser via a WebSocket, and as such there is no classic HTTP "page request" to the server that would allow the principal to be validated in the MVC middleware leading to the authentication cookie being timed out and the user subsequently being logged out.
As you might expect, the moment I click the link to return to any of the MVC app pages from any Blazor SPA page, I am of course, immediately logged out (assuming 5 minutes have passed). But that is not enough. I need to be able to timeout an idled Blazor SPA application, from within the SPA, as well.
I have spent a couple of days on this now and can't seem to find a way to tell if the underlying user is still logged in from any page in the SPA Blazor app. I place code at the beginning of all Blazor Razor pages (in the form of a simple Razor Component) that DI injects IHttpContextAccessor into the page which ALWAYS provides an authenticated user (i.e., httpContextAccessor.HttpContext.User.Identity.IsAuthenticated is always true). It is as if this context is ALWAYS the context as it was when the SPA was first entered. This appears to mean that the authenticated User (i.e., cookies, claims, etc.) I entered the SPA app with appears to be the one I always work with while in the SPA. That is, it never times out!
I am looking for guidance on how to solve this problem. Hopefully the framework already somehow supports a way to "refresh" the authentication ticket for the SPA session and I am just missing something.
Any and all thoughts are welcome, because if I can solve this last problem I believe I have a very nice web app pattern here which neatly combines the best of the MVC and the Blazor worlds.
Rod
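An added illustration of the behaviour described in this issue (not code from the issue or from ASP.NET Core): the authentication state captured when the long-lived connection starts never changes, so an idle timeout has to be tracked per connection on the server. `CapturedPrincipal` and `IdleSessionGuard` are hypothetical names, the clock is injected so the run is deterministic, and the 300-second value mirrors the `ExpireTimeSpan` above.

```csharp
using System;

// Constructed stand-in for the principal captured once, when the connection
// starts. No later HTTP request re-validates the cookie, so it never changes.
public sealed class CapturedPrincipal
{
    public bool IsAuthenticated { get; } = true;
}

// Hypothetical per-connection guard: enforces the idle timeout server-side,
// because the cookie middleware does not run again for this connection.
public sealed class IdleSessionGuard
{
    private readonly TimeSpan _idleTimeout;
    private readonly Func<DateTimeOffset> _clock;
    private DateTimeOffset _lastActivity;
    private bool _expired;

    public IdleSessionGuard(TimeSpan idleTimeout, Func<DateTimeOffset> clock) =>
        (_idleTimeout, _clock, _lastActivity) = (idleTimeout, clock, clock());

    // Call at the start of every UI event handler. Returns false once the
    // connection has been idle longer than the timeout; expiry is permanent.
    public bool TryTouch()
    {
        var now = _clock();
        if (_expired || now - _lastActivity > _idleTimeout)
        {
            _expired = true;
            return false;
        }
        _lastActivity = now; // activity slides the idle window forward
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        var now = DateTimeOffset.UtcNow; // simulated clock, advanced by hand
        var user = new CapturedPrincipal();
        var guard = new IdleSessionGuard(TimeSpan.FromSeconds(300), () => now);

        now += TimeSpan.FromSeconds(200); // activity inside the idle window
        Console.WriteLine($"snapshot={user.IsAuthenticated} guard={guard.TryTouch()}");
        now += TimeSpan.FromSeconds(301); // idle for longer than 5 minutes
        Console.WriteLine($"snapshot={user.IsAuthenticated} guard={guard.TryTouch()}");
    }
}
```

When the guard returns false, a full page navigation to an MVC page produces the ordinary HTTP request on which, as the issue observes, the expired cookie is rejected and the user is logged out.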
Eilon added the area-mvc (Includes: MVC, Actions and Controllers, Localization, CORS, most templates) label on Jan 18, 2019
Thanks for contacting us, @RodDaSilva.
We haven't yet produced any guidance regarding authentication in Blazor. That is something on our radar and we track that work as part of #4048