aspnet · natemcmaster · Jul 5, 2017 · Jul 5, 2017 · Jul 5, 2017
diff --git a/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs b/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs
@@ -270,14 +270,14 @@ public async virtual Task SignInAsync(ClaimsPrincipal user, AuthenticationProper
 
             if (!signInContext.Properties.ExpiresUtc.HasValue)
             {
-                signInContext.Properties.ExpiresUtc = issuedUtc.Add(Options.Cookie.Expiration ?? default(TimeSpan));
+                signInContext.Properties.ExpiresUtc = issuedUtc.Add(Options.ExpireTimeSpan);
             }
 
             await Events.SigningIn(signInContext);
 
             if (signInContext.Properties.IsPersistent)
             {
-                var expiresUtc = signInContext.Properties.ExpiresUtc ?? issuedUtc.Add(Options.Cookie.Expiration ?? default(TimeSpan));
+                var expiresUtc = signInContext.Properties.ExpiresUtc ?? issuedUtc.Add(Options.ExpireTimeSpan);
                 signInContext.CookieOptions.Expires = expiresUtc.ToUniversalTime();
             }
 

diff --git a/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs b/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs
@@ -21,14 +21,14 @@ public class CookieAuthenticationOptions : AuthenticationSchemeOptions
             SameSite = SameSiteMode.Lax,
             HttpOnly = true,
             SecurePolicy = CookieSecurePolicy.SameAsRequest,
-            Expiration = TimeSpan.FromDays(14),
         };
 
         /// <summary>
         /// Create an instance of the options initialized with the default values
         /// </summary>
         public CookieAuthenticationOptions()
         {
+            ExpireTimeSpan = TimeSpan.FromDays(14);
             ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
             SlidingExpiration = true;
             Events = new CookieAuthenticationEvents();
@@ -42,7 +42,6 @@ public CookieAuthenticationOptions()
         /// <seealso cref="CookieBuilder.SameSite"/> defaults to <see cref="SameSiteMode.Lax"/>.
         /// <seealso cref="CookieBuilder.HttpOnly"/> defaults to <c>true</c>.
         /// <seealso cref="CookieBuilder.SecurePolicy"/> defaults to <see cref="CookieSecurePolicy.SameAsRequest"/>.
-        /// <seealso cref="CookieBuilder.Expiration"/> defaults to 14 days.
         /// </para>
         /// </summary>
         /// <remarks>
@@ -60,9 +59,7 @@ public CookieAuthenticationOptions()
         /// The default is true, which means the cookie will only be passed to http requests and is not made available to script on the page.
         /// </para>
         /// <para>
-        /// <seealso cref="CookieBuilder.Expiration"/> controls how much time the cookie will remain valid from the point it is created. The expiration
-        /// information is in the protected cookie ticket. Because of that an expired cookie will be ignored
-        /// even if it is passed to the server after the browser should have purged it
+        /// <seealso cref="CookieBuilder.Expiration"/> is currently ignored. Use <see cref="ExpireTimeSpan"/> to control lifetime of cookie authentication.
         /// </para>
         /// </remarks>
         public CookieBuilder Cookie
@@ -140,6 +137,19 @@ public CookieBuilder Cookie
         /// </summary>
         public ITicketStore SessionStore { get; set; }
 
+        /// <summary>
+        /// <para>
+        /// Controls how much time the authentication ticket stored in the cookie will remain valid from the point it is created
+        /// The expiration information is stored in the protected cookie ticket. Because of that an expired cookie will be ignored
+        /// even if it is passed to the server after the browser should have purged it.
+        /// </para>
+        /// <para>
+        /// This is separate from the value of <seealso cref="CookieOptions.Expires"/>, which specifies
+        /// how long the browser will keep the cookie.
+        /// </para>
+        /// </summary>
+        public TimeSpan ExpireTimeSpan { get; set; }
+
         #region Obsolete API
         /// <summary>
         /// <para>
@@ -201,23 +211,6 @@ public CookieBuilder Cookie
         /// </summary>
         [Obsolete("This property is obsolete and will be removed in a future version. The recommended alternative is " + nameof(Cookie) + "." + nameof(CookieBuilder.SecurePolicy) + ".")]
         public CookieSecurePolicy CookieSecure { get => Cookie.SecurePolicy; set => Cookie.SecurePolicy = value; }
-
-        /// <summary>
-        /// <para>
-        /// This property is obsolete and will be removed in a future version. The recommended alternative is <seealso cref="CookieBuilder.Expiration"/> on <see cref="Cookie"/>.
-        /// </para>
-        /// <para>
-        /// Controls how much time the cookie will remain valid from the point it is created. The expiration
-        /// information is in the protected cookie ticket. Because of that an expired cookie will be ignored
-        /// even if it is passed to the server after the browser should have purged it
-        /// </para>
-        /// </summary>
-        [Obsolete("This property is obsolete and will be removed in a future version. The recommended alternative is " + nameof(Cookie) + "." + nameof(CookieBuilder.Expiration) + ".")]
-        public TimeSpan ExpireTimeSpan
-        {
-            get => Cookie.Expiration ?? default(TimeSpan);
-            set => Cookie.Expiration = value;
-        }
         #endregion
     }
 }
diff --git a/...soft.AspNetCore.Authentication.Cookies/Microsoft.AspNetCore.Authentication.Cookies.csproj b/...soft.AspNetCore.Authentication.Cookies/Microsoft.AspNetCore.Authentication.Cookies.csproj
@@ -19,8 +19,4 @@
     <ProjectReference Include="..\Microsoft.AspNetCore.Authentication\Microsoft.AspNetCore.Authentication.csproj" />
   </ItemGroup>
 
-  <ItemGroup>
-    <Folder Include="Properties\" />
-  </ItemGroup>
-
 </Project>
diff --git a/test/Microsoft.AspNetCore.Authentication.Test/CookieTests.cs b/test/Microsoft.AspNetCore.Authentication.Test/CookieTests.cs
@@ -143,6 +143,23 @@ public async Task SignInCausesDefaultCookieToBeCreated()
             Assert.DoesNotContain("; secure", setCookie);
         }
 
+        [Fact]
+        public async Task CookieExpirationOptionIsIgnored()
+        {
+            var server = CreateServerWithServices(s => s.AddAuthentication().AddCookie(o =>
+            {
+                o.Cookie.Name = "TestCookie";
+                // this is currently ignored. Users should set o.ExpireTimeSpan instead
+                o.Cookie.Expiration = TimeSpan.FromDays(10);
+            }), SignInAsAlice);
+
+            var transaction = await SendAsync(server, "http://example.com/testpath");
+
+            var setCookie = transaction.SetCookie;
+            Assert.StartsWith("TestCookie=", setCookie);
+            Assert.DoesNotContain("; expires=", setCookie);
+        }
+
         [Fact]
         public async Task SignInWrongAuthTypeThrows()
         {
@@ -277,7 +294,7 @@ public async Task CookieStopsWorkingAfterExpiration()
         {
             var server = CreateServer(o =>
             {
-                o.Cookie.Expiration = TimeSpan.FromMinutes(10);
+                o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                 o.SlidingExpiration = false;
             }, SignInAsAlice);
 
@@ -306,7 +323,7 @@ public async Task CookieExpirationCanBeOverridenInSignin()
         {
             var server = CreateServer(o =>
             {
-                o.Cookie.Expiration = TimeSpan.FromMinutes(10);
+                o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                 o.SlidingExpiration = false;
             },
             context =>
@@ -339,7 +356,7 @@ public async Task ExpiredCookieWithValidatorStillExpired()
         {
             var server = CreateServer(o =>
             {
-                o.Cookie.Expiration = TimeSpan.FromMinutes(10);
+                o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                 o.Events = new CookieAuthenticationEvents
                 {
                     OnValidatePrincipal = ctx =>
@@ -367,7 +384,7 @@ public async Task CookieCanBeRejectedAndSignedOutByValidator()
         {
             var server = CreateServer(o =>
             {
-                o.Cookie.Expiration = TimeSpan.FromMinutes(10);
+                o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                 o.SlidingExpiration = false;
                 o.Events = new CookieAuthenticationEvents
                 {
@@ -395,7 +412,7 @@ public async Task CookieNotRenewedAfterSignOut()
         {
             var server = CreateServer(o =>
             {
-                o.Cookie.Expiration = TimeSpan.FromMinutes(10);
+                o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                 o.SlidingExpiration = false;
                 o.Events = new CookieAuthenticationEvents
                 {
@@ -431,7 +448,7 @@ public async Task CookieCanBeRenewedByValidator()
         {
             var server = CreateServer(o =>
             {
-                o.Cookie.Expiration = TimeSpan.FromMinutes(10);
+                o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                 o.SlidingExpiration = false;
                 o.Events = new CookieAuthenticationEvents
                 {
@@ -476,7 +493,7 @@ public async Task CookieCanBeRenewedByValidatorWithSlidingExpiry()
         {
             var server = CreateServer(o =>
             {
-                o.Cookie.Expiration = TimeSpan.FromMinutes(10);
+                o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                 o.Events = new CookieAuthenticationEvents
                 {
                     OnValidatePrincipal = ctx =>
@@ -520,7 +537,7 @@ public async Task CookieValidatorOnlyCalledOnce()
         {
             var server = CreateServer(o =>
             {
-                o.Cookie.Expiration = TimeSpan.FromMinutes(10);
+                o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                 o.SlidingExpiration = false;
                 o.Events = new CookieAuthenticationEvents
                 {
@@ -569,7 +586,7 @@ public async Task ShouldRenewUpdatesIssuedExpiredUtc(bool sliding)
             DateTimeOffset? lastExpiresDate = null;
             var server = CreateServer(o =>
             {
-                o.Cookie.Expiration = TimeSpan.FromMinutes(10);
+                o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                 o.SlidingExpiration = sliding;
                 o.Events = new CookieAuthenticationEvents
                 {
@@ -619,7 +636,7 @@ public async Task CookieExpirationCanBeOverridenInEvent()
         {
             var server = CreateServer(o =>
             {
-                o.Cookie.Expiration = TimeSpan.FromMinutes(10);
+                o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                 o.SlidingExpiration = false;
                 o.Events = new CookieAuthenticationEvents()
                 {
@@ -656,7 +673,7 @@ public async Task CookieIsRenewedWithSlidingExpiration()
         {
             var server = CreateServer(o =>
             {
-                o.Cookie.Expiration = TimeSpan.FromMinutes(10);
+                o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                 o.SlidingExpiration = true;
             },
             SignInAsAlice);