Need information on Authentication cookie

[Rahul21199]

IdentityServer version

Duende IdentityServer- 7.0.6

.NET version

.net 8

Description

I need some information to understand the expiry of an authentication cookie. From the application tab, I can see it is set to "session," which means the session will close once the browser is closed. However, the code provided below sets the expiry to 10 hours.
https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Configuration/DependencyInjection/ConfigureInternalCookieOptions.cs#L31

Am I missing something? Any idea how the expiry is handled for the authentication cookie?

Reproduction steps

No response

Expected behavior

No response

Logs

No response

Additional context

No response

[Rahul21199]

i am referring "idsrv.session" cookie
https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/IdentityServerConstants.cs#L17

[RolandGuijt]

idsrv.session is not the authentication cookie.
It exists in addition to the authentication cookie and is derived from the main authentication cookie. It used for the check session endpoint for browser-based JavaScript clients at signout time. It is kept in sync with the authentication cookie, and is removed when the user signs out or the browser session ends.

The code you're referring to (in the original post) is not configuring the "idsrv.session" cookie but the default authentication cookie scheme.

[Rahul21199]

Could you please let me know the expiry time for a user session once it is created?

[RolandGuijt]

You can control that yourself. If you don't configure this, the default cookie lifetime is 10 hours.

Keep in mind that there can be multiple session cookies. I'm talking about the IdentityServer session in this case. If you have server-rendered web applications or BFFs they control their own sessions.