#390 Make the nonce cookie expire.

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs

@@ -666,7 +666,8 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
                 new CookieOptions
                 {
                     HttpOnly = true,
-                    Secure = Request.IsHttps
+                    Secure = Request.IsHttps,
+                    Expires = DateTime.UtcNow + Options.ProtocolValidator.NonceLifetime
                 });
         }
 

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs

@@ -169,7 +169,11 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
         /// is valid per: http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation 
         /// </summary>
         /// <exception cref="ArgumentNullException">if 'value' is null.</exception>
-        public OpenIdConnectProtocolValidator ProtocolValidator { get; set; } = new OpenIdConnectProtocolValidator { RequireState = false };
+        public OpenIdConnectProtocolValidator ProtocolValidator { get; set; } = new OpenIdConnectProtocolValidator()
+        {
+            RequireState = false,
+            NonceLifetime = TimeSpan.FromMinutes(15)
+        };
 
         /// <summary>
         /// Gets or sets the 'post_logout_redirect_uri'

test/Microsoft.AspNet.Authentication.Test/OpenIdConnect/OpenIdConnectMiddlewareTests.cs

@@ -83,6 +83,7 @@ namespace Microsoft.AspNet.Authentication.Tests.OpenIdConnect
             });
             var transaction = await SendAsync(server, DefaultHost + Challenge);
             transaction.SetCookie.Single().ShouldContain(OpenIdConnectAuthenticationDefaults.CookieNoncePrefix);
+            transaction.SetCookie.Single().ShouldContain("Expires");
         }
 
         [Fact]