8

Hi

I am using ASP.NET MVC with ASP.NET Membership.

I want to have a checkbox that, if clicked, keeps the user signed in for 2 weeks (unless they clear their cookies).

So I know there is

FormsAuthentication.SetAuthCookie(userName, createPersistentCookie)

but I don't know how to set it up for 2-week retention.

I rewrote most of the membership stuff, so I don't use stuff like Create() and VerifyUser().

chobo2

5 Answers

17

Add a hash key or a random string to both the cookie and the database (both the same key). If the cookie and database value are the same when the user starts a new session, sign him/her in again. When the user reaches the two weeks, remove the secret key from the database using a cron job (Unix) or scheduled task (Windows).

Warning: Do not rely on the cookie expiry date, since people can hack their browser.
Rule: NEVER, EVER trust ANY of your users!

char1es
  • Can you please explain how the hashing of the random string increases the security of your solution? If the hash of the random string is stored in both the database and the cookie, isn't this essentially just the same as storing the random string in both the database and the cookie? – rinogo Dec 10 '10 at 22:05
  • I'm using hash key and random string synonymously. –  Dec 10 '10 at 23:43
5

You can set the global session timeout (the value is in minutes) in web.config, e.g.

<system.web>
    <authentication mode="Forms">
          <forms timeout="20160"/>
    </authentication>
</system.web>

This will be for all authenticated users. If you want to use the 'Remember Me' functionality then you will need to write your own code to set the cookie/ticket. Something like this (taken from here):

// Page_Load and RememberUserLogin for a Web Forms page that hosts a Login control
// named Login1; needs `using System;` and `using System.Web;`.
protected void Page_Load()
{
    // No "username" cookie yet (or an empty one): just default the box to checked.
    if (Request.Cookies["username"] == null || Request.Cookies["username"].Value.ToString().Trim() == "")
    {
        Login1.RememberMeSet = true;
    }
    else
    {
        // A remembered name exists: prefill the login form with it.
        Login1.UserName = Request.Cookies["username"].Value.ToString().Trim();
        Login1.RememberMeSet = true;
    }
}

protected void RememberUserLogin()
{
    // Check the remember option for login
    if (Login1.RememberMeSet)
    {
        // Remember the user name only; the cookie carries no credentials.
        HttpCookie cookie = new HttpCookie("username");
        cookie.Value = Login1.UserName.Trim();
        cookie.Expires = DateTime.Now.AddHours(2); // lengthen this (e.g. AddDays(14)) for longer retention
        cookie.HttpOnly = true;                    // keep the cookie out of reach of page script

        HttpContext.Current.Response.AppendCookie(cookie);
        Login1.RememberMeSet = true;
    }
    else
    {
        // Box unchecked: drop the cookie from the response and tell the browser to expire it.
        // A date in the past (rather than DateTime.Now) survives clock skew between server and client.
        HttpContext.Current.Response.Cookies.Remove("username");
        Response.Cookies["username"].Expires = DateTime.Now.AddDays(-1);
        Login1.RememberMeSet = false;
    }
}

Dan Diplo
  • But how about if they don't check the box? Won't everyone get that setting? – chobo2 Aug 17 '09 at 23:57
  • Yes, sorry, I misread your question - I will update my response to address your specific question... – Dan Diplo Aug 18 '09 at 08:41
  • I think if I just set the stuff like you have in the web.config but disable sliding expiry then I will get what I want. – chobo2 Aug 19 '09 at 19:53
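The MVC-side piece the thread circles around, as an added example that is not code from any of the answers: build the forms-authentication ticket yourself so the two-week expiry is explicit and applies only when the box is checked, instead of letting FormsAuthentication.SetAuthCookie pick it up from web.config. The class and constant names (RememberMeSignIn, RememberMeDays, SessionMinutes) are this example's own; everything else is the standard System.Web.Security API.

```csharp
// Added example: issue a persistent forms-auth ticket only when "keep me signed in" is checked.
using System;
using System.Web;
using System.Web.Security;

public static class RememberMeSignIn
{
    // Two weeks, matching the question. The 20160-minute <forms timeout> in web.config
    // only governs tickets that FormsAuthentication.SetAuthCookie builds for you.
    private const int RememberMeDays = 14;
    // Lifetime of a non-persistent login (cookie dies with the browser anyway).
    private const int SessionMinutes = 30;

    // Call after your own credential check has succeeded; from a controller pass `Response`.
    public static void SignIn(HttpResponseBase response, string userName, bool rememberMe)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = rememberMe
            ? issued.AddDays(RememberMeDays)
            : issued.AddMinutes(SessionMinutes);

        // The expiry lives inside the encrypted ticket, so FormsAuthenticationModule
        // enforces it server-side; editing the cookie's Expires in the browser gains nothing.
        var ticket = new FormsAuthenticationTicket(
            1,                    // ticket version
            userName,
            issued,
            expires,
            rememberMe,           // persistent flag stored in the ticket
            string.Empty,         // userData: keep roles out of the cookie unless needed
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // unreadable from page script
            Secure = FormsAuthentication.RequireSSL,  // HTTPS-only when requireSSL is set
            Path = FormsAuthentication.FormsCookiePath
        };

        if (rememberMe)
        {
            // Without Expires the browser treats this as a session cookie and drops it on
            // close; with it, the cookie is kept until the ticket's own deadline.
            cookie.Expires = ticket.Expiration;
        }

        response.Cookies.Add(cookie);
    }
}
```

Pair this with slidingExpiration="false" on the `<forms>` element, as chobo2's comment suggests: with sliding expiration left at its default, FormsAuthenticationModule renews the ticket on activity past the half-way point and the "two weeks" becomes two weeks since the last visit rather than since login. Users who leave the box unchecked get a short, non-persistent ticket, which answers the "won't everyone get that setting?" question above.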
2

Just use a simple cookie with 2 weeks expiration date.

Traveling Tech Guy
1

Have you seen this?

http://forums.asp.net/t/1440824.aspx

Along similar lines to what Koning has suggested.

griegs
0

You cannot use a session method to keep your users logged in, since browsers delete the session cookies when the browser is closed.

Do what user142019 offered and set the session's IdleTimeout parameter very short, up to 15 min. When the server receives any request from the browser, first check whether the session is alive. If not, try to get the cookie. If the cookie and database value are the same and not expired, assign it to the (new) session and return the response.

You can use an onBeforeUnload listener to send a logout request when the user leaves your site. If logged out, delete the cookie and the DB record; if not, assign a new hash for the next auto login and refresh that hash again when the user returns to your website. You can also keep track of the IP and the browser and link them to the hash in your DB. So, in case the cookie is used with another browser or IP and the hash code is valid, you can force them to log in again.

ProPhoto
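The database-backed scheme that char1es's answer and ProPhoto's answer both describe, written out as an added example (not code from either answer): the browser holds a random token, the database holds only the SHA-256 hash of it together with a hard two-week deadline and the browser it was issued to; validation compares hashes in fixed time, trusts the server-side date rather than the cookie's Expires, rotates the token on each use, and a Purge method does the job of the cron job or scheduled task. The Dictionary stands in for the database table, and the names RememberMeStore, RememberMeRecord, Issue, Validate, Revoke and Purge are this example's own.

```csharp
// Added example: server-side "remember me" token store (in-memory stand-in for a DB table).
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class RememberMeRecord
{
    public byte[] TokenHash;   // SHA-256 of the token, never the token itself
    public DateTime Expires;   // hard two-week deadline, checked on the server
    public string UserAgent;   // browser the token was issued to (ProPhoto's binding idea)
}

public sealed class RememberMeStore
{
    public static readonly TimeSpan Lifetime = TimeSpan.FromDays(14);

    // Stand-in for the database: one live token per user name.
    private readonly Dictionary<string, RememberMeRecord> _db =
        new Dictionary<string, RememberMeRecord>(StringComparer.OrdinalIgnoreCase);

    // After a successful password login with the box checked: returns the cookie value.
    public string Issue(string userName, string userAgent, DateTime now)
    {
        return Store(userName, userAgent, now + Lifetime);
    }

    // On a request with no live authenticated session: returns a replacement cookie
    // value when the presented cookie is valid, otherwise null (fall back to the login page).
    public string Validate(string cookieValue, string userAgent, DateTime now)
    {
        if (string.IsNullOrEmpty(cookieValue)) return null;
        int sep = cookieValue.IndexOf(':');      // cookie is "userName:token"
        if (sep <= 0) return null;
        string userName = cookieValue.Substring(0, sep);
        string token = cookieValue.Substring(sep + 1);

        RememberMeRecord rec;
        if (!_db.TryGetValue(userName, out rec)) return null;

        // The browser's cookie Expires is not trusted; only this date counts.
        if (now >= rec.Expires) { _db.Remove(userName); return null; }

        if (!FixedTimeEquals(Hash(token), rec.TokenHash)) return null;

        // Valid token from a different browser: revoke it and force a real login.
        if (!string.Equals(rec.UserAgent, userAgent, StringComparison.Ordinal))
        {
            _db.Remove(userName);
            return null;
        }

        // Rotate on every use (a copied cookie stops working once the real browser
        // has used it) but keep the original deadline, so the login still ends two
        // weeks after the password was last typed.
        return Store(userName, userAgent, rec.Expires);
    }

    // Explicit logout: "delete the cookie and the db record".
    public bool Revoke(string userName) { return _db.Remove(userName); }

    // The scheduled task / cron job from char1es's answer, as a method; returns rows removed.
    public int Purge(DateTime now)
    {
        var stale = new List<string>();
        foreach (var kv in _db) if (now >= kv.Value.Expires) stale.Add(kv.Key);
        foreach (var key in stale) _db.Remove(key);
        return stale.Count;
    }

    private string Store(string userName, string userAgent, DateTime expires)
    {
        byte[] raw = new byte[32];                       // 256 bits of CSPRNG output
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);      // Base64 never contains ':'

        // Store only the hash: a dump of this table cannot be replayed as cookies.
        _db[userName] = new RememberMeRecord
        {
            TokenHash = Hash(token),
            Expires = expires,
            UserAgent = userAgent
        };
        return userName + ":" + token;
    }

    private static byte[] Hash(string token)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(token));
    }

    // Compare every byte so timing does not leak how many matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In the MVC pipeline the check goes where ProPhoto puts it: on a request whose identity is not authenticated, call Validate with Request.Cookies["remember_me"].Value and Request.UserAgent (the cookie name is an assumption); on success write the returned value back as an HttpOnly cookie and call FormsAuthentication.SetAuthCookie(userName, false) for the new session, on null expire the cookie. The hashing also answers rinogo's comment above: the database holds the hash and the cookie holds the original, so the two are not the same value, and only the value the browser presents can ever pass the comparison.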