login control persistent cookie problem

[GaryDean]

I'm using the 2.0 login control with the "remember me" setting. When
checked the cookie only last for a few hours then it is asking again for a
login. I don't see any time settings. I know back when we did our own
authentication we specified
FormsAuthentication.RedirectFromLoginPage(tbEmail.Text, True) and the cookie
lasted forever.

 

[MasterGaurav \(www.edujini-labs.com\)]

I'm using the 2.0 login control with the "remember me" setting. When

checked the cookie only last for a few hours then it is asking again for a
login. I don't see any time settings. I know back when we did our own
authentication we specified
FormsAuthentication.RedirectFromLoginPage(tbEmail.Text, True) and the
cookie lasted forever.

Well, it's similar way here.
However, even if it's 'RememberMe', it's not forever!

IIRC, it's a 3-step process in the Login control:

1. FormsAuthentication.SetAuthCookie(username, isRememberMeSelected)
In this, the timeout is set to DateTime.Now + TimeSpan.Parse(<forms
timeout="...">)
2. Raise the event LoggedIn
3. Response.Redirect(<redirect-from-login-page-url>)

In step1, the cookie is set with sliding-expiration (default) with the
timeout of 30 mins (default).


--
Happy Hacking,
Gaurav Vaish | www.mastergaurav.com
www.edujini-labs.com
http://eduzine.edujini-labs.com
-----------------------------------------

 

[Steven Cheng[MSFT]]

Hi Gary,

From your description, you found that the "Login" control's "remember me"
setting doesn't work as expected(make the authentiation cookie
persisted),correct?

Based on my understanding, the Login Control's "RememberMe" property play
the same role as the second boolean parameter of the
FormsAuthentications.Authenticate(Or RedirectFromLoginPage) method. Here is
the diassembled code of the LoginControl from reflector:

========================
private void AttemptLogin()
{
if ((this.Page == null) || this.Page.IsValid)
{
LoginCancelEventArgs e = new LoginCancelEventArgs();
this.OnLoggingIn(e);
if (!e.Cancel)
{
AuthenticateEventArgs args2 = new AuthenticateEventArgs();
this.OnAuthenticate(args2);
if (args2.Authenticated)
{
FormsAuthentication.SetAuthCookie(this.UserNameInternal,
this.RememberMeSet);
this.OnLoggedIn(EventArgs.Empty);
this.Page.Response.Redirect(this.GetRedirectUrl(), false);
}
else
{
this.OnLoginError(EventArgs.Empty);
if (this.FailureAction ==
LoginFailureAction.RedirectToLoginPage)
{

FormsAuthentication.RedirectToLoginPage("loginfailure=1");
}
ITextControl failureTextLabel = (ITextControl)
this.TemplateContainer.FailureTextLabel;
if (failureTextLabel != null)
{
failureTextLabel.Text = this.FailureText;
}
}
}
}
}
==========================

Also, for the authenticaiton ticket(cookie)'s timeout, as far as I know,
the only configuration option is in the web.config file's
<authentication>/<forms>/@timeout attribute. This controls the cookie's
timeout (when you use persistent cookie).

=============
<authentication mode="Windows">
<forms
...............
timeout="30"
.................>
........
</forms>
<passport redirectUrl="internal" />
</authentication>
==================

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.

 

[GaryDean]

maybe we are miscommunicating...

I have several asp.net 1.1 apps that simply say:
FormsAuthentication.RedirectFromLoginPage(tbEmail.Text,
cbRememberMe.Checked)
and the cookie lasts forever. There is no timout setting in the web.config.
Iv'e doing this for years.

Persistent cookies are commonplace everywhere. My (any probably your)
amazon.com cookies last forever.

Maybe something has changed with the LoginControl.

 

[Steven Cheng[MSFT]]

Thanks for your reply Gary,

Sorry that I haven't expected that you're using ASP.NET 1.1. Yes, the forms
authentication's ticket timeout does vary from 1.1 to 2.0. Actually the
change is mainly focus on persistent authentication cookie. In ASP.NET
1.x, the "timeout" setting in <forms> tag only affect non-persistent
authentication ticket, and in ASP.NET 2.0, this timeout setting affect both
persistent and non-persistent cookie. Here is a blog article (by scottgu)
which also explain this:

#Forms Authentication timeout default in ASP.NET 2.0
http://weblogs.asp.net/scottgu/archive/2005/11/08/430011.aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.