login control persistent cookie problem

Discussion in 'ASP .Net' started by GaryDean, Jul 8, 2007.

  1. GaryDean

    GaryDean Guest

    I'm using the 2.0 login control with the "remember me" setting. When
    checked the cookie only last for a few hours then it is asking again for a
    login. I don't see any time settings. I know back when we did our own
    authentication we specified
    FormsAuthentication.RedirectFromLoginPage(tbEmail.Text, True) and the cookie
    lasted forever.

    --
    Regards,
    Gary Blakely
     
    GaryDean, Jul 8, 2007
    #1
    1. Advertising

  2. > I'm using the 2.0 login control with the "remember me" setting. When
    > checked the cookie only last for a few hours then it is asking again for a
    > login. I don't see any time settings. I know back when we did our own
    > authentication we specified
    > FormsAuthentication.RedirectFromLoginPage(tbEmail.Text, True) and the
    > cookie lasted forever.


    Well, it's similar way here.
    However, even if it's 'RememberMe', it's not forever!

    IIRC, it's a 3-step process in the Login control:

    1. FormsAuthentication.SetAuthCookie(username, isRememberMeSelected)
    In this, the timeout is set to DateTime.Now + TimeSpan.Parse(<forms
    timeout="...">)
    2. Raise the event LoggedIn
    3. Response.Redirect(<redirect-from-login-page-url>)

    In step1, the cookie is set with sliding-expiration (default) with the
    timeout of 30 mins (default).


    --
    Happy Hacking,
    Gaurav Vaish | www.mastergaurav.com
    www.edujini-labs.com
    http://eduzine.edujini-labs.com
    -----------------------------------------
     
    MasterGaurav \(www.edujini-labs.com\), Jul 9, 2007
    #2
    1. Advertising

  3. Hi Gary,

    From your description, you found that the "Login" control's "remember me"
    setting doesn't work as expected(make the authentiation cookie
    persisted),correct?

    Based on my understanding, the Login Control's "RememberMe" property play
    the same role as the second boolean parameter of the
    FormsAuthentications.Authenticate(Or RedirectFromLoginPage) method. Here is
    the diassembled code of the LoginControl from reflector:

    ========================
    private void AttemptLogin()
    {
    if ((this.Page == null) || this.Page.IsValid)
    {
    LoginCancelEventArgs e = new LoginCancelEventArgs();
    this.OnLoggingIn(e);
    if (!e.Cancel)
    {
    AuthenticateEventArgs args2 = new AuthenticateEventArgs();
    this.OnAuthenticate(args2);
    if (args2.Authenticated)
    {
    FormsAuthentication.SetAuthCookie(this.UserNameInternal,
    this.RememberMeSet);
    this.OnLoggedIn(EventArgs.Empty);
    this.Page.Response.Redirect(this.GetRedirectUrl(), false);
    }
    else
    {
    this.OnLoginError(EventArgs.Empty);
    if (this.FailureAction ==
    LoginFailureAction.RedirectToLoginPage)
    {

    FormsAuthentication.RedirectToLoginPage("loginfailure=1");
    }
    ITextControl failureTextLabel = (ITextControl)
    this.TemplateContainer.FailureTextLabel;
    if (failureTextLabel != null)
    {
    failureTextLabel.Text = this.FailureText;
    }
    }
    }
    }
    }
    ==========================

    Also, for the authenticaiton ticket(cookie)'s timeout, as far as I know,
    the only configuration option is in the web.config file's
    <authentication>/<forms>/@timeout attribute. This controls the cookie's
    timeout (when you use persistent cookie).

    =============
    <authentication mode="Windows">
    <forms
    ...............
    timeout="30"
    .................>
    ........
    </forms>
    <passport redirectUrl="internal" />
    </authentication>
    ==================

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    ==================================================

    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    ications.



    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.

    ==================================================


    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Jul 9, 2007
    #3
  4. GaryDean

    GaryDean Guest

    maybe we are miscommunicating...

    I have several asp.net 1.1 apps that simply say:
    FormsAuthentication.RedirectFromLoginPage(tbEmail.Text,
    cbRememberMe.Checked)
    and the cookie lasts forever. There is no timout setting in the web.config.
    Iv'e doing this for years.

    Persistent cookies are commonplace everywhere. My (any probably your)
    amazon.com cookies last forever.

    Maybe something has changed with the LoginControl.

    --
    Regards,
    Gary Blakely
    Dean Blakely & Associates
    www.deanblakely.com
    "Steven Cheng[MSFT]" <> wrote in message
    news:...
    > Hi Gary,
    >
    > From your description, you found that the "Login" control's "remember me"
    > setting doesn't work as expected(make the authentiation cookie
    > persisted),correct?
    >
    > Based on my understanding, the Login Control's "RememberMe" property play
    > the same role as the second boolean parameter of the
    > FormsAuthentications.Authenticate(Or RedirectFromLoginPage) method. Here
    > is
    > the diassembled code of the LoginControl from reflector:
    >
    > ========================
    > private void AttemptLogin()
    > {
    > if ((this.Page == null) || this.Page.IsValid)
    > {
    > LoginCancelEventArgs e = new LoginCancelEventArgs();
    > this.OnLoggingIn(e);
    > if (!e.Cancel)
    > {
    > AuthenticateEventArgs args2 = new AuthenticateEventArgs();
    > this.OnAuthenticate(args2);
    > if (args2.Authenticated)
    > {
    > FormsAuthentication.SetAuthCookie(this.UserNameInternal,
    > this.RememberMeSet);
    > this.OnLoggedIn(EventArgs.Empty);
    > this.Page.Response.Redirect(this.GetRedirectUrl(), false);
    > }
    > else
    > {
    > this.OnLoginError(EventArgs.Empty);
    > if (this.FailureAction ==
    > LoginFailureAction.RedirectToLoginPage)
    > {
    >
    > FormsAuthentication.RedirectToLoginPage("loginfailure=1");
    > }
    > ITextControl failureTextLabel = (ITextControl)
    > this.TemplateContainer.FailureTextLabel;
    > if (failureTextLabel != null)
    > {
    > failureTextLabel.Text = this.FailureText;
    > }
    > }
    > }
    > }
    > }
    > ==========================
    >
    > Also, for the authenticaiton ticket(cookie)'s timeout, as far as I know,
    > the only configuration option is in the web.config file's
    > <authentication>/<forms>/@timeout attribute. This controls the cookie's
    > timeout (when you use persistent cookie).
    >
    > =============
    > <authentication mode="Windows">
    > <forms
    > ...............
    > timeout="30"
    > .................>
    > ........
    > </forms>
    > <passport redirectUrl="internal" />
    > </authentication>
    > ==================
    >
    > Sincerely,
    >
    > Steven Cheng
    >
    > Microsoft MSDN Online Support Lead
    >
    >
    >
    > ==================================================
    >
    > Get notification to my posts through email? Please refer to
    > http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    > ications.
    >
    >
    >
    > Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    > where an initial response from the community or a Microsoft Support
    > Engineer within 1 business day is acceptable. Please note that each follow
    > up response may take approximately 2 business days as the support
    > professional working with you may need further investigation to reach the
    > most efficient resolution. The offering is not appropriate for situations
    > that require urgent, real-time or phone-based interactions or complex
    > project analysis and dump analysis issues. Issues of this nature are best
    > handled working with a dedicated Microsoft Support Engineer by contacting
    > Microsoft Customer Support Services (CSS) at
    > http://msdn.microsoft.com/subscriptions/support/default.aspx.
    >
    > ==================================================
    >
    >
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    >
     
    GaryDean, Jul 11, 2007
    #4
  5. Thanks for your reply Gary,

    Sorry that I haven't expected that you're using ASP.NET 1.1. Yes, the forms
    authentication's ticket timeout does vary from 1.1 to 2.0. Actually the
    change is mainly focus on persistent authentication cookie. In ASP.NET
    1.x, the "timeout" setting in <forms> tag only affect non-persistent
    authentication ticket, and in ASP.NET 2.0, this timeout setting affect both
    persistent and non-persistent cookie. Here is a blog article (by scottgu)
    which also explain this:

    #Forms Authentication timeout default in ASP.NET 2.0
    http://weblogs.asp.net/scottgu/archive/2005/11/08/430011.aspx

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Jul 13, 2007
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Marco Rispoli

    Non-persistent cookie

    Marco Rispoli, May 6, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    592
    clintonG
    May 8, 2004
  2. Kepler
    Replies:
    0
    Views:
    793
    Kepler
    Oct 27, 2004
  3. Replies:
    4
    Views:
    1,079
    Kevin Frey
    Oct 24, 2005
  4. gk
    Replies:
    7
    Views:
    979
    Tom Anderson
    Oct 12, 2010
  5. sanchita

    Persistent Cookie Problem

    sanchita, Mar 23, 2007, in forum: ASP .Net Security
    Replies:
    0
    Views:
    178
    sanchita
    Mar 23, 2007
Loading...

Share This Page