Persistent Cookie not working

J

jrhea2006

I want my site to remember users when they come back without requiring
them to login again (assuming they checked "remember me" on the login
control).

I've tried increasing the timeouts to 3000000+ but it still requires
users to login if the session times out (roughly 30 minutes or so).

What am I missing? Thanks!

I do have web.configs to protect the "secure" directories:
<system.web>
<authorization>
<allow roles="Administrators" />
<deny roles="Users" />
<deny users="?" />
</authorization>
</system.web>

Here is the relevent site web.config section:

<authentication mode="Forms">
<forms loginUrl="main/Login.aspx" defaultUrl="main/Login.aspx"
cookieless="UseCookies" timeout="5000000" />
</authentication>
<membership defaultProvider="CrossroadsMembershipSqlProvider" >
<providers>
<add name="CrossroadsMembershipSqlProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSqlServer" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="false"
applicationName="Crossroads" requiresUniqueEmail="true"
passwordFormat="Clear" minRequiredPasswordLength="5"
minRequiredNonalphanumericCharacters="0"/>
</providers>
</membership>
<roleManager enabled="true" cacheRolesInCookie="true"
defaultProvider="CrossroadsRoleManagerSqlProvider"
cookieName=".ASPXROLES" cookiePath="/" cookieTimeout="300000000"
cookieRequireSSL="false" cookieSlidingExpiration="true"
createPersistentCookie="true" cookieProtection="All" >
<providers>
<add name="CrossroadsRoleManagerSqlProvider"
type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSqlServer" applicationName="Crossroads"/>
</providers>
</roleManager>
 
E

Edwin Knoppert

A discussion i did lately, a session has nearly nothing to do with
authentication.
Especially when used with persistant cookies.
It's likely you made a flaw by making the user depending on some dumb
session variable.
Whenit expires you could follow the global.asax events to track if indeed
the authentication is still valid..

In some cases the session is (imo mis-) used to hold a non-persistant user
(cookieless or similar).
So in that case authentication is depending on the session-id.
 
J

jrhea2006

Thanks Edwin - great value add there.

I posted to the security thread and then in looking through the group
didn't see a lot of traffic so I thought I'd try my hand at the regular
aspnet group.

Is that OK or do I still get 20 lashes with a wet noodle?
 
E

Edwin Knoppert

..or do I still get 20 lashes with a wet noodle?

Hmm, haven't thought about your punishment yet, but i expect i can have some
lashes myself so now and then :D

:)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Wrong applicationName returned by Membership.Provider.ApplicationN 1
Single Sign On Not Working 1
Custom memebrship provider problem 2
Built-in controls with custom providers 1
How to configure the SMPTMAIL service 0
problem with web.config when using roles 2
IIS forms authentication & Login controls 0
WebSite Admin Tool settings Q 0

Members online

No members online now.
Total: 24 (members: 0, guests: 24)
Robots: 302

Forum statistics

Threads
473,755
Messages
2,569,536
Members
45,007
Latest member
obedient dusk

Latest Threads

Top