Persistent Cookie not working

Discussion in 'ASP .Net Security' started by jrhea2006@kellogg.northwestern.edu, Feb 18, 2006.

  1. Guest

    I want my site to remember users when they come back without requiring
    them to login again (assuming they checked "remember me" on the login
    control).

    I've tried increasing the timeouts to 3000000+ but it still requires
    users to login if the session times out (roughly 30 minutes or so).

    What am I missing? Thanks!

    I do have web.configs to protect the "secure" directories:
    <system.web>
    <authorization>
    <allow roles="Administrators" />
    <deny roles="Users" />
    <deny users="?" />
    </authorization>
    </system.web>

    Here is the relevant site web.config section:

    <authentication mode="Forms">
    <forms loginUrl="main/Login.aspx" defaultUrl="main/Login.aspx"
    cookieless="UseCookies" timeout="5000000" />
    </authentication>
    <membership defaultProvider="CrossroadsMembershipSqlProvider" >
    <providers>
    <add name="CrossroadsMembershipSqlProvider"
    type="System.Web.Security.SqlMembershipProvider, System.Web,
    Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
    connectionStringName="LocalSqlServer" enablePasswordRetrieval="false"
    enablePasswordReset="true" requiresQuestionAndAnswer="false"
    applicationName="Crossroads" requiresUniqueEmail="true"
    passwordFormat="Clear" minRequiredPasswordLength="5"
    minRequiredNonalphanumericCharacters="0"/>
    </providers>
    </membership>
    <roleManager enabled="true" cacheRolesInCookie="true"
    defaultProvider="CrossroadsRoleManagerSqlProvider"
    cookieName=".ASPXROLES" cookiePath="/" cookieTimeout="300000000"
    cookieRequireSSL="false" cookieSlidingExpiration="true"
    createPersistentCookie="true" cookieProtection="All" >
    <providers>
    <add name="CrossroadsRoleManagerSqlProvider"
    type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0,
    Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
    connectionStringName="LocalSqlServer" applicationName="Crossroads"/>
    </providers>
    </roleManager>
    , Feb 18, 2006
    #1

  2. A discussion I did lately, a session has nearly nothing to do with
    authentication.
    Especially when used with persistent cookies.
    It's likely you made a flaw by making the user dependent on some dumb
    session variable.
    When it expires you could follow the global.asax events to track if indeed
    the authentication is still valid.

    In some cases the session is (imo mis-) used to hold a non-persistent user
    (cookieless or similar).
    So in that case authentication is depending on the session-id.


    Edwin Knoppert, Feb 18, 2006
    #2
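
Added example, not part of the original thread or any poster's code: one way to follow the Global.asax events as reply #2 suggests, logging the forms-authentication ticket on every request and the session expiry separately, so the two lifetimes can be compared. The class name `Global` and the log message wording are assumptions; the `FormsAuthentication` and `FormsAuthenticationTicket` members are the standard System.Web.Security API.

```csharp
// Global.asax.cs -- added diagnostic example, not code from the thread.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Fires on every request, before session state is loaded.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            // The browser did not send the ticket: either it was never
            // persisted (session-only cookie) or it has already expired.
            System.Diagnostics.Trace.WriteLine("auth: no forms cookie for " + Request.RawUrl);
            return;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Throws if the value was altered or the machine key changed.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            System.Diagnostics.Trace.WriteLine("auth: ticket rejected: " + ex.GetType().Name);
            return;
        }
        if (ticket == null) return;

        // IsPersistent == false means "remember me" was not honoured at login;
        // Expiration is driven by <forms timeout="...">, not by the session.
        System.Diagnostics.Trace.WriteLine(string.Format(
            "auth: user={0} persistent={1} issued={2:u} expires={3:u} expired={4}",
            ticket.Name, ticket.IsPersistent, ticket.IssueDate,
            ticket.Expiration, ticket.Expired));
    }

    // Raised only with InProc session state. Nothing here touches the
    // forms-auth cookie: a valid ticket logged after this event means the
    // login prompt comes from code that depends on a Session variable.
    protected void Session_End(object sender, EventArgs e)
    {
        System.Diagnostics.Trace.WriteLine("session: ended " + Session.SessionID);
    }
}
```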

  3. HOW annoying, MULTIPOST with all the news group resolve errors I get!


    Edwin Knoppert, Feb 18, 2006
    #3
  4. Guest

    Thanks Edwin - great value add there.

    I posted to the security thread and then in looking through the group
    didn't see a lot of traffic so I thought I'd try my hand at the regular
    aspnet group.

    Is that OK or do I still get 20 lashes with a wet noodle?
    , Feb 18, 2006
    #4
  5. >..or do I still get 20 lashes with a wet noodle?

    Hmm, haven't thought about your punishment yet, but I expect I can have some
    lashes myself so now and then :D

    :)



    Edwin Knoppert, Feb 18, 2006
    #5