Programatically Logging in a User

Discussion in 'ASP .Net' started by Jonathan Wood, Oct 20, 2009.

  1. I'm writing code to log in a user without using the standard Login control.

    The following code seems to do the trick.

    if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
    FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, true);

    But I don't get why.

    Membership.ValidateUser() tells me if the credentials are valid but appears
    not to actually log the user in.

    FormsAuthentication.RedirectFromLoginPage() appears that it DOES log the
    user in. But the docs don't seem to say anything about that:

    "The RedirectFromLoginPage method redirects to the URL specified in the
    query string using the ReturnURL variable name. For example, in the URL
    http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, the
    RedirectFromLoginPage method redirects tothe return URL caller.aspx. If the
    ReturnURL variable does not exist, the RedirectFromLoginPage method
    redirects to the URL in the DefaultUrl property."

    My question is: Does anyone know if this is the "preferred" way to log in a
    user without using the Login control. And if RedirectFromLoginPage logs a
    user in, does anyone know why this wasn't documented?

    Thanks.

    --
    Jonathan Wood
    SoftCircuits Programming
    http://www.softcircuits.com
     
    Jonathan Wood, Oct 20, 2009
    #1
    1. Advertising

  2. "Jonathan Wood" <> wrote in news:eBJuQkTUKHA.4780
    @TK2MSFTNGP05.phx.gbl:

    > FormsAuthentication.RedirectFromLoginPage() appears that it DOES log the
    > user in. But the docs don't seem to say anything about that:



    It does not directly, but look at the signature:

    public static void RedirectFromLoginPage(
    string userName,
    bool createPersistentCookie,
    string strCookiePath
    )

    The only reason to create a cookie is to track the user, so this does log
    the user in at this time. I am not sure this is the best design, but since
    you are in control of the code, you can determine whom to redirect and whom
    not to.

    Peace and Grace,


    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA

    Twitter: @gbworld
    Blog: http://gregorybeamer.spaces.live.com

    *******************************************
    | Think outside the box! |
    *******************************************
     
    Gregory A. Beamer, Oct 20, 2009
    #2
    1. Advertising

  3. "Gregory A. Beamer" <> wrote:

    It still seems like the docs would mention that the user is logged in, as
    that is the end result.

    BTW, I noticed that the createPersistentCookie flag appears to mean logging
    back in is not required for, maybe, 20 minutes. Does anyone know how to
    increase this amount of time?

    >> FormsAuthentication.RedirectFromLoginPage() appears that it DOES log the
    >> user in. But the docs don't seem to say anything about that:

    >
    > It does not directly, but look at the signature:
    >
    > public static void RedirectFromLoginPage(
    > string userName,
    > bool createPersistentCookie,
    > string strCookiePath
    > )
    >
    > The only reason to create a cookie is to track the user, so this does log
    > the user in at this time. I am not sure this is the best design, but since
    > you are in control of the code, you can determine whom to redirect and
    > whom
    > not to.
    >
    > Peace and Grace,
    >
    >
    > --
    > Gregory A. Beamer
    > MVP; MCP: +I, SE, SD, DBA
    >
    > Twitter: @gbworld
    > Blog: http://gregorybeamer.spaces.live.com
    >
    > *******************************************
    > | Think outside the box! |
    > *******************************************



    --
    Jonathan Wood
    SoftCircuits Programming
    http://www.softcircuits.com
     
    Jonathan Wood, Oct 20, 2009
    #3
  4. On Oct 20, 5:54 am, "Jonathan Wood" <> wrote:
    > I'm writing code to log in a user without using the standard Login control.
    >
    > The following code seems to do the trick.
    >
    > if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
    >     FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, true);
    >
    > But I don't get why.
    >
    > Membership.ValidateUser() tells me if the credentials are valid but appears
    > not to actually log the user in.


    It looks like the description on MSDN site is not correct. They said
    "Membership.ValidateUser: Verifies that the supplied user name and
    password are valid.", while I think they need to mention that this is
    also "Authenticates a user using supplied credentials." like this
    stays here: http://msdn.microsoft.com/en-us/magazine/cc163703.aspx
     
    Alexey Smirnov, Oct 21, 2009
    #4
  5. "Alexey Smirnov" <> wrote:

    >> I'm writing code to log in a user without using the standard Login
    >> control.
    >>
    >> The following code seems to do the trick.
    >>
    >> if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
    >> FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, true);

    >
    > It looks like the description on MSDN site is not correct. They said
    > "Membership.ValidateUser: Verifies that the supplied user name and
    > password are valid.", while I think they need to mention that this is
    > also "Authenticates a user using supplied credentials." like this
    > stays here: http://msdn.microsoft.com/en-us/magazine/cc163703.aspx


    Based on my tests, Membership.ValidateUser does not authenticate. It only
    tells you if the login is valid. So I think the MSDN documentation is
    correct there. However, I think the MSDN documentation for
    FormsAuthentication.RedirectFromLoginPage is incomplete.

    The article you linked looks interesting though. I'll check that out.

    Thanks.

    Jonathan
     
    Jonathan Wood, Oct 22, 2009
    #5
  6. "Jonathan Wood" <> wrote in
    news::

    > It still seems like the docs would mention that the user is logged in,
    > as that is the end result.
    >
    > BTW, I noticed that the createPersistentCookie flag appears to mean
    > logging back in is not required for, maybe, 20 minutes. Does anyone
    > know how to increase this amount of time?


    The main difference between cookies is this:

    false = session cookie - deleted when browser is closed
    true = persistent cookie - stays despite browser close

    The persistent cookie is set to 30 minutes, by default, but can be extended
    by the cookieTimeout attribute of the roleManager tag in web.config. This
    can be a sliding amount of minutes, as set by the cookieSlidingExpiration
    (true|False) in roleManager. The default for sliding is true, so it is
    normal the user gets X minutes after his last hit and not just x minutes.

    Peace and Grace,


    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA

    Twitter: @gbworld
    Blog: http://gregorybeamer.spaces.live.com

    *******************************************
    | Think outside the box! |
    *******************************************
     
    Gregory A. Beamer, Oct 22, 2009
    #6
  7. "Gregory A. Beamer" <> wrote:

    > The main difference between cookies is this:
    >
    > false = session cookie - deleted when browser is closed
    > true = persistent cookie - stays despite browser close
    >
    > The persistent cookie is set to 30 minutes, by default, but can be
    > extended
    > by the cookieTimeout attribute of the roleManager tag in web.config. This
    > can be a sliding amount of minutes, as set by the cookieSlidingExpiration
    > (true|False) in roleManager. The default for sliding is true, so it is
    > normal the user gets X minutes after his last hit and not just x minutes.


    Right. But for more relaxed security requirements, I'd like to implement a
    *real* remember me checkbox along the lines of sites like Facebook where
    users don't have to log in for many days or even months. (The "remember me"
    option used by the Login control seems rather pointless.)

    I'll check out the cookieTimeout attribute; however, it sounds like that's
    in minutes, which may not sufficiently address what I'm trying to do here.
    I'm just wondering if the ASP.NET membership can support a real remember me
    option, or if I just need to implement it myself.

    Thanks.

    Jonathan
     
    Jonathan Wood, Oct 22, 2009
    #7
  8. "Jonathan Wood" <> wrote in
    news::

    > Right. But for more relaxed security requirements, I'd like to
    > implement a *real* remember me checkbox along the lines of sites like
    > Facebook where users don't have to log in for many days or even
    > months. (The "remember me" option used by the Login control seems
    > rather pointless.)


    Store your own cookie and log them in using the same mechanism if the
    cookie is present. That is essentially what other sites do for "remember
    me". If you don't think so, then delete all cookies and go back to one of
    those sites.

    Peace and Grace,


    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA

    Twitter: @gbworld
    Blog: http://gregorybeamer.spaces.live.com

    *******************************************
    | Think outside the box! |
    *******************************************
     
    Gregory A. Beamer, Oct 22, 2009
    #8
  9. I believe you. I was just trying to figure out if ASP.NET membership
    included this functionality (being how they included it partially via the
    "remember me" check box). If not (and it appears they don't) I'll need my
    own cookie as you suggest.

    Thanks.

    "Gregory A. Beamer" <> wrote in message
    news:Xns9CAC873499F56gbworld@207.46.248.16...
    > "Jonathan Wood" <> wrote in
    > news::
    >
    >> Right. But for more relaxed security requirements, I'd like to
    >> implement a *real* remember me checkbox along the lines of sites like
    >> Facebook where users don't have to log in for many days or even
    >> months. (The "remember me" option used by the Login control seems
    >> rather pointless.)

    >
    > Store your own cookie and log them in using the same mechanism if the
    > cookie is present. That is essentially what other sites do for "remember
    > me". If you don't think so, then delete all cookies and go back to one of
    > those sites.
    >
    > Peace and Grace,
    >
    >
    > --
    > Gregory A. Beamer
    > MVP; MCP: +I, SE, SD, DBA
    >
    > Twitter: @gbworld
    > Blog: http://gregorybeamer.spaces.live.com
    >
    > *******************************************
    > | Think outside the box! |
    > *******************************************



    --
    Jonathan Wood
    SoftCircuits Programming
    http://www.softcircuits.com
     
    Jonathan Wood, Oct 23, 2009
    #9
  10. "Jonathan Wood" <> wrote in
    news:#:

    > I believe you. I was just trying to figure out if ASP.NET membership
    > included this functionality (being how they included it partially via
    > the "remember me" check box). If not (and it appears they don't) I'll
    > need my own cookie as you suggest.


    At one time, I thought that was the purpose too. And, you could make the
    cookie last for a ridiculous number of minutes and have it serve that
    purpose, if you needed to. But if you need a "forever" type of cookie, then
    code your own.

    Peace and Grace,

    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA

    Twitter: @gbworld
    Blog: http://gregorybeamer.spaces.live.com

    *******************************************
    | Think outside the box! |
    *******************************************
     
    Gregory A. Beamer, Oct 23, 2009
    #10
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Stefan Siegl
    Replies:
    0
    Views:
    985
    Stefan Siegl
    Aug 27, 2003
  2. janne
    Replies:
    0
    Views:
    9,615
    janne
    Sep 10, 2004
  3. Christoph Haas
    Replies:
    0
    Views:
    481
    Christoph Haas
    Jun 12, 2006
  4. Christoph Haas
    Replies:
    1
    Views:
    485
    Vinay Sajip
    Jun 14, 2006
  5. johnny
    Replies:
    1
    Views:
    673
    Dennis Lee Bieber
    Dec 12, 2006
Loading...

Share This Page