Remember me functionality in ASP.NET Form Authentication doesn't work
5

9

I'm using ASP.NET forms authentication for logging users into a website we're developing.

Part of the functionality is a "Remember me" checkbox which remembers the user for a month if they check it.

The code for logging the user in is as follows:

public static void Login(HttpResponse response, string username,
  bool rememberMeChecked)
{
  FormsAuthentication.Initialize();
  FormsAuthenticationTicket tkt = new FormsAuthenticationTicket(1, username, DateTime.Now,
    DateTime.Now.AddMinutes(30), rememberMeChecked,
    FormsAuthentication.FormsCookiePath);
  HttpCookie ck = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(tkt));
  ck.Path = FormsAuthentication.FormsCookiePath;

  if (rememberMe)
    ck.Expires = DateTime.Now.AddMonths(1);

  response.Cookies.Add(ck);
}

The relevant section in the web.config is this:

<authentication mode="Forms">
  <forms loginUrl="Home.aspx" defaultUrl="~/" slidingExpiration="true" timeout="43200" />
</authentication>

This logs the user fine but logs them out after half an hour if they don't use the site, although its persistence property (rememberMeChecked) is set to true and if it is true, the cookie is set to expire after a month. Is there something I'm missing here?

Thanks in advance, F

Aspergillus answered 31/1, 2011 at 13:1 Comment(1)
I'm not sure if this would make a difference in this instance at all, however, what's wrong with using FormsAuthentication.RedirectFromLoginPage(userName, rememberMe)? Is there a requirement to manually create the ticket? If you specify the timeout in the config then you don't need to hand-craft it in code, AFAIK. Also, where is rememberMe being set? - Caducity
9

It looks like your authentication ticket is still configured to expire after half an hour, even if the cookie itself expires in 30 days. You probably have to extend the ticket's lifetime too:

public static void Login(HttpResponse response, string username,
    bool rememberMeChecked)
{
    // Ticket lifetime: 30 minutes by default, one month for "Remember me".
    DateTime expiration = DateTime.Now.AddMinutes(30);
    if (rememberMeChecked) {
        expiration = DateTime.Now.AddMonths(1);
    }

    FormsAuthentication.Initialize();
    // The expiration stored inside the encrypted ticket is what the
    // framework checks on each request.
    FormsAuthenticationTicket tkt = new FormsAuthenticationTicket(1, username,
        DateTime.Now, expiration, rememberMeChecked,
        FormsAuthentication.FormsCookiePath);

    HttpCookie ck = new HttpCookie(FormsAuthentication.FormsCookieName,
        FormsAuthentication.Encrypt(tkt));
    ck.Path = FormsAuthentication.FormsCookiePath;
    response.Cookies.Add(ck);
}
Tolbert answered 31/1, 2011 at 13:25 Comment(1)
You can include ck.Expires = expiration; as well. - Baudoin
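The following is an added example, not code from any of the posters: a login helper that keeps the ticket expiry and the cookie expiry in step, plus a small diagnostic that decrypts the cookie to show what the ticket actually contains. The class name RememberMeLogin and the method DescribeTicket are hypothetical; the HttpOnly and Secure settings are an added hardening assumption, and the lifetimes are the ones used on this page.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class RememberMeLogin // hypothetical helper class
{
    public static void Login(HttpResponse response, string username,
        bool rememberMeChecked)
    {
        DateTime issued = DateTime.Now;
        // One expiry value drives both the ticket and the cookie.
        DateTime expiration = rememberMeChecked
            ? issued.AddMonths(1)
            : issued.AddMinutes(30);

        // 7-argument overload: the sixth parameter is userData and the
        // seventh is cookiePath. In the 6-argument overload the last
        // parameter is userData, not the cookie path.
        var ticket = new FormsAuthenticationTicket(
            1, username, issued, expiration, rememberMeChecked,
            string.Empty, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        {
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL   // follows <forms requireSSL>
        };

        // Persist the cookie only for "Remember me"; otherwise it stays a
        // session cookie and disappears when the browser closes.
        if (rememberMeChecked)
            cookie.Expires = expiration;

        response.Cookies.Add(cookie);
    }

    // Diagnostic (hypothetical): shows the expiry stored in the ticket,
    // which the browser's cookie viewer cannot display.
    public static string DescribeTicket(HttpCookie cookie)
    {
        FormsAuthenticationTicket t = FormsAuthentication.Decrypt(cookie.Value);
        return string.Format(
            "user={0} issued={1:u} expires={2:u} persistent={3} expired={4}",
            t.Name, t.IssueDate, t.Expiration, t.IsPersistent, t.Expired);
    }
}
```

Calling DescribeTicket on Request.Cookies[FormsAuthentication.FormsCookieName] while debugging shows whether the ticket expires in 30 minutes even though the browser reports a one-month cookie.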
1

Try setting the Name attribute of the forms tag in your web.config

Also, Firecookie is awesome at debugging these sorts of issues

Just reading through your code again, you've also specified DateTime.Now.AddMinutes(30) in your ticket constructor... have to check whether that affects it

Zebulun answered 31/1, 2011 at 13:21 Comment(1)
The name link is broken. - Dispose
0

It looks to me that you're checking "rememberMe" rather than the variable you passed called "rememberMeChecked".

Abraxas answered 31/1, 2011 at 13:21 Comment(0)
0

You have specified DateTime.Now.AddMinutes(30) in the constructor for FormsAuthenticationTicket. This is what is setting the expiry for the login.

Biracial answered 31/1, 2011 at 13:22 Comment(0)
0

I realised that the authentication ticket had to be renewed, not only read. My Application_BeginRequest method looks like this now:

if (!Request.IsAuthenticated)
{
    HttpCookie ck = Request.Cookies[FormsAuthentication.FormsCookieName];

    if (ck != null)
    {
        FormsAuthenticationTicket oldTicket = FormsAuthentication.Decrypt(ck.Value);
        UserManagementUtils.RenewFormsAuthenticationTicket(Response, oldTicket);
    }
}

That seems to have taken care of it.

Aspergillus answered 31/1, 2011 at 15:7 Comment(1)
This should be taken care of by the framework. I think the problem, as mentioned in the answer above, is that you did not set the ticket's expiry, just the cookie's. - Subacid