
I need to secure the pages of an e-commerce website using forms authentication, and there's a client requirement that the login form have a "Remember Me" check box which, when checked, keeps the user logged in for a month; otherwise he'll have to log in each time he visits the site. How can I do this with forms authentication?

Also, I am confused about the parameter "createPersistentCookie" of the methods "RedirectFromLoginPage" and "SetAuthCookie": if set to true, it will create a persistent cookie. Persistent for how long?

Thanks

2 Answers


You specify the timeout of the cookie in the web.config:

<!-- timeout is in minutes (e.g. 43200 = 30 days); slidingExpiration renews the ticket on activity -->
<forms 
   name="name" 
   loginUrl="URL" 
   defaultUrl="URL"
   protection="[All|None|Encryption|Validation]"
   timeout="[MM]"
   path="path"
   requireSSL="[true|false]"
   slidingExpiration="[true|false]"
   enableCrossAppRedirects="[true|false]"
   cookieless="[UseUri|UseCookies|AutoDetect|UseDeviceProfile]" 
   domain="domain name"
   ticketCompatibilityMode="[Framework20|Framework40]">
   <credentials>...</credentials>
</forms>

http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx

http://weblogs.asp.net/scottgu/archive/2005/11/08/430011.aspx

If you just want to set the cookie (authenticate the user) and do your own redirect, use SetAuthCookie with the "true" parameter.


5 Comments

I still don't understand how I would differentiate between the user who checks "Remember Me" so that he'll be kept logged in for 1 month and the user who doesn't check "Remember Me". If I changed the timeout value in the web.config to 43200, i.e. 30 days, it would apply to both users.
If you pass the parameter as "false", the cookie will be a session cookie, so when the user closes the browser it will be gone.
I found this post forums.asp.net/t/1010241.aspx; what I understood from it is that it's not possible to differentiate between persistent and non-persistent cookies using forms authentication, and setting the timeout to a large value affects performance. Is this true, or did I get it wrong?
I just tested adding "5000" and, using Firebug, it shows as a session cookie (as expected), meaning after you close your browser it will go away (it might persist if you close the tab and use another tab).
I wouldn't think so... Cookies are client things, so they won't affect server-side performance. The problem will be mostly the session timeout (that affects performance). As for security, cookies can be "hijacked" (if I copy your cookies to my PC I can impersonate you). That's something you have to be aware of. Example: eweek.com/c/a/Security/…

Instead of relying on SetAuthCookie or RedirectFromLoginPage, you can create the FormsAuthenticationTicket and the cookie explicitly. Here you have control over the timeout of the cookie as well as the ticket.

FormsAuthenticationTicket Class

Also check this.
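As an added example (not code from either answer), here is the explicit-ticket approach the second answer describes, with the web.config timeout from the first answer used for the non-persistent case. It assumes ASP.NET on .NET Framework 4.0 or later (FormsAuthentication.Timeout), protection="All" so the ticket is encrypted and signed with the machineKey, and a 30-day lifetime for "Remember Me"; the control names in the usage comment are assumptions.

```csharp
// Added example, not from the original post: a login helper that builds the
// FormsAuthenticationTicket itself so "Remember Me" and ordinary logins get
// different lifetimes. Assumes System.Web (ASP.NET Framework 4.0+) and a
// <forms> element in web.config whose timeout="" governs the session case.
using System;
using System.Web;
using System.Web.Security;

public static class RememberMeAuth
{
    // Assumption: the client's "keep me logged in" requirement is 30 days.
    private static readonly TimeSpan RememberMeLifetime = TimeSpan.FromDays(30);

    public static void SignIn(HttpResponse response, string userName, bool rememberMe)
    {
        DateTime issued = DateTime.Now;

        // Persistent ticket: 30 days. Session ticket: the <forms timeout="..">
        // value, which the server enforces even though the browser drops the
        // cookie when it closes.
        DateTime expires = rememberMe
            ? issued.Add(RememberMeLifetime)
            : issued.Add(FormsAuthentication.Timeout);

        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: userName,
            issueDate: issued,
            expiration: expires,
            isPersistent: rememberMe,
            userData: string.Empty,
            cookiePath: FormsAuthentication.FormsCookiePath);

        // Encrypt and MAC the ticket with the machineKey (protection="All") so
        // the client cannot forge a name or extend the expiration.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                          // keep script from reading it
            Secure = FormsAuthentication.RequireSSL,  // HTTPS-only when requireSSL="true"
        };
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;

        // Only the "Remember Me" cookie gets an Expires date; without one the
        // browser treats it as a session cookie and discards it on close.
        if (rememberMe)
            cookie.Expires = expires;

        response.Cookies.Add(cookie);
    }

    // Server-side check: the ticket's own expiration, not the cookie's,
    // decides whether the user is still authenticated.
    public static bool TryGetValidTicket(HttpRequest request, out FormsAuthenticationTicket ticket)
    {
        ticket = null;
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return false;

        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception) // malformed, tampered, or issued under another machineKey
        {
            return false;
        }
        return ticket != null && !ticket.Expired;
    }
}

// Usage from a login page's button handler (control names are assumptions):
//   if (Membership.ValidateUser(txtUser.Text, txtPassword.Text))
//   {
//       RememberMeAuth.SignIn(Response, txtUser.Text, chkRememberMe.Checked);
//       Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUser.Text, false));
//   }
```

For comparison, SetAuthCookie(userName, true) derives the ticket expiration from the same <forms timeout> value and copies it to the cookie's Expires, so with the built-in methods one timeout serves both kinds of login; building the ticket yourself is what lets the "Remember Me" user get 30 days without raising the timeout for everyone. The trade-off is the one raised in the comments above: a 30-day cookie copied off the client is good for 30 days (longer still with slidingExpiration, which renews it on use), so pair it with HTTPS, HttpOnly, and a way to invalidate outstanding tickets server-side, for example a per-user token stored in userData and checked on each request.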
