4

I am using "Remember Me" in my Forms Authentication for my ASP.NET webapp. If I login with valid credentials and select "Remember Me", i can log in and everything is fine. Now if i close the window, open SQL server and change password and then try to open the webapp, it bypasses login process and uses my old cached credentials from "Remember Me" and allows me to log in.

Is that normal behavior? If so, the only thing I can think of is removing "Remember Me" option or using a very short expiration time.

Any suggestions?

Improve this question
4
  • 1
    This post discusses this at length. Commented Jan 30, 2013 at 19:22
  • 1
    Yeah, you should remove that. Users will get really confused when they connect directly to your database via SSMS and change their password and can still log in. :) Commented Jan 30, 2013 at 19:22
  • clear your cookies after you close the window. Commented Jan 30, 2013 at 19:24
  • clearing cookie will work on my computer, but it will still effect other people who use the webapp. Commented Jan 30, 2013 at 20:07

1 Answer 1

Reset to default
1

This is normal. The reason is that in order to remember a user, some form of key needs to be stored on the client machine allowing the login process to be bypassed. Assuming that you are using ASP.NET's integrated membership functionality, you essentially have a unique token stored in the cookie which identifies the user. This has nothing to do with the password, for various good reasons. What this means is that the automatic login is password-independent, so changing it shouldn't logically affect this feature.

If security is a concern you can indeed look at shortening the time span in which the remembering remains valid. Or as you mentioned you can simply eschew this feature altogether if it poses too much of a risk. Password remembering is a common feature implemented on the vast majority of websites, and provided that you are using ASP.NET's integrated membership functionality, your security risks are minimised, but in the end you need to examine your particular case and determine whether this feature makes sense for you.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.