1

I'm trying to implement a 'remember me' functionality on my website to allow the users to remain logged in without having to login again.

I do something like this:

System.Web.Security.FormsAuthentication.SetAuthCookie(userName, true);

I've noticed that the 2nd parameter (createPersistentcookie) is not really persistent as it depends on the timeout value set in the config file.

From what I understand:

if createPersistentcookie=false then the user will automatically be logged out if s/he closes the browser or after x minutes of activity (x being specified in the config file).

if createPersistentcookie=true then the user will NOT be logged out if s/he closes the browser but will still be logged out after x minutes of activity (x being specified in the config file).

Note that in both cases 'x' has the same value and comes from the config file.

What I would like to do is:

-if the visitor doesn't want to stay logged in all the time I would like him to be automatically logged out after 20mn of inactivity of if he closes the browser. To do this I would set createPersistentcookie to false and the timeout value to 20mn.

-if the visitor DOES want to stay logged in all the time I would like him to be automatically logged out only after 7 days of inactivity. Closing the browser won't log him out. To do this I would set createPersistentcookie to true and the timeout value to 7 days.

You see the problem: in one case the timeout is set to 20mn and in the other case the timeout is set to 7 days but in the config file I can only specify 1 value.

Any suggestions?

Improve this question

3 Answers 3

Reset to default
1

The title and first part of the question is in conflict with what you ultimately state as your goal.

To address the first part:

You need to construct the ticket yourself and explicitly set the expiration on the COOKIE the same as the timeout and then set the cookie.

This is easier said than done, because MS in it's infinite wisdom does not expose the timeout property of the formsauthentication element. There is a pretty simple workaround.

See the code in this answer to see what is required to create persistent tickets.

In conclusion: You are not doing anything wrong, the createPersistentCookie functionality is broken but can be worked around.

To address your stated goal:

There is really no clean way to do this using FormsAuthentication. Any attempt to do so would result in brittle hacks around a well designed, secure system that is dead simple to implement and leverage. If you attempt this with forms auth you will find yourself chasing ghosts.

good luck.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

You can set expiration time programmicaly. Authentication cookie can be decrypted to FormsAuthenticationTicket using FormsAuthentication.Decrypt(). Then you can re-create the ticket by setting expiration time.

Improve this answer

Comments

0

createPersistentcookie means whether cookie will be destroyed when user closes browser or not. You can specify very long lifetime and persistent cookie for remembering the user

Improve this answer

1 Comment

I understand this but it doesn't answer the question: if you specify a very long lifetime then ALL the users will be affected by this even those who don't want to stay logged in. Imagine someone leaves his browser opened, leaves his desk and come back 4 hours later. He will still be logged in even if createPersistentcookie=false.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.