
Remember Login doesn't work

description

If you select the "Remember Login" checkbox during the log-on procedure, it doesn't remember...
 
When I close my browser or simply wait about 30 minutes, my session seems to be gone and I have to log in again.
 
I'm using:
  • dasBlog version 2.1.8102.813 on Win 2003 R2
  • Internet Explorer 7.0 (with IEPro v2.1)
  • Voidclass theme

comments

timgaunt wrote Feb 2, 2009 at 6:14 PM

I've fixed this on my local copy. You'll need to update LoginBox.ascx.cs line 157 and change it from:

        FormsAuthentication.SetAuthCookie(userName, rememberCheckbox.Checked);

to:

        if (rememberCheckbox.Checked)
        {
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddYears(50), true, "", FormsAuthentication.FormsCookiePath);
            string ticketEncrypted = FormsAuthentication.Encrypt(ticket);

            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, ticketEncrypted)
                {
                    HttpOnly = true,
                    Path = FormsAuthentication.FormsCookiePath,
                    Secure = FormsAuthentication.RequireSSL,
                    Expires = ticket.Expiration
                };

            Response.Cookies.Clear();
            Response.Cookies.Add(cookie);
        }
        else
        {
            FormsAuthentication.SetAuthCookie(userName, rememberCheckbox.Checked);
        }

This works around the known "remember me" cookie issues.

Tim

klabran wrote May 22, 2010 at 7:04 PM

This was a change from 1.1 to 2.0 of .NET. MS considered creating a cookie of 50 years to be a security risk. This is what happened for you in 1.1 when selecting the remember me checkbox. In 2.0 the NEW default is to set it to whatever your timeout setting is in the forms tag in your web.config OR the default of 30 minutes. You can fix this by changing your forms tag timeout value to something large. For example,

<forms name=".DASBLOGAUTH" protection="All" timeout="129600" path="/" cookieless="UseCookies" />

will set the cookie to last 3 months. If you check remember me in this setup, your cookie will last 3 months.
You can also set sliding expiration to true, which will update the cookie to a new 3 month window every time you log in...

<forms name=".DASBLOGAUTH" protection="All" timeout="129600" slidingExpiration="true" path="/" cookieless="UseCookies" />

Tim's code will work also but the above scenario according to MS is more secure and you can change this without any code updating & recompiling.
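
An added example, not code from this thread or from dasBlog: a small Python check that reads the <forms> element discussed above out of a web.config and reports how long a "Remember Login" ticket would live, along with cookie settings worth reviewing. The 90-day ceiling, the wrap helper and the sample configs (including the 50-year timeout value) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_TIMEOUT_MIN = 30   # default cited in the thread when timeout is absent
MAX_DAYS = 90              # assumed policy ceiling, not an ASP.NET value

def audit_forms(web_config_xml, max_days=MAX_DAYS):
    """Return (lifetime_days, findings) for the <forms> element."""
    root = ET.fromstring(web_config_xml)
    # Match on local name so a namespaced <configuration> still works.
    forms = next((e for e in root.iter()
                  if e.tag.rsplit("}", 1)[-1] == "forms"), None)
    if forms is None:
        return None, ["no <forms> element found"]
    raw = forms.get("timeout", str(DEFAULT_TIMEOUT_MIN))
    try:
        minutes = int(raw)
    except ValueError:
        return None, ["timeout is not an integer: %r" % raw]
    days = minutes / 1440.0
    findings = []
    if days > max_days:
        findings.append("ticket lifetime %.0f days exceeds %d" % (days, max_days))
    if forms.get("slidingExpiration", "").lower() == "true":
        findings.append("slidingExpiration=true: lifetime renews while the "
                        "site is in use, so an active session never ages out")
    if forms.get("requireSSL", "").lower() != "true":
        findings.append("requireSSL is not true: cookie may travel over HTTP")
    if forms.get("protection", "All") != "All":
        findings.append("protection is not All: ticket loses encryption "
                        "or validation")
    return days, findings

def wrap(forms_tag):
    """Hypothetical helper: embed a <forms> tag in a minimal web.config."""
    return ("<configuration><system.web><authentication mode='Forms'>"
            + forms_tag + "</authentication></system.web></configuration>")

# Constructed samples: the first two use the <forms> tags from the thread.
THREE_MONTHS = wrap('<forms name=".DASBLOGAUTH" protection="All" '
                    'timeout="129600" path="/" cookieless="UseCookies" />')
SLIDING = wrap('<forms name=".DASBLOGAUTH" protection="All" timeout="129600" '
               'slidingExpiration="true" path="/" cookieless="UseCookies" />')
FIFTY_YEARS = wrap('<forms name=".DASBLOGAUTH" timeout="26280000" '
                   'requireSSL="true" />')

if __name__ == "__main__":
    for label, cfg in [("3 months", THREE_MONTHS), ("sliding", SLIDING),
                       ("50 years", FIFTY_YEARS)]:
        print(label, audit_forms(cfg))
```

Attribute names are matched with the exact casing used in the thread's config, since web.config attribute names are case-sensitive.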
