Click here to Skip to main content
Click here to Skip to main content

Remember Me

, 29 May 2014 GPL3
Rate this:
Please Sign up or sign in to vote.
Deep dive into cookies generation to support Remember Me at login

Introduction

There are 2 timeout values in the web.config file that are important for making the "Remember Me" functionality.

The first one is the FormsAuthentication.Timeout. This timeout is used to set expiration timestamp of the .ASPXAUTH cookie.

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>

The second one is the HttpSessionState.Timeout. This timeout is kept in the session manager or SQL table depending on which mode is configured.

 <configuration>
  <system.web>
    <sessionState 
      mode="InProc"
      cookieless="true"
      timeout="30" />
  </system.web>
</configuration> 

When a user visits the login page for the very first time, ASP.NET creates the ASP.NET_SessionId cookie.

If a cookie has expiration timestamp "Session", that cookie is stored only in the memory of the browser as described on MSDN about Writing Cookies.

If you do not set the cookie's expiration, the cookie is created but it is not stored on the user's hard disk. Instead, the cookie is maintained as part of the user's session information. When the user closes the browser or if the session times out, the cookie is discarded. A non-persistent cookie like this is handy for information that needs to be stored for only a short time or that for security reasons should not be written to disk on the client computer. For example, non-persistent cookies are useful if the user is working on a public computer, where you do not want to write the cookie to disk.

The ASP.NET_SessionId cookie is used by ASP.NET to map subsequent HTTP requests to the same HttpContext.Session object on the server side. Indeed, this cookie is discarded and re-created for every HTTP request in Cookieless Sessions mode.

When the cookieless attribute setting is false, the session-state module actually creates a cookie named ASP.NET_SessionId and stores the session ID in it...
A session cookie is given a very short expiration term and is renewed at the end of each successful request.

However, I could not confirm that this behavior still holds. In other words, the exact same cookie is re-used for every HTTP requests. A much more important point is that developers have no access to this cookie from C#. This means the "Remember Me" button on login page goes to another cookie.

And that is the .ASPXAUTH cookie.

When "Remember Me" option is selected, the .ASPXAUTH cookie will have an expiration timestamp explicitly set.

If a user selects "Remember Me" option, then leave the system for an extended period of time. When he or she gets back to the system, the .ASPXAUTH cookie will NOT resume a previous session. Instead, a new session is created as if the user has put in the correct username and password again.

The "Remember Me" functionality provided by Microsoft will not be adaquate if the application needs to do more than matching username and password. For example: a multi tenant application needs the user to identify the client, database or table to log in. In this case, the application has to put extra information into the .ASPXAUTH cookie.

If you need to put extra information into this cookie, you need to take the following steps:

  1. When you serve the login page, try to read the the .ASPXAUTH cookie. If the extra information could be read from the cookie, you can redirect the user away from login page to home page or other pages.
  2. When the user submits login information, you need to put the extra information into the FormsAuthenticationTicket. See how to Add Custom Info to Authentication Cookies.

The login flow:

--------------------------------------------------------------------------------
Additional works are published on my blog http://believeblog.azurewebsites.net/.

License

This article, along with any associated source code and files, is licensed under The GNU General Public License (GPLv3)

Share

About the Author

Thang Believe

United States United States
http://believeblog.azurewebsites.net/

Comments and Discussions

 
SuggestionNot an article PinmemberShahriar Hossain30-May-14 20:04 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web04 | 2.8.141223.1 | Last Updated 30 May 2014
Article Copyright 2014 by Thang Believe
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid