Click here to Skip to main content
15,881,424 members
Search within:


how to implement remember me in Login screen of MVC 4 application
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
C#
.NET
MVC
Hi,
I have written the following code, I do not know what is the best way to get the user name and password retrieved the next time the user logs in.
Below is the action i call when user submits the user id and password:

SQL
[ValidateAntiForgeryToken]
        [HttpPost]
        [AllowAnonymous]
        public ActionResult Login(Login loginUser,string ReturnUrl = "")
        {
            ViewBag.loginErrorMsg = string.Empty;
            #region Style 1
            if (ModelState.IsValid)
            {
                if (loginUser.Username != null && IsAuthenticated(loginUser))
                {
                    var authTicket = new FormsAuthenticationTicket(
                                                  1,
                                                  loginUser.Username,  //user id
                                                  DateTime.Now,
                                                  DateTime.Now.AddMinutes(20),  // expiry
                                                  loginUser.RemeberMe,  //true to remember
                                                  "", //roles 
                                                  "/"
                                                );

                    //encrypt the ticket and add it to a cookie
                    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
                    Response.Cookies.Add(cookie);
                    FormsAuthentication.RedirectFromLoginPage(loginUser.Username, false);
                }
                else
                {
                    ViewBag.loginErrorMsg = Constants.LoginErrMsg;
                }
            }
            #endregion

            ModelState.Remove("Password");
            return View();
        }


Although i tried various ways to retrieve the password they did not help.
The code at the Login view action is simple as of now:

SQL
[AllowAnonymous]
      public ActionResult Login()
      {
          return View("Login");
      }



I am not getting the password in the action Login(). Please let me know how can i retrieve the saved password in case the user checked in remember me in his previous login.
[^]
Posted
Updated 6-Oct-15 1:32am
v2
Add a Solution
Comments
John C Rayan 6-Oct-15 7:43am    
Are you sure about this code? IsAuthenticated(loginUser).
Shouldn't be !IsAuthenticated(loginUser)
tewari.nivedita@gmail.com 6-Oct-15 9:32am    
IsAuthenticated is good. Cookie is created only when user is a valid user only.
therefore if (loginUser.Username != null && IsAuthenticated(loginUser))
IsAuthenticated(loginUser) - true for valid users
Sinisa Hajnal 6-Oct-15 7:54am    
Is cookie created?
Does it contain the ticket?
Can you read the cookie on next login?
Is the ticket still valid?
tewari.nivedita@gmail.com 6-Oct-15 9:33am    
Cookie is created and encrypted also. I can't read the cookie at next login. I don't think the ticket is valid till next login.

1 solution

If you're going to manually create the authentication cookie, then you need to make sure it's set to "HTTP only". This ensures that the cookie cannot be stolen via a Cross-Site Scripting vulnerability.

If you want the user to be remembered, then simply increase the duration of the authentication ticket:
C#
DateTime utcNow = DateTime.UtcNow;

DateTime utcExpires = loginUser.RemeberMe 
    ? utcNow.AddDays(5) 
    : utcNow.AddMinutes(20);

var authTicket = new FormsAuthenticationTicket(
    2,
    loginUser.Username,
    utcNow,
    utcExpires,
    loginUser.RemeberMe,
    string.Empty,
    "/"
);

HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
cookie.HttpOnly = true;

if (loginUser.RemeberMe)
{
    cookie.Expires = authTicket.Expiration;
}

Response.Cookies.Add(cookie);

Attempting to "remember" the user's password is an extremely bad idea, and will lead to serious security vulnerabilities in your application.

How to build (and how not to build) a secure "remember me" feature | Troy Hunt[^]
 
Share this answer
 
Posted
Comments
tewari.nivedita@gmail.com 6-Oct-15 9:57am    
Thanks Richard, i don't want to built it in this way in case it is a threat. Please could you suggest me a better way in which i can give the remember me option in a secure way to my MVC application?
Richard Deeming 6-Oct-15 10:02am    
Yes - read this[^].

Then read this[^].

What you are asking for is going to be a much bigger security vulnerability than extending the duration of the authentication ticket, however you implement it.
tewari.nivedita@gmail.com 7-Oct-15 4:45am    
hi Richard, I tried the above but i was not able to keep the cookie session after Logout. Anyways i am not going to use remember me feature so not really an issue.
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
How to implement login mechanism in mvc?
Does anyone know how to implement remember me in ASP.NET MVC in a login view?
How to implement remember me fucntionality in Windows application
Implement LDAP in ASP.net (C#) MVC
Implement Own Login Process with MVC 3
implementing 'remember password' concept without using login control in aasp.net
login screen creation
Remember me option in Login Page
How to implement i remember password
How do i implement facebook login from my website in mvc c# .net?

Advertise
Privacy
Cookies
Terms of Use
Last Updated 6 Oct 2015
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web03 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900