Friday, March 16, 2012

Persistent Cookie not working

I want my site to remember users when they come back without requiring
them to login again (assuming they checked "remember me" on the login
control).

I've tried increasing the timeouts to 3000000+ but it still requires
users to login if the session times out (roughly 30 minutes or so).

What am I missing? Thanks!

I do have web.configs to protect the "secure" directories:
<system.web>
<authorization>
<allow roles="Administrators" />
<deny roles="Users" />
<deny users="?" />
</authorization>
</system.web
Here is the relevent site web.config section:

<authentication mode="Forms">
<forms loginUrl="main/Login.aspx" defaultUrl="main/Login.aspx"
cookieless="UseCookies" timeout="5000000" />
</authentication>
<membership defaultProvider="CrossroadsMembershipSqlProvider" >
<providers>
<add name="CrossroadsMembershipSqlProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSqlServer" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="false"
applicationName="Crossroads" requiresUniqueEmail="true"
passwordFormat="Clear" minRequiredPasswordLength="5"
minRequiredNonalphanumericCharacters="0"/>
</providers>
</membership>
<roleManager enabled="true" cacheRolesInCookie="true"
defaultProvider="CrossroadsRoleManagerSqlProvider"
cookieName=".ASPXROLES" cookiePath="/" cookieTimeout="300000000"
cookieRequireSSL="false" cookieSlidingExpiration="true"
createPersistentCookie="true" cookieProtection="All" >
<providers>
<add name="CrossroadsRoleManagerSqlProvider"
type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSqlServer" applicationName="Crossroads"/>
</providers>
</roleManagerA discussion i did lately, a session has nearly nothing to do with
authentication.
Especially when used with persistant cookies.
It's likely you made a flaw by making the user depending on some dumb
session variable.
Whenit expires you could follow the global.asax events to track if indeed
the authentication is still valid..

In some cases the session is (imo mis-) used to hold a non-persistant user
(cookieless or similar).
So in that case authentication is depending on the session-id.

<jrhea2006@.kellogg.northwestern.edu> schreef in bericht
news:1140218394.253371.152540@.o13g2000cwo.googlegr oups.com...
>I want my site to remember users when they come back without requiring
> them to login again (assuming they checked "remember me" on the login
> control).
> I've tried increasing the timeouts to 3000000+ but it still requires
> users to login if the session times out (roughly 30 minutes or so).
> What am I missing? Thanks!
> I do have web.configs to protect the "secure" directories:
> <system.web>
> <authorization>
> <allow roles="Administrators" />
> <deny roles="Users" />
> <deny users="?" />
> </authorization>
> </system.web>
> Here is the relevent site web.config section:
> <authentication mode="Forms">
> <forms loginUrl="main/Login.aspx" defaultUrl="main/Login.aspx"
> cookieless="UseCookies" timeout="5000000" />
> </authentication>
> <membership defaultProvider="CrossroadsMembershipSqlProvider" >
> <providers>
> <add name="CrossroadsMembershipSqlProvider"
> type="System.Web.Security.SqlMembershipProvider, System.Web,
> Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
> connectionStringName="LocalSqlServer" enablePasswordRetrieval="false"
> enablePasswordReset="true" requiresQuestionAndAnswer="false"
> applicationName="Crossroads" requiresUniqueEmail="true"
> passwordFormat="Clear" minRequiredPasswordLength="5"
> minRequiredNonalphanumericCharacters="0"/>
> </providers>
> </membership>
> <roleManager enabled="true" cacheRolesInCookie="true"
> defaultProvider="CrossroadsRoleManagerSqlProvider"
> cookieName=".ASPXROLES" cookiePath="/" cookieTimeout="300000000"
> cookieRequireSSL="false" cookieSlidingExpiration="true"
> createPersistentCookie="true" cookieProtection="All" >
> <providers>
> <add name="CrossroadsRoleManagerSqlProvider"
> type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0,
> Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
> connectionStringName="LocalSqlServer" applicationName="Crossroads"/>
> </providers>
> </roleManager
HOW annoying, MULTIPOST with all the news group resolve errors i get!

<jrhea2006@.kellogg.northwestern.edu> schreef in bericht
news:1140218394.253371.152540@.o13g2000cwo.googlegr oups.com...
>I want my site to remember users when they come back without requiring
> them to login again (assuming they checked "remember me" on the login
> control).
> I've tried increasing the timeouts to 3000000+ but it still requires
> users to login if the session times out (roughly 30 minutes or so).
> What am I missing? Thanks!
> I do have web.configs to protect the "secure" directories:
> <system.web>
> <authorization>
> <allow roles="Administrators" />
> <deny roles="Users" />
> <deny users="?" />
> </authorization>
> </system.web>
> Here is the relevent site web.config section:
> <authentication mode="Forms">
> <forms loginUrl="main/Login.aspx" defaultUrl="main/Login.aspx"
> cookieless="UseCookies" timeout="5000000" />
> </authentication>
> <membership defaultProvider="CrossroadsMembershipSqlProvider" >
> <providers>
> <add name="CrossroadsMembershipSqlProvider"
> type="System.Web.Security.SqlMembershipProvider, System.Web,
> Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
> connectionStringName="LocalSqlServer" enablePasswordRetrieval="false"
> enablePasswordReset="true" requiresQuestionAndAnswer="false"
> applicationName="Crossroads" requiresUniqueEmail="true"
> passwordFormat="Clear" minRequiredPasswordLength="5"
> minRequiredNonalphanumericCharacters="0"/>
> </providers>
> </membership>
> <roleManager enabled="true" cacheRolesInCookie="true"
> defaultProvider="CrossroadsRoleManagerSqlProvider"
> cookieName=".ASPXROLES" cookiePath="/" cookieTimeout="300000000"
> cookieRequireSSL="false" cookieSlidingExpiration="true"
> createPersistentCookie="true" cookieProtection="All" >
> <providers>
> <add name="CrossroadsRoleManagerSqlProvider"
> type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0,
> Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
> connectionStringName="LocalSqlServer" applicationName="Crossroads"/>
> </providers>
> </roleManager
Thanks Edwin - great value add there.

I posted to the security thread and then in looking through the group
didn't see a lot of traffic so I thought I'd try my hand at the regular
aspnet group.

Is that OK or do I still get 20 lashes with a wet noodle?
>..or do I still get 20 lashes with a wet noodle?

Hmm, haven't thought about your punishment yet, but i expect i can have some
lashes myself so now and then :D

:)

<jrhea2006@.kellogg.northwestern.edu> schreef in bericht
news:1140272892.935793.9000@.z14g2000cwz.googlegrou ps.com...
> Thanks Edwin - great value add there.
> I posted to the security thread and then in looking through the group
> didn't see a lot of traffic so I thought I'd try my hand at the regular
> aspnet group.
> Is that OK or do I still get 20 lashes with a wet noodle?
Oops again!
That makes 40 lashes !

<jrhea2006@.kellogg.northwestern.edu> schreef in bericht
news:1140272892.935793.9000@.z14g2000cwz.googlegrou ps.com...
> Thanks Edwin - great value add there.
> I posted to the security thread and then in looking through the group
> didn't see a lot of traffic so I thought I'd try my hand at the regular
> aspnet group.
> Is that OK or do I still get 20 lashes with a wet noodle?

Posted by gouachemqwp at 5:45 AM
Labels: , , , , , , , , , ,

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)