Login Mechanism

Jul 23, 2012 at 10:54 AM

Hi guys, I was curious how the login system works and looked at the code. As far as I can understand, "Remember me" when set to false basically makes the cookie session-bound.

Doesn't this mean that the cookie should no longer work when I close and open the browser? It still does on mine.

 

Thanks!

Coordinator
Jul 23, 2012 at 3:12 PM

Cookie is not bound to session in any way, it is based on timeout set for forms authentication in the web.config. Restarting browser does not clear cookies, you need to specifically delete them (slightly different process for each browser).

Jul 23, 2012 at 5:04 PM
rtur wrote:

Cookie is not bound to session in any way, it is based on timeout set for forms authentication in the web.config. Restarting browser does not clear cookies, you need to specifically delete them (slightly different process for each browser).

Not sure what you mean, but I think FormsAuthentication can be made to be bound to a session. As in when you close the browser and open it again the cookie is no longer valid. I looked at the code and that's the only thing the "remember me" checkbox changes. It makes the ticket persistent or not.

Coordinator
Jul 23, 2012 at 5:29 PM

Misunderstood your question, I thought you were asking for how long login should be valid when "remember me" is checked. Yes, if not checked it should be only valid for the duration of the session (code below). Not sure why it doesn't for you, to me if I close the browser without ticking the "remember" box it is gone and I have to log in again.

// setting a custom cookie name based on the current blog instance.
// if !rememberMe, set expires to DateTime.MinValue which makes the
// cookie a browser-session cookie expiring when the browser is closed.
HttpCookie cookie = new HttpCookie(FormsAuthCookieName, encryptedTicket);
cookie.Expires = rememberMe ? expirationDate : DateTime.MinValue;
cookie.HttpOnly = true;
context.Response.Cookies.Set(cookie);

Jul 24, 2012 at 7:52 AM

I think I figured out why. When I close Firefox I always leave some tabs open, so next time it starts it restores the session. I think this also keeps the same session ID so the cookie keeps working. It works fine on IE.

I may change the code so "remember me" simply increases/decreases the cookie duration. I never really liked this session stuff.
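
The thread's finding is that a browser restoring its session can keep a "session" cookie alive, so the only lifetime the server controls is the expiration inside the encrypted ticket. The sketch below is an added example, not code from the thread or the project: it ties a short ticket lifetime to an unchecked "remember me" and checks the ticket itself on the way back in. `AuthCookieIssuer`, `ShortLogin`, `LongLogin` and the two durations are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (hypothetical class and lifetimes, not the project's code).
public static class AuthCookieIssuer
{
    // Assumed lifetimes; choose values that fit the site.
    private static readonly TimeSpan ShortLogin = TimeSpan.FromMinutes(30);
    private static readonly TimeSpan LongLogin = TimeSpan.FromDays(14);

    public static HttpCookie Issue(string userName, bool rememberMe, string cookieName)
    {
        DateTime now = DateTime.Now;
        // The ticket expiration is enforced by the server, whatever the
        // browser does with the cookie after a restart or session restore.
        DateTime ticketExpires = now.Add(rememberMe ? LongLogin : ShortLogin);

        var ticket = new FormsAuthenticationTicket(
            1, userName, now, ticketExpires, rememberMe,
            string.Empty, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(cookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        // DateTime.MinValue emits no expiry attribute: a browser-session cookie.
        cookie.Expires = rememberMe ? ticketExpires : DateTime.MinValue;
        return cookie;
    }

    // Accept the cookie only while the ticket inside it is unexpired.
    public static bool IsStillValid(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return false;
        }
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return ticket != null && !ticket.Expired;
        }
        catch (ArgumentException) { return false; } // malformed ticket value
        catch (HttpException) { return false; }     // ticket failed validation
    }
}
```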