How do I keep a user logged in for 2 weeks?

Hi

I am using asp.net mvc with asp.net membership.

I want to have a checkbox that, if clicked, keeps the user signed in for 2 weeks (unless they clear their cookies).

So I know there is

FormsAuthentication.SetAuthCookie(userName, createPersistentCookie)

but I don’t know how to set it up for 2week retention.

I rewrote most of the membership stuff. So I don’t use stuff like Create() and VerifyUser().

Answers:


Method 1

Add a hash key or a random string to both the cookie and the database (both the same key). If the cookie and database value are the same, when the user starts a new session, sign him/her in again. When the user reaches the two weeks, remove the secret key from the database using a cronjob (Unix) or scheduled task (Windows).

Warning: Do not rely on the cookie expire date, since people can hack their browser.
Rule: NEVER, EVER trust ANY of your users!

Method 2

You can set the global session timeout (the value is in minutes) in web.config, e.g.:

<system.web>
    <authentication mode="Forms">
          <forms timeout="20160"/>
    </authentication>
</system.web>

This will be for all authenticated users. If you want to use the ‘Remember Me’ functionality then you will need to write your own code to set the cookie/ticket. Something like this (taken from here):

protected void Page_Load()
{
    if (Request.Cookies["username"] == null || Request.Cookies["username"].Value.ToString().Trim() == "")
    {
        Login1.RememberMeSet = true; 
    }
    else
    {
        Login1.UserName = Request.Cookies["username"].Value.ToString().Trim();
        Login1.RememberMeSet = true; 
    }
}
protected void RememberUserLogin()
{
    // Check the remember option for login

    if (Login1.RememberMeSet == true)
    {
        HttpCookie cookie = new HttpCookie("username");
        cookie.Value = Login1.UserName.Trim(); 
        cookie.Expires = DateTime.Now.AddHours(2);

        HttpContext.Current.Response.AppendCookie(cookie);
        Login1.RememberMeSet = true; 

    }
    else if (Login1.RememberMeSet == false)
    {
        HttpContext.Current.Response.Cookies.Remove("username");
        Response.Cookies["username"].Expires = DateTime.Now;
        Login1.RememberMeSet = false; 
    }

}

Method 3

Just use a simple cookie with 2 weeks expiration date.

Method 4

Have you seen this?

http://forums.asp.net/t/1440824.aspx

Along similar lines to what Koning has suggested.

Method 5

You cannot use a session method to keep your users logged in, since browsers delete the session cookies when the browser is closed.

Do what user142019 offered and set the session’s IdleTimeout parameter very short, up to 15 min. When the server receives any request from the browser, first check whether the session is alive. If not, try to get the cookie. If the cookie and database value are the same and not expired, assign it to the (new) session and return the response.

You can use an onBeforeUnload listener to send a logout request when the user leaves your site. If logged out, delete the cookie and the db record; if not, assign a new hash for the next auto login and refresh that hash again when the user returns to your website. You can also keep track of IP and the browser and link them to the hash in your db.
So, if the cookie is used with another browser or IP and the hash code is valid, you can force them to log in again.
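
The token scheme described in Methods 1 and 5, sketched as an added example that is not part of the original answers. `RememberMeStore`, `Issue` and `Redeem` are hypothetical names, the in-memory dictionary stands in for the database table, and keeping only a SHA-256 hash of the token on the server is a choice made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the page); the dictionary stands in for the database table.
public class RememberMeStore
{
    private class Entry { public string UserName; public DateTime ExpiresUtc; }
    private static readonly TimeSpan Lifetime = TimeSpan.FromDays(14);
    private readonly Dictionary<string, Entry> _byTokenHash = new Dictionary<string, Entry>();

    // Called after a password login with "remember me" ticked; the result goes in the cookie.
    public string Issue(string userName, DateTime nowUtc) { return Store(userName, nowUtc + Lifetime); }

    // Returns (user name, replacement token), or null if the token is unknown, used or expired.
    public Tuple<string, string> Redeem(string token, DateTime nowUtc)
    {
        Entry entry;
        if (string.IsNullOrEmpty(token) || !_byTokenHash.TryGetValue(Hash(token), out entry)) return null;
        _byTokenHash.Remove(Hash(token));               // each token is accepted once
        if (entry.ExpiresUtc <= nowUtc) return null;    // expiry is checked on the server
        return Tuple.Create(entry.UserName, Store(entry.UserName, entry.ExpiresUtc)); // same deadline
    }

    private string Store(string userName, DateTime expiresUtc)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        _byTokenHash[Hash(token)] = new Entry { UserName = userName, ExpiresUtc = expiresUtc };
        return token;   // only the SHA-256 hash is kept server-side
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    public static void Main()
    {
        var store = new RememberMeStore();
        var t0 = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);   // constructed clock value
        string cookie = store.Issue("alice", t0);
        var first = store.Redeem(cookie, t0.AddDays(3));
        Console.WriteLine(first.Item1);                                        // signed in again
        Console.WriteLine(store.Redeem(cookie, t0.AddDays(3)) == null);        // replayed old token
        Console.WriteLine(store.Redeem(first.Item2, t0.AddDays(15)) == null);  // past two weeks
    }
}
```

In an MVC application the token returned by `Issue` or `Redeem` would be written to an HttpOnly, Secure cookie, and the replacement token keeps the original two-week deadline rather than extending it.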


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
