Members "remember me"-checkbox: Authorization cookie and expiration
Anyone who has a solution for a good "remember me" feature ("Husk meg" in this picture) in the member section in Umbraco, for example a year or always logged in?
Does the feature need to be programmed, or are there just some simple web.config settings (or something similar) that have to be made?
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
if I change the name from FormsAuthentication.FormsCookieName to Username
HttpCookie cookie = new HttpCookie(Username, encrypted);
but then the expiry timer in the cookie doesn't work at all, so how can I delete the cookie with the name FormsAuthentication.FormsCookieName instead of Username?
In web.config you can set the timeout property for forms authentication, which configures how long the cookie is set for eg. for 30 days
<authentication mode="Forms">
    <!-- the timeout period is how long (in minutes) the persistent cookie is set when "remember me" is checked (43200 mins = 30 days) -->
    <forms name="yourAuthCookie" loginUrl="/login/" protection="All" path="/" timeout="43200" />
</authentication>
Thanks, but I want two different times, for example one hour if the member has not checked "Remember me" and 30 days if the member has checked "Remember me", and immediately logged out with a logout button, so in this case, web.config isn't enough?
The timeout value is for the time set in the persistent cookie only for people who have ticked "remember me".
People who don't tick that will get a temporary session cookie. The timeout of that is governed by the sessionState timeout parameter in web.config eg. for 20 mins.
I've been thinking about that too, so I'll try a little, but I think I'll still have a challenge if a member presses "remember me" and, after logging in, presses the button to eliminate the cookie immediately. Until now, User.Identity.IsAuthenticated has always been true, even after
Session state is how long the session lasts (ie. how long an idle user who doesn't refresh his browser is logged in for).
userIsOnlineTimeWindow is used by providers to determine whether a member is online - it's basically when their last activity was plus a window. How this is determined is up to the provider. It has no bearing on log ins. It's more for calculating stuff like "how many users are currently using the app" etc.
The solution was surprisingly simple. I discovered that I don't need to create a new myMemberAuthCookie (named from web.config, original named yourAuthCookie), since it's automatically created when I log in, so goodbye to double myMemberAuthCookie, which was the problem when trying to delete the cookie, and all I had to do when logging in, was this (Fiddler was an invaluable help in this process):
if (Members.Login(model.Username, model.Password))
{
    // Without "remember me": cookie expires after 2 hours
    if (!model.RememberMe && Response.Cookies[FormsAuthentication.FormsCookieName] != null)
        Response.Cookies[FormsAuthentication.FormsCookieName].Expires = DateTime.Now.AddMinutes(120);
    // With "remember me": cookie expires after 30 days (43200 minutes)
    if (model.RememberMe && Response.Cookies[FormsAuthentication.FormsCookieName] != null)
        Response.Cookies[FormsAuthentication.FormsCookieName].Expires = DateTime.Now.AddMinutes(43200);
    return Redirect("/member-site");
}
And the only thing I need when I log out, is this:
Members.Logout();
return Redirect("/logg-inn"); // to home or whatever suits you best
1 - Log in without "remember me" checked: Stay logged in for 2 hours (myMemberAuthCookie deleted)
2 - Log in with "remember me" checked: Stay logged in for 1 month (myMemberAuthCookie deleted)
3 - Immediately quits and myMemberAuthCookie is deleted when logging out
Please comment on any issues with this method, such as performance.
This should be a part of Umbraco's documentation, I think.
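An added example (not code from the thread or from Umbraco) of issuing the forms-authentication ticket explicitly, so that the expiration stored inside the encrypted ticket matches the cookie lifetime. Changing only Expires on the response cookie controls how long the browser keeps the cookie, while the server accepts the ticket until the expiration embedded in it, which comes from the web.config timeout. AuthCookieHelper, IssueTicket and SignOut are hypothetical names; the two lifetimes are the ones used in the thread.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; AuthCookieHelper and its members are hypothetical names.
public static class AuthCookieHelper
{
    // Lifetimes from the thread: 2 hours without "remember me", 30 days with it.
    private static readonly TimeSpan ShortLifetime = TimeSpan.FromMinutes(120);
    private static readonly TimeSpan RememberLifetime = TimeSpan.FromMinutes(43200);

    // Call only after the member's credentials have been validated.
    public static void IssueTicket(HttpResponseBase response, string username, bool rememberMe)
    {
        DateTime now = DateTime.Now;
        DateTime expires = now.Add(rememberMe ? RememberLifetime : ShortLifetime);

        // The expiration lives inside the encrypted ticket, so the server rejects
        // the ticket after this time even if the cookie value was copied elsewhere.
        var ticket = new FormsAuthenticationTicket(
            1, username, now, expires, rememberMe, string.Empty,
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;

        // Persistent cookie only for "remember me"; otherwise Expires stays unset
        // and the browser drops the cookie when it closes.
        if (rememberMe)
            cookie.Expires = expires;

        // Set replaces a cookie of the same name already on the response instead
        // of adding a second one (the duplicate-cookie problem from the thread).
        response.Cookies.Set(cookie);
    }

    public static void SignOut()
    {
        // Sends an already-expired cookie with the configured name, path and domain.
        FormsAuthentication.SignOut();
    }
}
```

FormsAuthentication.SignOut only clears the cookie in the browser; a copy of the ticket stays valid until its embedded expiration, which is why the short lifetime belongs in the ticket and not just on the cookie.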
When I log in, in my surfacecontroller:
And my method:
I will not be logged in for a year as planned - the cookie isn't persistent. Someone who sees the reason for the error?
I have added domain in web.config, and it worked:
My method (createPersistentCookie is true/false from my "remember me" checkbox):
But now I wonder how I can quit the cookie immediately upon logout. This isn't enough - cookie expiration is still active:
Are there errors in the code, or are there other settings I should set?
I can delete the cookie (when I log out) if I change the name from FormsAuthentication.FormsCookieName to Username, but then the expiry timer in the cookie doesn't work at all, so how can I delete the cookie with the name FormsAuthentication.FormsCookieName instead of Username? Should I use Javascript to delete the cookie?
In web.config you can set the timeout property for forms authentication, which configures how long the cookie is set for eg. for 30 days
Thanks, but I want two different times, for example one hour if the member has not checked "Remember me" and 30 days if the member has checked "Remember me", and immediately logged out with a logout button, so in this case, web.config isn't enough?
Yes, it should be.
The timeout value is for the time set in the persistent cookie only for people who have ticked "remember me".
People who don't tick that will get a temporary session cookie. The timeout of that is governed by the sessionState timeout parameter in web.config eg. for 20 mins.
I've been thinking about that too, so I'll try a little, but I think I'll still have a challenge if a member presses "remember me" and, after logging in, presses the button to eliminate the cookie immediately. Until now, User.Identity.IsAuthenticated has always been true, even after
I'll keep trying, but I will still receive tips if you know this issue..
BTW: What's the difference between
and
Session state is how long the session lasts (ie. how long an idle user who doesn't refresh his browser is logged in for).
userIsOnlineTimeWindow is used by providers to determine whether a member is online - it's basically when their last activity was plus a window. How this is determined is up to the provider. It has no bearing on log ins. It's more for calculating stuff like "how many users are currently using the app" etc.
https://msdn.microsoft.com/en-us/library/system.web.security.membership.userisonlinetimewindow.aspx
The solution:
The solution was surprisingly simple. I discovered that I don't need to create a new myMemberAuthCookie (named from web.config, original named yourAuthCookie), since it's automatically created when I log in, so goodbye to double myMemberAuthCookie, which was the problem when trying to delete the cookie, and all I had to do when logging in, was this (Fiddler was an invaluable help in this process):
And the only thing I need when I log out, is this:
And the web.config:
So now it works with three options as planned:
Please comment on any issues with this method, such as performance.
This should be a part of Umbraco's documentation, I think.
Hi Tom,
Thanks for the detailed instructions.
Do I have to create my own model/controller to realize this or could it be implemented in the built-in loginModel/UmbLoginController?
Edgar
Sorry, didn't see this before now.
You must have some more fields, so I created an extended login model with inheritance like this:
I have made my own controller. I don't know about UmbLoginController.