
  • Tom Engan 430 posts 1173 karma points
    Dec 28, 2017 @ 13:22
    Tom Engan
    0

    Members "remember me"-checkbox: Authorization cookie and expiration

    Does anyone have a solution for a good "remember me" feature ("Husk meg" in this picture) in the member section in Umbraco, for example a year or always logged in?

    Does the feature need to be programmed, or are there just some simple web.config settings (or something similar) that have to be set?

  • Tom Engan 430 posts 1173 karma points
    Jan 01, 2018 @ 16:05
    Tom Engan
    0

    When I log in, in my surfacecontroller:

    if (Members.Login(model.Username, model.Password))
    {
        SetCookie(model.Username, model.RememberMe);
        return Redirect("/member-site");
    }
    

    And my method:

    private void SetCookie(string userName, bool createPersistentCookie)
    {
        int timeout = createPersistentCookie ? 525600 : 120; // Timeout in minutes, 525600 = 365 days.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(userName, createPersistentCookie, timeout);
        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Expires = System.DateTime.Now.AddMinutes(timeout);
    
        Response.Cookies.Add(cookie);
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie);
    }
    

    I will not be logged in for a year as planned - the cookie isn't persistent. Does anyone see the reason for the error?

  • Tom Engan 430 posts 1173 karma points
    Jan 04, 2018 @ 13:37
    Tom Engan
    0

    I have added domain in web.config, and it worked:

    <authentication mode="Forms">
      <forms name="myMemberAuthCookie" loginUrl="logg-inn" domain="mydomain.no" protection="All" path="/" />
    </authentication>    
    

    My method (createPersistentCookie is true/false from my "remember me" checkbox):

    int timeout = createPersistentCookie ? 525600 : 120; // Timeout in minutes, 525600 = 365 days.
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(timeout),
            createPersistentCookie,
            string.Empty,
            FormsAuthentication.FormsCookiePath);
    
    string encrypted = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted); //FormsAuthentication.FormsCookieName: cookie.Name = "myMemberAuthCookie";
    Response.Cookies.Add(cookie);
    FormsAuthentication.SetAuthCookie(userName, createPersistentCookie, FormsAuthentication.FormsCookiePath);
    

    But now I wonder how I can quit the cookie immediately upon logout. This isn't enough - cookie expiration is still active:

    // clear authentication cookie
    if (Request.Cookies[FormsAuthentication.FormsCookieName] != null)
        Response.Cookies[FormsAuthentication.FormsCookieName].Expires = DateTime.Now.AddDays(-30);
    
    Session.Abandon();
    FormsAuthentication.SignOut();
    Members.Logout();
    

    Are there errors in the code, or are there other settings I should set?

  • Tom Engan 430 posts 1173 karma points
    Jan 05, 2018 @ 14:28
    Tom Engan
    0

    I can delete the cookie (when I log out)

    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
    

    if I change the name from FormsAuthentication.FormsCookieName to Username

    HttpCookie cookie = new HttpCookie(Username, encrypted);
    

    but then the expiry timer in the cookie doesn't work at all, so how can I delete the cookie with the name FormsAuthentication.FormsCookieName instead of Username?

    Should I use JavaScript to delete the cookie?

  • Dan Diplo 1554 posts 6205 karma points MVP 6x c-trib
    Jan 05, 2018 @ 14:36
    Dan Diplo
    2

    In web.config you can set the timeout property for forms authentication, which configures how long the cookie is set for, e.g. for 30 days:

    <authentication mode="Forms">
      <!-- the timeout period is how long (in minutes) the persistent cookie is set when "remember me" is checked (43200 mins = 30 days) -->
      <forms name="yourAuthCookie" loginUrl="/login/" protection="All" path="/" timeout="43200" />
    </authentication>
    
  • Tom Engan 430 posts 1173 karma points
    Jan 05, 2018 @ 14:41
    Tom Engan
    0

    Thanks, but I want two different times, for example one hour if the member has not checked "Remember me" and 30 days if the member has checked "Remember me", and immediately logged out with a logout button, so in this case, web.config isn't enough?

  • Dan Diplo 1554 posts 6205 karma points MVP 6x c-trib
    Jan 05, 2018 @ 14:56
    Dan Diplo
    0

    Yes, it should be.

    The timeout value is for the time set in the persistent cookie only for people who have ticked "remember me".

    People who don't tick that will get a temporary session cookie. The timeout of that is governed by the sessionState timeout parameter in web.config, e.g. for 20 mins.

    <sessionState timeout="20"></sessionState>
    
  • Tom Engan 430 posts 1173 karma points
    Jan 05, 2018 @ 15:01
    Tom Engan
    0

    I've been thinking about that too, so I'll try a little, but I think I'll still have a challenge if a member presses "remember me" and, after logging in, presses the button to eliminate the cookie immediately. Until now, User.Identity.IsAuthenticated has always been true, even after

    Session.Abandon ();
    FormsAuthentication.SignOut ();
    Members.Logout ();
    

    I'll keep trying, but I will still receive tips if you know this issue..

  • Tom Engan 430 posts 1173 karma points
    Jan 05, 2018 @ 15:16
    Tom Engan
    0

    BTW: What's the difference between

    <sessionState timeout="20"></sessionState>    <!-- sessionState is not in my web.config now -->
    

    and

    <membership defaultProvider="UmbracoMembershipProvider" userIsOnlineTimeWindow="15">  ?
    
  • Dan Diplo 1554 posts 6205 karma points MVP 6x c-trib
    Jan 05, 2018 @ 16:00
    Dan Diplo
    1

    Session state is how long the session lasts (i.e. how long an idle user who doesn't refresh his browser is logged in for).

    userIsOnlineTimeWindow is used by providers to determine whether a member is online - it's basically when their last activity was plus a window. How this is determined is up to the provider. It has no bearing on logins. It's more for calculating stuff like "how many users are currently using the app" etc.

    https://msdn.microsoft.com/en-us/library/system.web.security.membership.userisonlinetimewindow.aspx

  • Tom Engan 430 posts 1173 karma points
    Jan 08, 2018 @ 09:40
    Tom Engan
    105

    The solution:

    The solution was surprisingly simple. I discovered that I don't need to create a new myMemberAuthCookie (named from web.config, originally named yourAuthCookie), since it's automatically created when I log in, so goodbye to double myMemberAuthCookie, which was the problem when trying to delete the cookie, and all I had to do when logging in was this (Fiddler was an invaluable help in this process):

    if (Members.Login(model.Username, model.Password))
    {
        if (!model.RememberMe && Response.Cookies[FormsAuthentication.FormsCookieName] != null)
            Response.Cookies[FormsAuthentication.FormsCookieName].Expires = DateTime.Now.AddMinutes(120);
    
        if (model.RememberMe && Response.Cookies[FormsAuthentication.FormsCookieName] != null)
            Response.Cookies[FormsAuthentication.FormsCookieName].Expires = DateTime.Now.AddMinutes(43200);
    
        return Redirect("/member-site");
    } 
    

    And the only thing I need when I log out is this:

    Members.Logout();
    return Redirect("/logg-inn");    // to home or whatever suits you best
    

    And the web.config:

    <authentication mode="Forms">
      <forms name="myMemberAuthCookie" timeout="43200" loginUrl="logg-inn" domain="mydomain.no" protection="All" path="/" />
    </authentication>
    

    So now it works with three options as planned:

    1 - Log in without "remember me" checked: Stay logged in for 2 hours (myMemberAuthCookie deleted)
    2 - Log in with "remember me" checked: Stay logged in for 1 month (myMemberAuthCookie deleted)
    3 - Immediately quits and myMemberAuthCookie is deleted when logging out
    

    Please comment on any issues with this method, such as performance.

    This should be a part of Umbraco's documentation, I think.
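
An added example, not code from the thread or from Umbraco: one helper that issues and clears the forms-auth cookie with the same name, path and domain, which avoids the duplicate-cookie problem described above, and that also sets the expiration inside the encrypted ticket to match the cookie. `MemberAuthCookie` and its method names are hypothetical; the sketch assumes `Issue` is called after a successful `Members.Login` and that `Cookies.Set` replaces the cookie the login already queued on the response.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not Umbraco API): writes exactly one forms-auth cookie
// whose encrypted ticket expires at the same moment as the cookie itself.
public static class MemberAuthCookie
{
    // Lifetimes taken from the thread: 2 hours, or 30 days with "remember me".
    private static readonly TimeSpan ShortLived = TimeSpan.FromMinutes(120);
    private static readonly TimeSpan Remembered = TimeSpan.FromMinutes(43200);

    public static void Issue(HttpResponseBase response, string userName, bool rememberMe)
    {
        DateTime now = DateTime.Now;
        DateTime expires = now.Add(rememberMe ? Remembered : ShortLived);

        // The server checks the expiration inside the ticket, not the cookie's
        // Expires attribute, so both are derived from the same value.
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, expires, rememberMe,
            string.Empty, FormsAuthentication.FormsCookiePath);

        response.Cookies.Set(BuildCookie(FormsAuthentication.Encrypt(ticket),
                                         rememberMe ? expires : (DateTime?)null));
    }

    public static void Clear(HttpResponseBase response)
    {
        // Same name, path and domain as the issued cookie, already expired.
        response.Cookies.Set(BuildCookie(string.Empty, DateTime.Now.AddYears(-1)));
    }

    private static HttpCookie BuildCookie(string value, DateTime? expires)
    {
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, value)
        {
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                           // not readable from script
            Secure = FormsAuthentication.RequireSSL    // requireSSL on <forms>
        };
        // Browsers treat cookies with and without a Domain attribute as
        // different cookies, so reuse the web.config value in both paths.
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;
        if (expires.HasValue)
            cookie.Expires = expires.Value;            // omitted: session cookie
        return cookie;
    }
}
```

Clearing the cookie only removes it from the browser: forms-authentication tickets are not tracked server-side, so a copied ticket stays valid until its embedded expiration. That is the reason to keep the ticket lifetime short when "remember me" is not checked.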

  • Edgar Rasquin 326 posts 925 karma points
    Feb 08, 2018 @ 13:46
    Edgar Rasquin
    0

    Hi Tom,

    Thanks for the detailed instructions.

    Do I have to create my own model/controller to realize this or could it be implemented in the built-in loginModel/UmbLoginController?

    Edgar

  • Tom Engan 430 posts 1173 karma points
    Feb 26, 2018 @ 13:53
    Tom Engan
    2

    Sorry, didn't see this before now.

    You must have some more fields, so I created an extended login model with inheritance like this:

    public class MemberLoginViewModel : Umbraco.Web.Models.LoginModel
    {
        [Display(Name = "Husk meg")]
        public bool RememberMe { get; set; }
    }
    

    I have made my own controller. I don't know about UmbLoginController.
