
asp.net FormsAuthentication : how to set multiple timeout values in the config file?

Developer https://www.devze.com 2022-12-20 13:23 Source: web

I'm trying to implement a 'remember me' functionality on my website to allow the users to remain logged in without having to login again.

I do something like this:

System.Web.Security.FormsAuthentication.SetAuthCookie(userName, true);

I've noticed that the 2nd parameter (createPersistentcookie) is not really persistent as it depends on the timeout value set in the config file.

From what I understand:

if createPersistentcookie=false then the user will automatically be logged out if s/he closes the browser or after x minutes of activity (x being specified in the config file).

if createPersistentcookie=true then the user will NOT be logged out if s/he closes the browser but will still be logged out after x minutes of activity (x being specified in the config file).

Note that in both cases 'x' has the same value and comes from the config file.

What I would like to do is:

- if the visitor doesn't want to stay logged in all the time I would like him to be automatically logged out after 20 min of inactivity or if he closes the browser. To do this I would set createPersistentcookie to false and the timeout value to 20 min.

- if the visitor DOES want to stay logged in all the time I would like him to be automatically logged out only after 7 days of inactivity. Closing the browser won't log him out. To do this I would set createPersistentcookie to true and the timeout value to 7 days.

You see the problem: in one case the timeout is set to 20 min and in the other case the timeout is set to 7 days, but in the config file I can only specify 1 value.

Any suggestions?


The title and first part of the question is in conflict with what you ultimately state as your goal.

To address the first part:

You need to construct the ticket yourself and explicitly set the expiration on the COOKIE the same as the timeout and then set the cookie.

This is easier said than done, because MS in its infinite wisdom does not expose the timeout property of the formsAuthentication element. There is a pretty simple workaround.

See the code in this answer to see what is required to create persistent tickets.

In conclusion: You are not doing anything wrong, the createPersistentCookie functionality is broken but can be worked around.

To address your stated goal:

There is really no clean way to do this using FormsAuthentication. Any attempt to do so would result in brittle hacks around a well designed, secure system that is dead simple to implement and leverage. If you attempt this with forms auth you will find yourself chasing ghosts.

good luck.


You can set the expiration time programmatically. The authentication cookie can be decrypted to a FormsAuthenticationTicket using FormsAuthentication.Decrypt(). Then you can re-create the ticket, setting the expiration time.


createPersistentcookie means whether the cookie will be destroyed when the user closes the browser or not. You can specify a very long lifetime and a persistent cookie for remembering the user.

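The approach the answers above describe (build the FormsAuthenticationTicket yourself with the lifetime you want, and put the same expiry on the cookie only when "remember me" is on) looks like the following. This is an added example, not code from the question or any of the answers; the 20-minute and 7-day values are the ones the question asks for, and the class and method names (RememberMeAuth, SignIn, RenewIfOld) are made up for the example.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Issues and renews forms-auth tickets with a per-user lifetime instead of the single
// <forms timeout="..."> value from web.config. Hypothetical helper class.
public static class RememberMeAuth
{
    // Lifetimes from the question: short session without "remember me", 7 days with it.
    private static readonly TimeSpan SessionTimeout = TimeSpan.FromMinutes(20);
    private static readonly TimeSpan PersistentTimeout = TimeSpan.FromDays(7);

    // Call this instead of FormsAuthentication.SetAuthCookie(userName, rememberMe).
    public static void SignIn(HttpResponse response, string userName, bool rememberMe)
    {
        TimeSpan lifetime = rememberMe ? PersistentTimeout : SessionTimeout;
        IssueCookie(response, userName, lifetime, rememberMe, string.Empty);
    }

    // Sliding renewal that keeps the lifetime originally issued. The built-in
    // FormsAuthenticationModule renewal uses the config timeout, so with
    // slidingExpiration="true" a 7-day ticket would be shortened on first renewal;
    // set slidingExpiration="false" in web.config and call this from
    // PostAuthenticateRequest (or an equivalent hook) instead.
    public static void RenewIfOld(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Undecryptable or tampered cookie: do nothing, the module will reject it.
            return;
        }
        if (ticket == null || ticket.Expired)
            return;

        // The original lifetime is recoverable from the ticket itself.
        TimeSpan lifetime = ticket.Expiration - ticket.IssueDate;
        TimeSpan age = DateTime.Now - ticket.IssueDate;

        // Same rule as the built-in sliding expiration: renew only past half-life,
        // so the cookie is not rewritten on every request.
        if (age.Ticks < lifetime.Ticks / 2)
            return;

        IssueCookie(context.Response, ticket.Name, lifetime, ticket.IsPersistent, ticket.UserData);
    }

    private static void IssueCookie(HttpResponse response, string userName, TimeSpan lifetime,
                                    bool persistent, string userData)
    {
        DateTime now = DateTime.Now;

        // The expiration stored inside the encrypted ticket is what the server enforces,
        // regardless of the config timeout.
        var ticket = new FormsAuthenticationTicket(
            1,                               // ticket version
            userName,
            now,                             // issue date
            now.Add(lifetime),               // expiration
            persistent,
            userData ?? string.Empty,
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                              // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,      // mirror the config setting
            Path = FormsAuthentication.FormsCookiePath
        };
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;

        // Only "remember me" gets a browser-side expiry. Without Expires the browser
        // holds a session cookie and discards it on close, which is the 20-minute case.
        if (persistent)
            cookie.Expires = ticket.Expiration;

        response.Cookies.Set(cookie);
    }
}
```

The point the question circles around is that two expirations are in play: the one inside the encrypted ticket, which the server checks and which FormsAuthentication.SetAuthCookie always fills from the config timeout, and the cookie's own Expires, which only the browser honours. Building the ticket yourself lets you choose the first per user; setting Expires only for persistent logins gives you the close-the-browser behaviour for everyone else.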
