Chap 15: Cookies / "Remember Me" Login

sw02 · August 11th, 2009, 02:38 PM

Imar's textbook references using the following code in web.config (Chap 15) to enable the "Remember Me" on the Login control via a cookie.

<authentication mode="Forms">
<forms timeout="1440" />
</authentication>

Per the textbook, I have a <LoggedInTemplate> and an <AnonymousTemplate> . I have lowered my browser's privacy settings to "accept all cookies". Yet, when I log in with a checkmark on the "remember me" box, logout, close the browser, view in browser again, it shows the anonymous template for me to log in again, instead of "You are already logged in." with the login posting in the page's footer. Any ideas on what piece I'm missing?

Patrick
Texas

Imar · August 11th, 2009, 04:23 PM

>> Yet, when I log in with a checkmark on the "remember me" box, logout, close the browser, view in browser again, it shows the anonymous template for me to log in again

Notice the "logout" here. Remember Me only remembers you when you stay logged in....

Imar

sw02 · August 12th, 2009, 10:49 AM

Thanks Imar. I'm not sure I follow though. From my perspective, "Remember Me Next Time" implies that one that one has logged off. (Perhaps bad reasoning on my part!) Also, I found this on a blog:

The ASP.NET 2.0 Login control comes with an embedded piece of UI known as the "Remember me next time" checkbox. By checking this checkbox when they login, a user can choose to have their authentication ticket persisted so that they do not have to login every time they visit the site. By default this ticket will be remembered for a duration of 30 minutes before the user is again asked to login.

As a user I find it a little annoying when I've asked a site to remember me that I have to login each time. You can tweak the amount of time that the authentication cookie is persisted for by playing with the timeout and expiration policy settings of the forms element in web.config.

This piece also implies distinct visits to the site. However, it appears you are correct in that my way isn't working! Is the sequence below how it is working:

1) Login as usual.
2) Let's say you go to lunch for one hour AND don't log off.
3) Session variable times out at 30 minutes, but your "Remember Me Next Time" cookie is set for two hours.
4) Come back from lunch, and you can start using the application without a login.

What does the application look like? Is it a normal login view in the footer (per textbook)? If you click on Login menu will it will show you that you are still logged in (i.e., "You are already logged in")?

Again, I would expect that if you went to lunch, you would log off. When you come back, it would find the cookie and immediately let you use the application.

Thanks and I'm sorry if I'm beating this to death...

Patrick

Imar · August 12th, 2009, 11:18 AM

You theory is correct, except for the "log out" part.

When you set "Remember Me" you get a persistent cookie that survives browser sessions. So, when you close your browser, go to lunch and then come back, you can enter the site without reauthentication.

When you click the Logout link, the cookie is deleted. It's as if you're saying "Stop remembering me".

So if you want to stay logged in when you are out for lunch, don't log out but simply close your browser. Then it will remember you....

In summary: "Remember Me Next Time" implies that you're logged in automatically next time you visit the site if you don't log out explicitly. If you click Logout, you're saying "Forget me"....

Hope this helps,

Imar