Introduction
There are two timeout values in web.config that matter for the "Remember Me" functionality.
The first is FormsAuthentication.Timeout. It sets the expiration timestamp of the .ASPXAUTH cookie.
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
The second is HttpSessionState.Timeout. This timeout is enforced by the session store, which is the in-process session manager or a SQL table depending on the configured mode.
<configuration>
  <system.web>
    <sessionState
      mode="InProc"
      cookieless="true"
      timeout="30" />
  </system.web>
</configuration>
When a user visits the login page for the very first time, ASP.NET creates the ASP.NET_SessionId cookie.
If a cookie has the expiration timestamp "Session", that cookie is stored only in the memory of the browser, as described on MSDN under Writing Cookies:
If you do not set the cookie's expiration, the cookie is created but it is not stored on the user's hard disk. Instead, the cookie is maintained as part of the user's session information. When the user closes the browser or if the session times out, the cookie is discarded. A non-persistent cookie like this is handy for information that needs to be stored for only a short time or that for security reasons should not be written to disk on the client computer. For example, non-persistent cookies are useful if the user is working on a public computer, where you do not want to write the cookie to disk.
The ASP.NET_SessionId cookie is used by ASP.NET to map subsequent HTTP requests to the same HttpContext.Session object on the server side. Indeed, this cookie is discarded and re-created for every HTTP request in Cookieless Sessions mode.
When the cookieless attribute setting is false, the session-state module actually creates a cookie named ASP.NET_SessionId and stores the session ID in it... A session cookie is given a very short expiration term and is renewed at the end of each successful request.
However, I could not confirm that this behavior still holds. In other words, the exact same cookie is re-used for every HTTP request. A much more important point is that developers have no access to this cookie from C#. This means the "Remember Me" option on the login page must rely on a different cookie.
And that is the .ASPXAUTH cookie.
When the "Remember Me" option is selected, the .ASPXAUTH cookie will have an expiration timestamp explicitly set.
If a user selects the "Remember Me" option and then leaves the system for an extended period of time, the .ASPXAUTH cookie will NOT resume the previous session when he or she comes back. Instead, a new session is created, as if the user had entered the correct username and password again.
The "Remember Me" functionality provided by Microsoft will not be adequate if the application needs to do more than match username and password. For example, a multi-tenant application needs the user to identify the client, database or table to log in to. In this case, the application has to put extra information into the .ASPXAUTH cookie.
If you need to put extra information into this cookie, you need to take the following steps:
- When you serve the login page, try to read the .ASPXAUTH cookie. If the extra information can be read from the cookie, you can redirect the user away from the login page to the home page or another page.
- When the user submits login information, put the extra information into the FormsAuthenticationTicket. See how to Add Custom Info to Authentication Cookies.
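As an added example (not code from this post), here is how those two steps can be implemented with the FormsAuthenticationTicket API; the class name TenantAuthCookie, its methods Issue and ReadTenant, and the "tenant=" UserData prefix are assumed names, and the credential check itself is left to the application.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not the post's own code. Helpers for a hypothetical multi-tenant login
// that carry the tenant name in the FormsAuthenticationTicket.UserData field.
public static class TenantAuthCookie
{
    private const string TenantPrefix = "tenant=";

    // Called after the application has verified username, password and tenant.
    // Builds the ticket, encrypts it and writes the .ASPXAUTH cookie; only a
    // "Remember Me" login gets an explicit Expires, so the cookie persists on disk.
    public static void Issue(HttpResponseBase response, string userName, string tenant, bool rememberMe)
    {
        DateTime issued = DateTime.Now; // FormsAuthenticationTicket.Expired compares against local time
        var ticket = new FormsAuthenticationTicket(
            1, userName, issued, issued.Add(FormsAuthentication.Timeout),
            rememberMe, TenantPrefix + tenant, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // keep the ticket out of reach of page script
            Secure = FormsAuthentication.RequireSSL, // honour <forms requireSSL="true">
            Path = FormsAuthentication.FormsCookiePath,
        };
        if (rememberMe)
        {
            cookie.Expires = ticket.Expiration;      // persistent cookie; without Expires it is a browser-session cookie
        }
        response.Cookies.Add(cookie);
    }

    // Called when serving the login page. Returns the tenant stored in the .ASPXAUTH
    // cookie, or null if there is no valid, unexpired ticket carrying one, in which
    // case the login form should be shown instead of redirecting.
    public static string ReadTenant(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }          // malformed or tampered ticket: treat as absent

        if (ticket == null || ticket.Expired) return null;
        if (!ticket.UserData.StartsWith(TenantPrefix, StringComparison.Ordinal)) return null;
        return ticket.UserData.Substring(TenantPrefix.Length);
    }
}
```

In the MVC controller, call TenantAuthCookie.ReadTenant(Request) in the GET Login action and redirect when it returns a tenant, and call TenantAuthCookie.Issue(Response, ...) in the POST action once the credentials and tenant have been verified.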
The login flow:
--------------------------------------------------------------------------------
Additional works are published on my blog http://believeblog.azurewebsites.net/.