ASP.NET - How to keep the user always logged in?

This functionality is a natural extension of "Remember me", which is part of Microsoft's integrated Login control. The "Remember me" check box allows the user to stay logged in if they leave the page or close the browser.
But if no request is made for 30 minutes, the user is logged out. The aim of "keep me logged in" is to keep the user logged in permanently, until they click Logout.

First you must change the forms authentication timeout in web.config to something larger than the default value of 30 minutes - something like 300000. This guarantees that the forms authentication ticket lives longer, and is enough on its own to keep the user logged in for days.
The "Remember me" check box makes the authentication cookie persistent, so it survives closing the browser.
Users who log in without checking "Remember me" stay logged in until they click Logout or close the browser (their authentication cookie is not persistent). If you want to enforce a timeout for this kind of user session, you can do the following:

1. After the user logs in, create a client cookie whose value is the session expiration time. An alternative is to use Session state, initialized in Session_Start(ByVal sender As Object, ByVal e As EventArgs).
You must change the session timeout in web.config so that it is equal to or larger than the desired timeout, and smaller than the forms authentication timeout.

2. Check user authentication on every request in global.asax -> Application_PreRequestHandlerExecute(ByVal sender As Object, ByVal e As EventArgs). If the user is authenticated and the timeout has expired, sign the user out and redirect to the login form.
If the timeout has not expired, move the expiration time forward, in the same way as the sliding expiration of forms authentication.
Be careful: do not set an expiration date on the client cookie. That would make it persistent, and closing the browser would no longer log the user out.
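The two steps above as one Global.asax code-behind, written here as an added VB.NET example (not code from the original post). The cookie name "SessionExpires", the 20-minute idle timeout and the assumption that the site runs over HTTPS are mine; IssueIdleCookie is a helper the login page is expected to call after a successful login.

```vbnet
' Global.asax code-behind (VB.NET). Assumed: cookie name "SessionExpires", 20-minute
' idle timeout (must be <= the session timeout and < the forms timeout in web.config).
Imports System
Imports System.Web
Imports System.Web.Security

Public Class Global_asax
    Inherits HttpApplication

    Private Const ExpiryCookieName As String = "SessionExpires"                   ' assumed name
    Private Shared ReadOnly IdleTimeout As TimeSpan = TimeSpan.FromMinutes(20)   ' assumed value

    ' Step 1: issue (or slide) the idle-timeout cookie. No Expires is set, so the cookie is
    ' session-only and disappears when the browser closes. The value is client-controlled:
    ' tampering can only stretch the idle window up to the forms ticket lifetime, so treat it
    ' as a usability control; for server-side enforcement use Session state instead.
    Public Shared Sub IssueIdleCookie(ByVal response As HttpResponse)
        Dim expiresAt As DateTime = DateTime.UtcNow.Add(IdleTimeout)
        Dim cookie As New HttpCookie(ExpiryCookieName, expiresAt.Ticks.ToString())
        cookie.HttpOnly = True   ' script never needs it; keep it away from injected JS
        cookie.Secure = True     ' assumes HTTPS; drop only for plain-HTTP test sites
        response.Cookies.Set(cookie)
    End Sub

    ' Step 2: on every request, sign out idle non-persistent users, otherwise slide the expiry.
    Private Sub Application_PreRequestHandlerExecute(ByVal sender As Object, ByVal e As EventArgs)
        Dim ctx As HttpContext = HttpContext.Current
        If ctx.User Is Nothing OrElse Not ctx.User.Identity.IsAuthenticated Then Return

        ' "Remember me" users carry a persistent ticket; the forms timeout alone governs them.
        Dim identity As FormsIdentity = TryCast(ctx.User.Identity, FormsIdentity)
        If identity IsNot Nothing AndAlso identity.Ticket.IsPersistent Then Return

        Dim expiresTicks As Long
        Dim cookie As HttpCookie = ctx.Request.Cookies(ExpiryCookieName)
        ' Missing or unparsable cookie counts as expired (fail closed).
        Dim expired As Boolean = cookie Is Nothing _
            OrElse Not Long.TryParse(cookie.Value, expiresTicks) _
            OrElse New DateTime(expiresTicks, DateTimeKind.Utc) < DateTime.UtcNow

        If expired Then
            FormsAuthentication.SignOut()
            If ctx.Session IsNot Nothing Then ctx.Session.Abandon()
            FormsAuthentication.RedirectToLoginPage()
            Return
        End If

        IssueIdleCookie(ctx.Response)   ' sliding expiration for the idle window
    End Sub
End Class
```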
