I am building an asp.net mvc application. I want the session to never expire once the user logs in, unless the user clicks on logout.

What's the best way of doing it?

I have used

FormsAuthentication.SetAuthCookie(userName, createPersistentCookie);

and set createPersistentCookie to true, but I still get logged out after some time.

A: 

I'm looking at that too. I already store the user's username/password (hotmail-like, encrypted) in a cookie. So I was thinking to add a field like 'KeepSignedIn' and if it's set to true I bypass the login and make it look like the user stays signed in.

Jeroen
That's horrible security. Never store the password client side and never bypass a login...
Chris
Well if you know how to do it why don't you enlighten us with an answer instead of a comment.
Jeroen
Kinda already did.
Chris
That's lame. If you're not here to help stop posting these comments all together. Instead of saying what not to do help people in the right direction telling them how you did it or would do it.
Jeroen
Jeroen, my first comment was intended to steer any readers away from your method because it's insecure. It was not a personal dig @ you, nor am I the one that downvoted you (actually upvoted you after the first downvote). If you're going to post here, expect that sometimes your advice may be challenged and be prepared to defend or accept it, rather than getting all upset about it.
Chris
That still doesn't help us get to the solution, right, Chris?
Jeroen
No, Jeroen, that would be why I provided an answer in addition to my comment. Seriously, are you really this sensitive about it?
Chris
Hotmail is NOT storing user password on the client. Neither should you, unless you are doing one-way encryption of it (in which case you can't use it to login the user anyway). You shouldn't silently signin the user either, unless the user explicitly choose so.
Franci Penov
@Franci Penov: OK, I don't know how they do it. But I don't silently sign in my users, that was just a thought on how to keep them signed in. I will read up on the FormsAuthentication.
Jeroen
+1  A: 

FormsAuthentication cookies use the timeout value to determine expiration. The createPersistentCookie flag just tells the API to set an expires value, rather than allowing the cookie to expire when the browser is closed. To prevent expiration, increase the forms authentication timeout value in the web.config. That value is in minutes, so to force the cookie to last one year, use 525600.

Chris
Well, that will take a lot of memory on the server. Is there any alternative?
San
Huh? What will take a lot of memory? It's a single int value.
Chris
That is not going to take any memory on the server. Cookie expiration is done through a timestamp on the client.
Franci Penov
OK, then increasing the forms authentication timeout value should be fair enough. Which one is better, sliding expiration or the above one, or doesn't it matter?
San
I'd go with Franci's sliding expiration suggestion. It's slightly more secure and desirable than a 1 year cookie, IMO
Chris
However, leaving the cookie there for a year is not a good idea. You want to be a bit more aggressive with expiring inactive user sessions, especially if any of the user information might be sensitive.
Franci Penov
Right. 1 week is probably long enough. If the site is heavily used, 2-3 days might even suffice.
Chris
OK, then I will go with sliding expiration. Do you know any good article where it's explained, preferably with asp.net mvc?
San
just search for "asp.net forms authentication sliding expiration". there's bound to be tons of articles. :-)
Franci Penov
+3  A: 

Implement sliding expiration. Leave the expiration time to some reasonable value - day, two, week max; renew the cookie on each request (simplest) or at certain intervals.

Franci Penov
This will also work, and is probably better than using an expiry of 1 year.
Chris
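The web.config settings the two answers above describe, as an added example that is not taken from the original answers: the one-year absolute timeout Chris mentions, commented out, next to the sliding-expiration configuration Franci recommends. The login route ~/Account/LogOn is assumed (the MVC default); replace it with your own.

```xml
<!-- Added example, not from the original answers. Assumes the MVC default
     login route ~/Account/LogOn; adjust to your own route. -->
<configuration>
  <system.web>
    <!-- Weak: a one-year absolute expiry (525600 minutes). A copied cookie
         stays valid for a year, and an idle user is never signed out. -->
    <!--
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="525600" slidingExpiration="false" />
    </authentication>
    -->

    <!-- Preferred: a short idle timeout that is renewed while the user is active.
         With slidingExpiration="true" ASP.NET re-issues the ticket when a request
         arrives after more than half of the timeout has elapsed, so an active user
         is never logged out, while an idle session ends after 7 days (10080 minutes). -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn"
             timeout="10080"
             slidingExpiration="true"
             requireSSL="true"
             protection="All" />
    </authentication>

    <!-- Keep the authentication cookie out of reach of client-side script. -->
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
```

The createPersistentCookie flag from the question still matters with this configuration: without it the browser discards the cookie when it is closed, regardless of the timeout.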