I have an ASP.NET login web form that has (username TextBox, password TextBox) plus a Remember Me CheckBox option. When the user logs in, I run the code below:

if (provider.ValidateUser(username, password))
{
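    // Default ticket lifetime: 0x13 = 19 minutes.
    int timeOut = 0x13;
    DateTime expireDate = DateTime.Now.AddMinutes(19.0);
    if (rememberMeCheckBox.Checked)
    {
        // Remember Me: 0x80520 = 525600 minutes = 365 days.
        timeOut = 0x80520;
        expireDate = DateTime.Now.AddYears(1);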
    }

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(username, true, timeOut);
    string cookieValue = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, cookieValue);
    cookie.Expires = expireDate;
    HttpContext.Current.Response.Cookies.Add(cookie);

    AddForLogin(username);
    Response.Redirect("...");
}

As the code shows, after the user is authenticated I log in the DB that he logged in by calling the method AddForLogin(username);
But if the user chose Remember Me at login and then comes back to the site at any later time, this login method isn't executed, as it uses cookies... so I have many questions:

1- Is this the best way to log the login operation, or is there a better one?
2- In my case, how do I log the login operation when Remember Me was chosen by the user?

A: 

The best way to implement the login operation is to implement your login design. It seems that in your code you're using built-in functionality plus logging custom information.

In order to log login information you can customize your Provider. Indeed there will be some DB changes around it, but you can handle them with stored procedures with no change in the entire code. For example, create a new table that holds as much information as you wish, including the login operation (I mean how the user is logged in: is it the first time, or has the user already chosen the Remember Me option so that the user is logged in by cookie).

Best Regards
Myra

Myra
A: 

Currently you do not have enough info to distinguish the two cases. I think that the easiest way to do what you want would be to add a temp cookie when the user logs in, and then in your page class, if the temp cookie is not present, they are using the Remember Me option. Then you can log this and set the temp cookie.

Mike
+1 from me, simple solution, and reliable (as long as the user doesn't delete that particular cookie)
Onkelborg
A: 

What I ended up doing in one application I used was to test in Session_Start() whether they were logged in, and do the logging there. I found that this did capture people whose login was successful due to their login cookie still being valid (so they didn't need to explicitly log in).

You'll have to test what effect this has on regular logins to ensure you aren't logging them twice, but that's simple enough to figure out. My app actually excludes logging logins when the last login was within 5 minutes, but that's just to limit how many records are there, too.

Andrew Barber
Sessions can't be used for this, they may trigger false alarms (example: user signs in, navigates away, but doesn't close the browser. Returns, new session: alarm! But it's a false alarm, the successful login wasn't caused by the "remember me" feature)
Onkelborg
Not if they come back within the session timeout. And an additional log of a login in such a case may be much better than a missed log entirely.
Andrew Barber
A: 

If I understand what you are hoping to accomplish, maybe FormsAuthentication_OnAuthenticate in your application class (global.asax.cs) would be the right place to log the login?

Chris Shaffer
Probably not, as this will trigger on each and every call to the application
Onkelborg
A: 

Here's my opinion after reading through all the other answers.

Below is my idea with performance consideration in mind:

  1. Create a login logging interval setting, say 12 hours or 24 hours (your choice). You can store this setting in web.config appSettings. The smaller the value, the higher the performance hit.

  2. When users log in successfully at the login page manually, log it to your datastore and set a cookie with the current datetime (last logged login datetime).

  3. Whenever users make a page request, compare the difference between the last logged login datetime stored in the cookie and the current request datetime. If the difference is less than the interval specified in the settings, do not log it. If it is larger, refresh the cookie value to the current datetime and log the login to your datastore. This step is to reduce the performance hit.

Gan
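
One way to implement the three steps of the answer above, as an added example that is not part of the original thread. The `LoginAudit` class, the `LastLoginLog` cookie name and the `LoginLogIntervalHours` appSettings key are assumptions, and `MachineKey.Protect` requires .NET 4.5 or later. The timestamp is sealed and bound to the user name, so editing or copying the cookie cannot suppress an audit entry; a stamp that fails validation is treated as missing and the login is logged.

```csharp
using System;
using System.Configuration;
using System.Globalization;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added example; LoginAudit, the cookie name and the appSettings key are hypothetical.
public static class LoginAudit
{
    const string CookieName = "LastLoginLog";
    const string Purpose = "LoginAudit.v1"; // MachineKey purpose string
    // Step 2: call right after the manual login has been logged.
    public static void IssueStamp(HttpContext ctx, string user)
    {
        byte[] blob = MachineKey.Protect(BitConverter.GetBytes(DateTime.UtcNow.Ticks), Purpose, "user:" + user);
        var cookie = new HttpCookie(CookieName, HttpServerUtility.UrlTokenEncode(blob))
            { HttpOnly = true, Secure = ctx.Request.IsSecureConnection, Expires = DateTime.Now.AddYears(1) };
        ctx.Response.Cookies.Add(cookie);
    }
    // Step 3: call from Application_PostAuthenticateRequest; logLogin is the site's own writer.
    public static void LogIfDue(HttpContext ctx, Action<string> logLogin)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        double hours; // Step 1: interval from web.config, 24 h if missing or invalid
        if (!double.TryParse(ConfigurationManager.AppSettings["LoginLogIntervalHours"],
                NumberStyles.Float, CultureInfo.InvariantCulture, out hours) || hours <= 0) hours = 24;
        string user = ctx.User.Identity.Name;
        DateTime now = DateTime.UtcNow;
        DateTime? last = ReadStamp(ctx.Request.Cookies[CookieName], user);
        if (last.HasValue && last.Value <= now && now - last.Value < TimeSpan.FromHours(hours)) return;
        logLogin(user);
        IssueStamp(ctx, user);
    }
    // Accepts a stamp only if it is untampered and was issued to this user.
    static DateTime? ReadStamp(HttpCookie cookie, string user)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            byte[] blob = HttpServerUtility.UrlTokenDecode(cookie.Value);
            if (blob == null || blob.Length == 0) return null;
            byte[] raw = MachineKey.Unprotect(blob, Purpose, "user:" + user);
            return new DateTime(BitConverter.ToInt64(raw, 0), DateTimeKind.Utc);
        }
        catch (CryptographicException) { return null; }
        catch (FormatException) { return null; }
    }
}
```

In the login handler from the question, `LoginAudit.IssueStamp(HttpContext.Current, username)` would follow the existing `AddForLogin(username)` call, and `Application_PostAuthenticateRequest` would call `LoginAudit.LogIfDue(HttpContext.Current, AddForLogin)` or an equivalent delegate.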