如何让用户保持登录状态 2 周？

Question

HI

I am using asp.net mvc with asp.net membership.

I want to have a checkbox that if clicked keeps the users signed in for 2 weeks(unless they clear their cookies).

So I know their is

FormsAuthentication.SetAuthCookie(userName, createPersistentCookie)

but I don't know how to set it up for 2week retention.

I rewrote most of the membership stuff. So I don't use stuff like Create() and VerifyUser().

Answer 1

Add a hash key or a random string to both the cookie and the database (both the same key). If the cookie and database value are the same, when the user starts a new session, sign him/her in again. When the user reaches the two weeks, remove the secret key from the database using a cronjob (Unix) or scheduled task (Windows).

Do not rely on the cookie expire date, since people can hack their browser.
NEVER, EVER trust ANY of your users!

Answer 2

You can set the global session timeout (the value is in minutes) in web.config eg.

<system.web>
    <authentication mode="Forms">
          <forms timeout="20160"/>
    </authentication>
</system.web>

This will be for all authenticated users. If you want to use the 'Remember Me' functionality then you will need to write your own code to set the cookie/ticket. Something like this (taken from here ):

protected void Page_Load()
{
    if (Request.Cookies["username"] == null || Request.Cookies["username"].Value.ToString().Trim() == "")
    {
        Login1.RememberMeSet = true; 
    }
    else
    {
        Login1.UserName = Request.Cookies["username"].Value.ToString().Trim();
        Login1.RememberMeSet = true; 
    }
}
protected void RememberUserLogin()
{
    // Check the remember option for login

    if (Login1.RememberMeSet == true)
    {
        HttpCookie cookie = new HttpCookie("username");
        cookie.Value = Login1.UserName.Trim(); 
        cookie.Expires = DateTime.Now.AddHours(2);

        HttpContext.Current.Response.AppendCookie(cookie);
        Login1.RememberMeSet = true; 

    }
    else if (Login1.RememberMeSet == false)
    {
        HttpContext.Current.Response.Cookies.Remove("username");
        Response.Cookies["username"].Expires = DateTime.Now;
        Login1.RememberMeSet = false; 
    }

}

Answer 3

只需使用具有 2 周到期日期的简单 cookie。

Answer 4

Have you seen this?

http://forums.asp.net/t/1440824.aspx

Along similar lines to what Koning has suggested.

Answer 5

You can not use a session method to keep your users logged in, since browsers delete the session cookies when the browser is closed.

Do what user142019 offered and set the session's IdleTimeout parameter very short, up to 15 min. When the server receives any request from the browser, first check the session if it's alive. if not, try to get the cookie. If the cookie and database value are the same and not expired, assign it to the (new) session and return the response.

You can use onBeforeUnload listener to send a logout request when the user leaves your site. If logged out, delete the cookie and the db record, if not - assign a new hash for the next auto login and refresh that hash again when the user retunes to your website. You can also keep track of IP and the browser and link them to the hash in your db. So, in case if the cookie is used with another browser or IP, and the hash code is valid, you can force them to login again.