senior_internet
asked on
ASP.Net persistent cookie not working
Hi all,
We are using a standard Asp.net Login control to authenticate users in a web
application. We have allowed the 'remember me' checkbox to be displayed. We
have set the the cookie timeout (in the forms element of the web.config) to
be 525600 (1 year). The cookie seems to be working initially but after a
certain amount of time (a day or two, it seems to vary), the application
stops remembering us and prompts us to log in again. The strange thing is
that the cookie still exists on the client machine and has an expiry date of
a year from now so why would the application not be recognising it? I thought it might be the machine key changing that was stopping the cookie from being decoded properly so I manually enetered a machine key into the web.config. Unfortunately that made no difference.
I'm running on IIS version 6 using Asp.net v2.0.
Here's the entire authentication section of the web.config
<authentication mode="Forms">
<forms name=".ASPXAUTH"
protection="All"
timeout="525600"
path="/"
requireSSL="false"
slidingExpiration="true"
cookieless="UseDeviceProfi le"
loginUrl="~/UserAccount/Lo gin.aspx"
defaultUrl="~/Default.aspx "/>
</authentication>
Here's the section of the web.config that sets the machine key (which seems to make no difference)
<system.web>
<machineKey validationKey="106DF81D159 AD13D9.... .......154 F064EE22EF 779E845C" decryptionKey="0D8DACE2842 31159C78AB 6937480... ....FFD0A8 D8"
validation="SHA1"
decryption="AES" />
Here's the login control converted to a template:
<asp:Login ID="login1" runat="server">
<LayoutTemplate>
<div class="list_form">
<asp:Label ID="UserNameLabel" runat="server"
AssociatedControlID="UserN ame">
<span>User Name:</span>
<asp:TextBox ID="UserName" runat="server"></asp:TextB ox>
<asp:RequiredFieldValidato r ID="UserNameRequired"
runat="server"
ControlToValidate="UserNam e"
ErrorMessage="User
Name is required."
ToolTip="User
Name is required."
ValidationGroup="login"
Display="Dynamic">*</asp:R equiredFie ldValidato r>
</asp:Label>
<div class="clear"></div>
<asp:Label ID="PasswordLabel" runat="server"
AssociatedControlID="Passw ord">
<span>Password:</span>
<asp:TextBox ID="Password" runat="server"
TextMode="Password"></asp: TextBox>
<asp:RequiredFieldValidato r ID="PasswordRequired"
runat="server"
ControlToValidate="Passwor d"
ErrorMessage="Password
is required."
ToolTip="Password
is required."
ValidationGroup="login"
Display="Dynamic">*</asp:R equiredFie ldValidato r>
</asp:Label>
<div class="clear"></div>
<asp:Label ID="Label1" runat="server" AssociatedControlID="Remem berMe">
<span>Remember me</span>
<asp:CheckBox ID="RememberMe" runat="server" />
</asp:Label>
<asp:Literal ID="FailureText" runat="server"
EnableViewState="False"></ asp:Litera l>
<div class="buttons">
<asp:Button ID="LoginButton" runat="server" CommandName="Login" Text="Log In" ValidationGroup="login" />
</div>
</div>
</LayoutTemplate>
</asp:Login>
And here's a summary of the cookie content as displayed by firefox even when the site is asking me to log in.
Name .ASPXAUTH
Value 60BCF4E7E052FE454EC......7 AF74
Host our.website.co.uk
Path /
Secure No
Expires Fri, 12 Sep 2009 10:03:16 GMT
Is there anything I could be missing here that would make the application ignore this cookie?
Many Thanks,
Chris.
We are using a standard Asp.net Login control to authenticate users in a web
application. We have allowed the 'remember me' checkbox to be displayed. We
have set the the cookie timeout (in the forms element of the web.config) to
be 525600 (1 year). The cookie seems to be working initially but after a
certain amount of time (a day or two, it seems to vary), the application
stops remembering us and prompts us to log in again. The strange thing is
that the cookie still exists on the client machine and has an expiry date of
a year from now so why would the application not be recognising it? I thought it might be the machine key changing that was stopping the cookie from being decoded properly so I manually enetered a machine key into the web.config. Unfortunately that made no difference.
I'm running on IIS version 6 using Asp.net v2.0.
Here's the entire authentication section of the web.config
<authentication mode="Forms">
<forms name=".ASPXAUTH"
protection="All"
timeout="525600"
path="/"
requireSSL="false"
slidingExpiration="true"
cookieless="UseDeviceProfi
loginUrl="~/UserAccount/Lo
defaultUrl="~/Default.aspx
</authentication>
Here's the section of the web.config that sets the machine key (which seems to make no difference)
<system.web>
<machineKey validationKey="106DF81D159
validation="SHA1"
decryption="AES" />
Here's the login control converted to a template:
<asp:Login ID="login1" runat="server">
<LayoutTemplate>
<div class="list_form">
<asp:Label ID="UserNameLabel" runat="server"
AssociatedControlID="UserN
<span>User Name:</span>
<asp:TextBox ID="UserName" runat="server"></asp:TextB
<asp:RequiredFieldValidato
runat="server"
ControlToValidate="UserNam
ErrorMessage="User
Name is required."
ToolTip="User
Name is required."
ValidationGroup="login"
Display="Dynamic">*</asp:R
</asp:Label>
<div class="clear"></div>
<asp:Label ID="PasswordLabel" runat="server"
AssociatedControlID="Passw
<span>Password:</span>
<asp:TextBox ID="Password" runat="server"
TextMode="Password"></asp:
<asp:RequiredFieldValidato
runat="server"
ControlToValidate="Passwor
ErrorMessage="Password
is required."
ToolTip="Password
is required."
ValidationGroup="login"
Display="Dynamic">*</asp:R
</asp:Label>
<div class="clear"></div>
<asp:Label ID="Label1" runat="server" AssociatedControlID="Remem
<span>Remember me</span>
<asp:CheckBox ID="RememberMe" runat="server" />
</asp:Label>
<asp:Literal ID="FailureText" runat="server"
EnableViewState="False"></
<div class="buttons">
<asp:Button ID="LoginButton" runat="server" CommandName="Login" Text="Log In" ValidationGroup="login" />
</div>
</div>
</LayoutTemplate>
</asp:Login>
And here's a summary of the cookie content as displayed by firefox even when the site is asking me to log in.
Name .ASPXAUTH
Value 60BCF4E7E052FE454EC......7
Host our.website.co.uk
Path /
Secure No
Expires Fri, 12 Sep 2009 10:03:16 GMT
Is there anything I could be missing here that would make the application ignore this cookie?
Many Thanks,
Chris.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
1. Is this behavior the same. regardless of browser?
2. If you're using two different machines do they "lose" their cookie (ask for authentication) at the same time?
I think this looks like a server restart...