Sync session with authentication ticket to keep user logged on

Sheritlw
I am using ASP.NET 3.5 with master pages.

When the user initially logs in and sets remember me to true, I would like to keep them logged in for 2 months.  

I only use 1 session variable and that is to hold the userid.  I use this id everywhere throughout the application.  

I also use forms authentication and in IIS 7.5, I have set it not to expire for 2 months.
The problem is that although I have a procedure that checks and re-activates a session if the user is authenticated, it does not do it for every procedure.

I would like to have the program recognize the user when they go to the web application and redirect them accordingly.  

I am lost when it comes to authentication.  

I hope this makes sense.

Thanks
 
#### Check and create session
```vb
Public Function CheckSessionAndReturnUser() As String
    ' Need to check authorization ticket
    Dim s As String = Nothing
    If Session("UserID") Is Nothing Then
        If My.User.IsAuthenticated Then
            s = SetUserIDSession()
        Else
            s = Nothing
        End If
    Else
        s = Session("UserID").ToString
    End If
    Return s
End Function
```

### web.config
```xml
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" enableCrossAppRedirects="true"
         slidingExpiration="true" cookieless="AutoDetect"
         timeout="10" defaultUrl="/Stylist/Client_Services.aspx"
         name=".ASPXAUTH"/>
</authentication>
```

### Login.aspx (I don't use the login control)
```vb
Protected Sub LoginButton_Click(ByVal sender As Object, ByVal e As System.EventArgs)
    If Membership.ValidateUser(txtUserName.Text, txtPassword.Text) Then
        If Me.RememberMe.Checked Then
            Dim authTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, txtUserName.Text, Today.Date, Today.AddMonths(2), True, "", FormsAuthentication.FormsCookiePath)
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, True)
            Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)
            Dim cookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
            cookie.Expires = authTicket.Expiration
            HttpContext.Current.Response.Cookies.Set(cookie)
        End If
        FormsAuthentication.SetAuthCookie(txtUserName.Text, True)
        Response.Redirect("/Stylist/Redirecting.aspx?NewStylist=" & Me.HiNewStylist.Value.ToString & "")
    Else
        Alert.Show("The email and/or password is incorrect.  Please retype your login information or click Register for a new account below.")
    End If
End Sub
```

Where are you persisting the session?

Author

Commented:
I am not sure what you mean.
In the CheckSessionAndReturnUser function above, I reset it, if the user is authenticated.
I do have the following in my master pages load event.

 
```vb
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    'If Not Page.IsPostBack Then

    If Session("UserID") Is Nothing Then
        Dim s As String = Nothing
        Dim u As New SalonUtilities
        s = u.CheckSessionAndReturnUser()
        If s = Nothing Then
            Response.Redirect("/login.aspx")
        End If
    End If
    ' End If

End Sub
```


Thanks
I hope you understand the session state management in ASP.NET. I was wondering if you are storing the session as InProc (default), state server, or SQL Server.

Author

Commented:
Storing it as InProc.
I have read so much about sessions and authorizations that my mind is scrambled and none of it makes sense anymore.

I really do appreciate your help,

Thanks
As you are storing InProc, the session data is available only until the process is recycled. The data will be lost if the process is recycled.

You should be storing it in SQL Server or a state server.

Author

Commented:
My question was how to sync them.  I am sure there are better ways to do this, but after numerous searches, I haven't been able to find any examples on how to correctly set up authentication with a session variable.
If I had one, I would change it... but I am in the middle of beta testing so I can't take the time to try and unscramble what I have read.
If you have an example that would be great.

Thanks
Add "Response.Cookies.Clear()" before adding the forms authentication cookie. Below is the code.


```vb
Protected Sub LoginButton_Click(ByVal sender As Object, ByVal e As System.EventArgs)
    If Membership.ValidateUser(txtUserName.Text, txtPassword.Text) Then
        If Me.RememberMe.Checked Then
            Response.Cookies.Clear()
            Dim authTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, txtUserName.Text, Today.Date, Today.AddMonths(2), True, "", FormsAuthentication.FormsCookiePath)
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, True)
            Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)
            Dim cookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
            cookie.Expires = authTicket.Expiration
            HttpContext.Current.Response.Cookies.Set(cookie)
        End If
        FormsAuthentication.SetAuthCookie(txtUserName.Text, True)
        Response.Redirect("/Stylist/Redirecting.aspx?NewStylist=" & Me.HiNewStylist.Value.ToString & "")
    Else
        Alert.Show("The email and/or password is incorrect.  Please retype your login information or click Register for a new account below.")
    End If
End Sub
```
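
One way to keep the ticket and the session variable in sync, as an added example that is not part of the thread or any poster's code: the user id travels inside the encrypted ticket's UserData, the cookie is written once at login, and each request rebuilds Session("UserID") from the validated ticket. `AuthTicketHelper`, `IssueTicket` and `EnsureUserId` are hypothetical names, and the user id is assumed to be available as a string at login.

```vb
Imports System.Web
Imports System.Web.Security

' Added example; AuthTicketHelper and its members are hypothetical names.
Public Module AuthTicketHelper

    ' Login: issue exactly ONE ticket, with the user id in UserData. Do not
    ' follow this with SetAuthCookie or RedirectFromLoginPage: each writes its
    ' own ticket whose lifetime comes from the <forms timeout> attribute.
    Public Sub IssueTicket(ByVal userName As String, ByVal userId As String, _
                           ByVal remember As Boolean)
        Dim issued As DateTime = DateTime.Now
        ' Assumption: 10 minutes mirrors timeout="10" in the web.config above.
        Dim expires As DateTime = If(remember, issued.AddMonths(2), issued.AddMinutes(10))
        Dim ticket As New FormsAuthenticationTicket(1, userName, issued, expires, _
            remember, userId, FormsAuthentication.FormsCookiePath)

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        cookie.HttpOnly = True                          ' not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL  ' follows requireSSL on <forms>
        If remember Then cookie.Expires = ticket.Expiration ' else browser-session cookie
        HttpContext.Current.Response.Cookies.Add(cookie)
    End Sub

    ' Each request (e.g. master page Load): the validated ticket is the source
    ' of truth. Rebuild Session("UserID") when InProc state was lost, and
    ' overwrite it when it disagrees with the ticket.
    Public Function EnsureUserId(ByVal ctx As HttpContext) As String
        If ctx.User Is Nothing Then Return Nothing
        Dim identity As FormsIdentity = TryCast(ctx.User.Identity, FormsIdentity)
        If identity Is Nothing OrElse Not identity.IsAuthenticated Then Return Nothing

        Dim userId As String = identity.Ticket.UserData
        ' A ticket without UserData (issued by older code) cannot be trusted to
        ' name a user id: return Nothing so the caller redirects to login.
        If String.IsNullOrEmpty(userId) Then Return Nothing

        If Not String.Equals(TryCast(ctx.Session("UserID"), String), userId) Then
            ctx.Session("UserID") = userId
        End If
        Return userId
    End Function
End Module
```

With `cookieless="AutoDetect"` a client without cookie support gets the ticket embedded in the URL; `cookieless="UseCookies"` together with `requireSSL="true"` keeps a two-month ticket out of URLs and off plain HTTP.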
