What is the best way to keep a user logged in?

I am using C# and asp.net

Is there a way to identify the computer uniquely?

Dave Baldwin (Fixer of Problems) Commented:
What kind of app?  Windows desktop?  Web?  If you are running in a web server, IIS creates a session id for every new connection.  Technically, it only identifies the user/web browser that has connected but that is normally what is needed on a web site.
goodk (Author) Commented:
Web, using asp.net but not using the built-in login system. Trying to write my own system so it is not easy to break by being different.
goodk (Author) Commented:
How does Google do it?
goodk (Author) Commented:
I am trying to find out if you guys have any idea how Google and Facebook keep you logged in?
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
AFAIK those sites set a cookie on your machine if you decide to stay logged in. If not using persistent login, each web page contains code to identify you, in an encrypted way with local machine data as key (to prevent intercepting or faking).
Kamal Khaleefa (Information Security Specialist) Commented:
I recommend that when the user logs in, you save his ID in a session or some variable

and at the Master Page (Page is post back) re-validate the user and extend the timeout
☠ MASQ ☠ Commented:
Google uses persistent cookies - you're going to need something client-side on the user's machine to identify the logged in status of the account but you could store all the user preferences and settings server-side.  Google stores most of your preferences client-side.  Check your browser cookies and delete their cookies individually if you want to see how their use of multiple cookies manages your communications with them (including tracking and advertising). Cookies are inherently understood by browsers and if your interface is browser-based I'd think carefully about reinventing the cookie.
btan (Exec Consultant) Commented:
long session login >> persistent session - Considerations have to include use of long-term data storage using session, cookie and/or cache. See further points below. Definitely I see them as more appropriate data containers than QueryStrings

(a) Session - as long as the user is active, plus a timeout period (typically 20 minutes), e.g. "timeout" can be configured in the Web.config or Machine.config with the sessionState element. However, the challenge is that ASP.NET_SessionId is a session cookie, so as soon as the user closes the browser it gets another SessionID. It does not persist. Session needs more "helping", especially when it is not supposed to store login information. Typically a separate cookie with the FormsAuthentication cookie or own authentication cookie, depending on the login system used.
(b) Cookie - Possibly need to have two cookies for ASP.NET_SessionId and another own app cookie, whereby the value in the former is the content of your own app cookie. Your own app cookie has the value for the SessionID and includes an Expires period (maybe based on DateTime ..). The challenge is to make sure the own app cookie is around... a persistent cookie is not bad

(c) Cache - The Cache object may be better preferred for persisting data within an ASP.NET application. Like, it has the ability to execute a callback (uses delegates or function pointers) when an item in the cache expires.

Ref - https://msdn.microsoft.com/en-us/magazine/cc300437.aspx

just few quick thoughts ... but having prolonged session may not be wise - wearing the security hat ...
goodk (Author) Commented:
Here are some of the challenges/questions/comments I have.

1- The server (I am using GoDaddy.com) times out the session variables in only 5 minutes.
2- Do you think some people may not allow cookies to be deposited?  If yes, then how is it a general solution?
3- I can use this, `string sessionId = System.Web.HttpContext.Current.Session.SessionID;`  So should this may be not enough to keep a user logged in and identified, if I am saving the session in my DB? My question is, does it get refreshed even if the session has expired when the form is resubmitted after, say, a few hours?
goodk (Author) Commented:
OK, this is the algorithm I am thinking of.

1- Save the sessionid and associated user info in a DB.
2- Send sessionid as a hidden field on all forms and some salts.
3- Use cookies if a user is on his personal computer and has cookies on, for a prolonged login.

Does that make any sense to the experts? Please comment. Thanks
btan (Exec Consultant) Commented:
2 - The client browser has cleaned away the cookies, and yes, they can be disabled on a managed enterprise machine, and some even strip them off at their proxy (browsing from the office and using an office machine). Hence to "solve" this, another cookie store was created on the client side and they called these “server cookies”. When the user decided to turn off cookies, these cookies stay alive, as they are in a different store. The rule of cookie checks has to be verified by yourself at the backend, and the store for server cookies was designed to purge when the user left the site. You on the server side have some control. The end result is while it is harder to turn off server cookies in all browsers, it is not impossible if user still .

3 - It follows the "ASP.NET_SessionId" by default and is reused as long as the cookies have not expired based on the timeout as shared prev., but once the browser is closed or a new (re-)login session is initiated, the sessionID changes.

In short, for Server Side Persistence you are looking at Database, Files (XML or otherwise), Cache (temporary) and Session (temporary). For Client Side Persistence, cookies are the means. Catch fig 1 in https://msdn.microsoft.com/en-us/magazine/cc300437.aspx

Session may be more preferred but note
If the user has disabled cookies, then the ASP.NET framework uses the URL to keep track of session and authentication data. The unique session ID is then put in the URLs and used to track the user session. If the web page contains links, i.e. hrefs, then the same session ID will also be associated with all the href links. This process is known in ASP.NET terminology as cookie munging.

From your steps proposed, it looks fine using the DB ( I assumed MS SQL) https://msdn.microsoft.com/en-us/library/ms178194(v=vs.140).aspx

Cookies can still be considered, just that they are not easy to manage at the client end. If used, you need to secure that cookie with the httponly and secure flags turned on to persist. You should also never store sensitive data in a cookie, such as user names, passwords, credit card numbers, and so on.
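
The approach the thread arrives at (a server-side record of the login plus a persistent cookie with HttpOnly and Secure set and no sensitive data in it), shown as an added example that is not code from any poster or from ASP.NET itself. The class name `PersistentLogin`, the cookie name `app_login` and the in-memory dictionary standing in for the database table are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example: PersistentLogin and the cookie name are assumed names, and the
// dictionary stands in for the database table of issued logins.
public static class PersistentLogin
{
    private const string CookieName = "app_login";
    private sealed class Entry { public string UserId; public DateTime ExpiresUtc; }
    private static readonly ConcurrentDictionary<string, Entry> Store =
        new ConcurrentDictionary<string, Entry>();
    // Only a SHA-256 of the token is kept server-side, so a copy of the
    // table does not contain values that can be sent back as cookies.
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.ASCII.GetBytes(token)));
    }
    // After a successful password check: the cookie holds a random token only.
    public static HttpCookie Issue(string userId, TimeSpan lifetime)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = BitConverter.ToString(raw).Replace("-", "");
        DateTime expires = DateTime.UtcNow.Add(lifetime);
        Store[Hash(token)] = new Entry { UserId = userId, ExpiresUtc = expires };
        return new HttpCookie(CookieName, token)
        {
            Expires = expires,  // persistent: survives a browser restart
            HttpOnly = true,    // not readable from page script
            Secure = true       // sent over HTTPS only
        };
    }
    // On each request: the user id, or null if the token is unknown or expired.
    public static string Validate(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        string key = Hash(cookie.Value);
        Entry entry;
        if (!Store.TryGetValue(key, out entry)) return null;
        if (entry.ExpiresUtc > DateTime.UtcNow) return entry.UserId;
        Store.TryRemove(key, out entry);  // expired: drop the record
        return null;
    }
}
```

In a page, `Response.Cookies.Add(PersistentLogin.Issue(userId, TimeSpan.FromDays(14)))` would follow a successful login (the 14 days is a constructed value), and `PersistentLogin.Validate(Request)` would run at the start of each request.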

goodk (Author) Commented:
Thank you so much.  Would someone have a C# library to do this to share?
btan (Exec Consultant) Commented:
Maybe good to catch this from codeproject - not a library, but the guide-through will help, with some sample code shared... http://www.codeproject.com/Articles/32545/Exploring-Session-in-ASP-Net
...and this on various session state options
let us see what all session management techniques are present in the ASP.NET framework.