Question

I am working on permanent login in an MVC.NET application. I have tried using IsPersistent = true in FormsAuthentication, but if I restart IIS then it logs out the users. Below is the code which is responsible for logging in.

    public void SetLoginData(UserLoginInfo userLoginInfo)
    {
        HttpContext.Current.Session[SessionUserEmailIdKey] = userLoginInfo.Email;
        HttpContext.Current.Session[SessionWelcomeNameKey] = userLoginInfo.FirstName;
        HttpContext.Current.Session[SessionWelcomeRegistrationIdKey] = userLoginInfo.RegistrationId;

        HttpContext.Current.Session[SessionLoginInfoKey] = userLoginInfo;
        const bool isPersistent = true;
        const string userData = "user";

        var ticket = new FormsAuthenticationTicket(1,
            userLoginInfo.RegistrationId.ToString(CultureInfo.InvariantCulture),
            DateTime.UtcNow,
            DateTime.UtcNow.AddMinutes(180),
            isPersistent,
            userData,
            FormsAuthentication.FormsCookiePath);

        string encTicket = FormsAuthentication.Encrypt(ticket);
        HttpContext.Current.Request.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
        HttpContext.Current.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
    }

Please tell me how I can implement login so that even though the app restarts, users will not be logged out.

Solution

In order to create perpetual logins, you will need to make sure two things are in place (since you are using FormsAuthentication).

First, ensure your ticket expiration time is set to some time way out in the future:

    var ticket = new FormsAuthenticationTicket(1,
        userLoginInfo.RegistrationId.ToString(CultureInfo.InvariantCulture),
        DateTime.UtcNow,
        DateTime.UtcNow.AddYears(20),
        isPersistent,
        userData,
        FormsAuthentication.FormsCookiePath);

Second (and most likely why users are getting kicked out of the site when you reboot IIS) is to create a machineKey section in your web.config with a static key pair set. By default, IIS autogenerates a machineKey per app. This is what is used to encrypt/decrypt your forms authentication tickets. If IIS restarts, you will most likely get a new machine key in this instance, which means that the ticket cannot be decrypted... meaning the user has to log in again. By creating/defining a static key, you can prevent a key change when IIS recycles. Information on setting the machine key can be found on MSDN here.

Lastly, forms authentication has ZERO to do with sessions and session management. They are mutually exclusive and do not impact each other in typical scenarios. When a user logs in, they are given an encrypted cookie containing the expiration time and user name. This is NOT stored in session, so adjusting session settings will have no impact on user logins.
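
One way to produce the static key material the answer describes, as an added example that is not part of the original answer. The class name `MachineKeyGenerator` is hypothetical, and the choice of HMACSHA256 validation with AES decryption and 32-byte keys (available from .NET Framework 4.0) is an assumption.

```csharp
using System;
using System.Security.Cryptography;

// Added example: generates random key material and prints a <machineKey>
// element to place inside <system.web> in web.config.
public static class MachineKeyGenerator
{
    // Returns byteCount cryptographically random bytes as upper-case hex.
    public static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", string.Empty);
    }

    // Builds the element with freshly generated keys.
    // Assumption: HMACSHA256 validation and AES decryption, 32 bytes per key.
    public static string BuildMachineKeyElement()
    {
        string validationKey = RandomHex(32); // signs the ticket
        string decryptionKey = RandomHex(32); // encrypts the ticket
        return string.Format(
            "<machineKey validation=\"HMACSHA256\" validationKey=\"{0}\"{2}" +
            "            decryption=\"AES\" decryptionKey=\"{1}\" />",
            validationKey, decryptionKey, Environment.NewLine);
    }

    public static void Main()
    {
        // Run once and paste the output into web.config; rerunning it
        // produces new keys and invalidates every ticket already issued.
        Console.WriteLine(BuildMachineKeyElement());
    }
}
```

Anyone who obtains these keys can forge authentication tickets, so keep the generated values out of source control, and use the same element on every server that must accept the same cookies.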

Licensed under: CC-BY-SA with attribution