Persistent Cookies in Forms Authentication

The examples you've seen so far have used a nonpersistent authentication cookie to maintain the authentication ticket between requests. This means that if the user closes the browser, the cookie is immediately removed. This is a sensible step that ensures security. It's particularly important with shared computers to prevent another user from using a previous user's ticket. Nonpersistent cookies also make session hijacking attacks (where a malicious user gains access to the network and steals another user's cookie) more difficult and more limited.

Despite the increased security risks of using persistent authentication cookies, it is appropriate to use them in certain situations. If you are performing authentication for personalization rather than for controlling access to restricted resources, you may decide that the usability advantages of not requiring users to log in on every visit outweigh the increased danger of unauthorized use.

Once you have decided to use persistent cookies, implementing them is easy. You simply need to supply a value of true rather than false for the second parameter of the RedirectFromLoginPage() or SetAuthCookie() method of the FormsAuthentication class. Here's an example:

FormsAuthentication.RedirectFromLoginPage(UsernameText.Text, True)

By default, persistent cookies do not expire unless the FormsAuthentication.SignOut() method is used. Persistent cookies are not affected by the timeout attribute that is set in the <forms> element of the web.config file. If you want the persistent cookie to eventually expire sometime in the future, you have to use the GetAuthCookie() method of FormsAuthentication, set the expiry date and time, and then write the cookie to the HTTP response yourself.

The following example rewrites the code that authenticates the user when the login button is clicked. It creates a persistent cookie but performs additional steps to limit the cookie's life span to ten days:

Protected Sub LoginAction_Click(ByVal sender As Object, ByVal e As EventArgs)
    If Not Page.IsValid Then
        Return
    End If

    If FormsAuthentication.Authenticate(UsernameText.Text, PasswordText.Text) Then
        ' Create the authentication cookie
        Dim AuthCookie As HttpCookie
        AuthCookie = FormsAuthentication.GetAuthCookie(UsernameText.Text, True)
        AuthCookie.Expires = DateTime.Now.AddDays(10)

        ' Add the cookie to the response
        Response.Cookies.Add(AuthCookie)

        ' Redirect to the originally requested page
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UsernameText.Text, True))
    Else
        ' User name and password are not valid
        LegendStatus.Text = "Invalid user name or password"
    End If
End Sub

The code for checking the credentials is the same in this scenario. The only difference is that the authentication cookie isn't added automatically. Instead, it's created with a call to GetAuthCookie(), which returns a new instance of HttpCookie, as shown here:

Dim AuthCookie As HttpCookie

AuthCookie = FormsAuthentication.GetAuthCookie(UsernameText.Text, True)

Once you've created the authentication cookie, you can retrieve the current date and time (using the DateTime.Now static property), add ten days to it (using the DateTime.AddDays() method), and use this value as the expiry date and time of the cookie:

AuthCookie.Expires = DateTime.Now.AddDays(10)

Next, you have to add the cookie to the HTTP response:

Response.Cookies.Add(AuthCookie)

Finally, you can redirect the user to the originally requested URL, which you can obtain by using the GetRedirectUrl() method:

Response.Redirect(FormsAuthentication.GetRedirectUrl(UsernameText.Text, True))

The end result is a cookie that will persist beyond the closing of the browser but that will expire after ten days, at which point the user will need to reenter credentials to log into the website.
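As an added example (not code from the original text), here is the same ten-day persistent login with two hardening steps that reduce the cookie-theft exposure mentioned at the start of this section: the cookie is marked HttpOnly so client-side script cannot read it, and Secure so the browser only sends it over HTTPS. This assumes ASP.NET 2.0 or later (where HttpCookie exposes the HttpOnly property) and a site served entirely over HTTPS; the helper name IssuePersistentLogin and the constant are my own.

```vbnet
' Added example: issue a persistent forms-authentication cookie that
' expires after ten days and is restricted to HTTPS and to HTTP-only use.
' Assumes ASP.NET 2.0+ (HttpCookie.HttpOnly) and an HTTPS-only site.
Private Const PersistentLoginDays As Integer = 10

Private Sub IssuePersistentLogin(ByVal userName As String)
    ' GetAuthCookie builds and encrypts the ticket but does not add it
    ' to the response; that is done explicitly below.
    Dim authCookie As HttpCookie = _
        FormsAuthentication.GetAuthCookie(userName, True)

    ' Limit the persistent cookie's life span; a persistent cookie is not
    ' governed by the <forms> timeout attribute, so set it here.
    authCookie.Expires = DateTime.Now.AddDays(PersistentLoginDays)

    ' Hardening: keep the ticket away from script and off plain HTTP.
    authCookie.HttpOnly = True
    authCookie.Secure = True

    Response.Cookies.Add(authCookie)
End Sub

Protected Sub LoginAction_Click(ByVal sender As Object, ByVal e As EventArgs)
    If Not Page.IsValid Then Return

    If FormsAuthentication.Authenticate(UsernameText.Text, PasswordText.Text) Then
        IssuePersistentLogin(UsernameText.Text)
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UsernameText.Text, True))
    Else
        LegendStatus.Text = "Invalid user name or password"
    End If
End Sub
```

If any page on the site is still served over plain HTTP, the Secure flag means the browser will not present the cookie there, so the user appears logged out on those pages; that is the intended trade-off.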
