09-17-06 12:28 AM
Hello Steve,
I'm not sure about the exact solution to the problem that you are
reporting; however, you may want to rethink making the authentication
cookie persistent. This would typically represent a significant security
risk.
I would suggest that you take a look at the CS2007 starter site (currently
the CTP release). The starter site uses a separate "Remember Me" cookie
that is persistent, but the presence of this cookie is not used to
authenticate the user. So if the user returns in a separate browser
session, the site can recognize the user from the cookie but the user is
still required to authenticate before checking out or accessing private
user information.
Hope that helps
-djm
--
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2006 Microsoft Corporation. All rights
reserved.
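The split described in the reply above, as an added example that is not part of the original thread and not the starter site's code: a short-lived, session-only authentication cookie plus a separate persistent cookie that only recognizes the visitor. The `LoginCookies` class, its method names and the `RememberMe` cookie name are hypothetical, and ASP.NET forms authentication is assumed, as in the quoted snippet.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added illustration; RememberMeCookieName and the method names are hypothetical.
public static class LoginCookies
{
    private const string RememberMeCookieName = "RememberMe"; // assumed name

    // Call after the membership provider has validated the credentials.
    public static void IssueCookies(HttpResponse response, string userName, bool rememberMe)
    {
        // The lifetime that counts is the Expiration inside the encrypted ticket,
        // so it is set here (30 minutes) rather than by editing cookie.Expires later.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false /* isPersistent */, string.Empty, FormsAuthentication.FormsCookiePath);
        HttpCookie auth = new HttpCookie(FormsAuthentication.FormsCookieName,
                                         FormsAuthentication.Encrypt(ticket));
        auth.Path = FormsAuthentication.FormsCookiePath;
        auth.HttpOnly = true;
        auth.Secure = FormsAuthentication.RequireSSL;
        // No Expires: the authentication cookie disappears with the browser session.
        response.Cookies.Add(auth);

        if (rememberMe)
        {
            // Persistent, but only a recognition hint: it is never used to authenticate.
            HttpCookie hint = new HttpCookie(RememberMeCookieName, HttpUtility.UrlEncode(userName));
            hint.Expires = DateTime.Now.AddYears(1);
            hint.HttpOnly = true;
            response.Cookies.Add(hint);
        }
    }

    // Client-supplied and unauthenticated: use only to greet or pre-fill the login form.
    public static string GetRecognizedUserName(HttpRequest request)
    {
        // Browsers send back only name=value, so a request cookie's Expires is not populated.
        HttpCookie hint = request.Cookies[RememberMeCookieName];
        return hint == null ? null : HttpUtility.UrlDecode(hint.Value);
    }

    // Checkout and account pages gate on this, not on the hint cookie.
    public static bool IsAuthenticated(HttpContext context)
    {
        return context.User != null && context.User.Identity.IsAuthenticated;
    }
}
```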
--------------------
Subject: RE: Login in Commerce Server
Date: Tue, 12 Sep 2006 04:05:04 -0700
I forgot to mention:
The default timeout duration is 30min. Setting a high value like 525600 to
cover a whole year is not the best solution for an e-Commerce website,
since a user might close his browser without logging off, and the cookie
will remain on the computer he was using. So I need to set the timeout to
30min and change that value to a high number for users who check the
"remember me" box.
If I get the cookie from the request and try to change its expiration time
(for ex. add 1 year), then push the cookie back to the client with
Response.Cookies.Add(cookie); the cookie still maintains an expiration date
of 1/1/0001: expired.
"Steve" wrote:
> Hello,
>
> I am using a login control on the login page of a website running MSCS 2007
> using UpmMembershipProvider as default provider. The website module where
> "authenticate request, begin request, end request" are very similar to MSCS
> 2007 starter site.
>
> Most is going well, but for a problem with the Login control remember me.
>
> I know that the remember me set will mark a cookie as persistent to survive
> a browser restart BUT will not last for 50 years as in ASP.net 1.1
>
> So I tried a code (like the one in here : to make it expire after a long
> period of time) for ex:
> if (enLogin.RememberMeSet == true)
> {
>     HttpCookie cookie =
>         Request.Cookies.Get(FormsAuthentication.FormsCookieName);
>     if (cookie != null)
>     {
>         // change the value to increase the cookies expiration by 1 year
>         cookie.Expires = DateTime.Now.AddYears(1);
>         HttpContext.Current.Response.Cookies.Add(cookie);
>     }
> }
>
> But the cookie still expires after the period specified in the timeout
> property of the authentication - forms member of the web.config
>
> Furthermore, if I retrieve all the cookies from the Response object, I can't
> get any cookie !!! even before timeout duration...
>
> If I retrieve all cookies in the Request object, all cookies expire in
> 0001, i.e. expired; the duration specified in: cookie.Expires =
> DateTime.Now.AddYears(1); is not set.
>
> Any advice concerning this issue? I haven't found any solution yet on the
> internet regarding this problem. Please advise.