ASP.NET Identity Remember Me

ASP.NET Identity comes with a built-in Remember Me checkbox on the Login form. When it is checked, the user is supposed to stay logged in, via a persistent authentication cookie, for a period of time that you set in code.

However, it sometimes does not work as expected and users have to log in again far more often than the configured lifetime would suggest, which causes quite a bit of frustration. The first reaction is to modify the code, test, rinse and repeat, possibly still with the same unsuccessful result... but did you also check your website's IIS settings?


Code Settings

Let's first take a look at the code configuration settings. If you create a new default MVC 5.x application in Visual Studio (with Authentication set to Individual User Accounts) the following code is generated in /App_Start/Startup.Auth.cs (shown here with the ExpireTimeSpan line, which the template does not emit, already added):

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Re-checks the security stamp stored in the cookie at most every 30 minutes
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    },
    // Not part of the generated template: add it to change the cookie lifetime (default 14 days)
    ExpireTimeSpan = TimeSpan.FromDays(14)
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

You'll only see validateInterval, which we'll get to shortly. The other relevant setting, ExpireTimeSpan, is unfortunately not part of the generated code, so you have to add it explicitly in order to change its value.


ExpireTimeSpan is the lifetime of the authentication ticket and cookie, 14 days by default, so change it to whatever your requirements call for. It works together with another setting, SlidingExpiration, which is also absent from the generated code and defaults to true. With sliding expiration on, the cookie is reissued with a fresh 14-day lifetime whenever the user comes back with a valid cookie after more than half of its lifetime has elapsed: a user who logs in and returns 10 days later gets another 14 days. To stop that behaviour and force a new login 4 days later (14 days after the original login) set SlidingExpiration to false. Two things worth keeping in mind: ExpireTimeSpan governs the ticket whether or not Remember Me was ticked (the checkbox only decides whether the cookie is persisted to disk or discarded when the browser closes), and a long lifetime combined with sliding expiration also extends the window in which a stolen cookie remains usable, so keep the value as short as your users will tolerate.

Ok, so what is validateInterval and why do we need it? It controls how often, at most every 30 minutes by default, the middleware re-checks the security stamp embedded in the cookie against the one stored for the user. The security stamp changes when the password is changed or an external (3rd party) login is added or removed; if the stamps no longer match, the cookie is rejected and the user is signed out. That is a useful security control, since it bounds how long an existing session stays valid after a password change, but it is rarely something you need to tune compared to ExpireTimeSpan, so it's a pretty odd decision to show the property that's rarely going to be modified and hide the one that you most probably want to change.
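Here is the whole configuration with both hidden settings spelled out, together with the Login action that feeds the Remember Me checkbox into the cookie. This is an added example, not the post's own code or the Visual Studio template verbatim; it assumes the types the Individual User Accounts template generates (ApplicationDbContext, ApplicationUserManager, ApplicationSignInManager, ApplicationUser, LoginViewModel) and uses an assumed 7-day lifetime.

```csharp
// Added example, not the original post's or the Visual Studio template's code.
// Startup.Auth.cs with the two settings the template leaves at their defaults
// (ExpireTimeSpan, SlidingExpiration) written out, plus the part of the Login
// action that turns the Remember Me checkbox into a persistent cookie.
// ApplicationDbContext, ApplicationUserManager, ApplicationSignInManager,
// ApplicationUser and LoginViewModel are the template-generated types.
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            // Lifetime of the authentication ticket. The template default is 14 days;
            // 7 days is an assumed value for this example.
            ExpireTimeSpan = TimeSpan.FromDays(7),

            // Default is true: a request made after more than half of ExpireTimeSpan
            // has elapsed reissues the cookie with a fresh lifetime. false gives a
            // hard cutoff ExpireTimeSpan after login.
            SlidingExpiration = false,

            Provider = new CookieAuthenticationProvider
            {
                // At most every 30 minutes, compare the security stamp in the cookie
                // with the one in the store; a mismatch (password changed, external
                // login added or removed) rejects the cookie and signs the user out.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    }
}

public class AccountController : Controller
{
    private ApplicationSignInManager SignInManager
    {
        get { return HttpContext.GetOwinContext().Get<ApplicationSignInManager>(); }
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // isPersistent comes straight from the Remember Me checkbox. true writes a
        // cookie with an Expires attribute of now + ExpireTimeSpan; false writes a
        // browser-session cookie, although the ticket inside it still expires after
        // ExpireTimeSpan.
        SignInStatus result = await SignInManager.PasswordSignInAsync(
            model.Email, model.Password, model.RememberMe, shouldLockout: false);

        switch (result)
        {
            case SignInStatus.Success:
                // Only follow returnUrl when it is local, to avoid an open redirect.
                return Url.IsLocalUrl(returnUrl)
                    ? (ActionResult)Redirect(returnUrl)
                    : RedirectToAction("Index", "Home");
            case SignInStatus.LockedOut:
                return View("Lockout");
            default:
                ModelState.AddModelError("", "Invalid login attempt.");
                return View(model);
        }
    }
}
```

If you only want a hard 7-day limit you can leave SlidingExpiration at its default and rely on the user not visiting the site; setting it to false is what actually guarantees the cutoff.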


IIS Settings

So you've made all the code changes yet it's still not working as expected for end users, what's going on? One more thing to check is your web application's IIS settings, in particular the application pool's Idle Time-out.

If you go to your application pool's Advanced Settings in IIS Manager, scroll down to the Process Model section and check the Idle Time-out (minutes) value; the corresponding Idle Time-out Action will typically be Terminate.

The default Idle Time-out is 20 minutes: if no request arrives for that long the worker process is shut down, which can easily happen on low-traffic sites or during off hours. Authentication cookies are protected with the ASP.NET machine key, and if that key is auto-generated and not persisted across worker-process restarts, cookies issued before the shutdown can no longer be validated once the process comes back up. So with an ExpireTimeSpan of, say, 1 day, users will have to log back in before that, possibly more than once, which is frustrating for end users.

The recommended setting is simply to set Idle Time-out (minutes) to 0, which disables it. There are cases where you want the app pool to recycle more often; for those, tweak the Application Pool recycling settings (Regular Time Interval, 1740 minutes by default) rather than the idle timeout, or adjust both together as needed. If logins still do not survive a recycle, make sure the cookie does not depend on an auto-generated key: an explicit <machineKey> element in web.config keeps cookies valid across worker-process restarts and is required anyway once the site runs on more than one server.
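To check and correct the setting from code rather than by clicking through IIS Manager, here is an added example (not part of the original post) that uses the Microsoft.Web.Administration assembly shipped with IIS. It has to run elevated on the web server; the pool name "MyAppPool" and the 1-day cookie lifetime it compares against are assumed placeholders.

```csharp
// Added example, not from the original post. Reads an application pool's
// Idle Time-out and regular recycling interval with Microsoft.Web.Administration
// (reference %windir%\System32\inetsrv\Microsoft.Web.Administration.dll and run
// as Administrator on the IIS host) and disables the idle timeout when it is
// shorter than the cookie lifetime configured in ExpireTimeSpan.
using System;
using Microsoft.Web.Administration;

public static class AppPoolIdleTimeout
{
    // True when the worker process can be shut down for inactivity before a
    // Remember Me cookie expires, i.e. the situation described in the post.
    public static bool NeedsFix(TimeSpan idleTimeout, TimeSpan cookieLifetime)
    {
        return idleTimeout != TimeSpan.Zero && idleTimeout < cookieLifetime;
    }

    public static int Main(string[] args)
    {
        // Placeholder pool name; the cookie lifetime is the 1-day example from the post.
        string poolName = args.Length > 0 ? args[0] : "MyAppPool";
        TimeSpan cookieLifetime = TimeSpan.FromDays(1);

        using (var server = new ServerManager())
        {
            ApplicationPool pool = server.ApplicationPools[poolName];
            if (pool == null)
            {
                Console.Error.WriteLine("No application pool named '{0}'", poolName);
                return 1;
            }

            TimeSpan idle = pool.ProcessModel.IdleTimeout;          // 00:20:00 by default
            TimeSpan regular = pool.Recycling.PeriodicRestart.Time; // 1.05:00:00 (1740 min) by default

            Console.WriteLine("Idle Time-out (minutes): {0}", idle.TotalMinutes);
            Console.WriteLine("Regular recycle interval (minutes): {0}", regular.TotalMinutes);

            if (!NeedsFix(idle, cookieLifetime))
            {
                Console.WriteLine("Idle Time-out is already disabled or longer than the cookie lifetime.");
                return 0;
            }

            // Same effect as entering 0 for Idle Time-out (minutes) in IIS Manager.
            pool.ProcessModel.IdleTimeout = TimeSpan.Zero;
            server.CommitChanges();
            Console.WriteLine("Idle Time-out set to 0 (disabled) for '{0}'.", poolName);
            return 0;
        }
    }
}
```

The same change from a command prompt is appcmd set apppool "MyAppPool" /processModel.idleTimeout:00:00:00, run from %windir%\System32\inetsrv. Either way, the Regular Time Interval is left alone here on purpose: a scheduled recycle is a separate decision from the idle shutdown, and it is the idle shutdown that bites low-traffic sites.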

Happy Coding!


[original publish date: 01/15/16]
