Clever Geek Handbook

User logs out with "Remember me"

I seem to be having trouble understanding how Identity 2.0 and cookies work. ASP.NET MVC 5.

What I want: If a user logs in and he checks the Remember me checkbox, I don't want him to log out ever. But the following happens: the user logs out after a certain period of time.

The Remember Me feature works if the user closes the browser before the break. (When he opens the website again, he logs in anyway.)

This is the login code:

 public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
 {
      if (!ModelState.IsValid)
      {
           return View(model);
      }

      // Require the user to have confirmed their email before they can log on.
      var user = await UserManager.FindByNameAsync(model.Email);
      if (user != null)
      {
           if (!await UserManager.IsEmailConfirmedAsync(user.Id))
           {
                await SendEmailConfirmationTokenAsync(user.Id);

                ModelState.AddModelError("", "Gelieve eerst je e-mailadres te bevestigen.");
                return View(model);
            }
      }

      // This doesn't count login failures towards account lockout
      // To enable password failures to trigger account lockout, change to shouldLockout: true
      var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: true);
      switch (result)
      {
           case SignInStatus.Success:
                return RedirectToLocal(returnUrl);
           case SignInStatus.LockedOut:
                return View("Lockout");
           case SignInStatus.Failure:
           default:
                ModelState.AddModelError("", "Ongeldige aanmeldpoging.");
                return View(model);
      }
 }

And this is the code in Startup.Auth:

 app.UseCookieAuthentication(new CookieAuthenticationOptions
 {
      AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
      LoginPath = new PathString("/Account/Login"),
      ExpireTimeSpan = TimeSpan.FromMinutes(5),
      Provider = new CookieAuthenticationProvider
      {
           // Enables the application to validate the security stamp when the user logs in.
           // This is a security feature which is used when you change a password or add an external login to your account.

           OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser, int>(
                validateInterval: TimeSpan.FromMinutes(10),
                regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager),
                getUserIdCallback: (id) => (id.GetUserId<int>()))
      }
 });

So, I expect the user to not be logged out after 5 minutes because the isPersistent flag is set in the PasswordSignInAsync function.

Thanx for any help.

+3


source to share


1 answer


This is a known bug .

It can be fixed by replacing it SecurityStampValidator.OnValidateIdentity

with your own code - when the cookie is generated, it forgets to add the "RememberMe" property to the new cookie, and this makes the new cookie not permanent.



I think this was resolved in version 2.2, but that version hasn't gone to production yet. And unfortunately I can't find the original bug report for this now.

+1


source






More articles:


All Articles