 

asp.net 'Remember me' not working anymore with forms authentication

I have two websites with self-written membership providers that are hosted on the same server in the same Web in different web-applications and different application pools.

Formerly I had the problem that I could not log on to both sites together. Thanks to Remy's post, this works now; I had to add the name-attribute to the forms element.
But now I have the problem that the remember-me option of the asp login-control stopped working. The user is logged off after the normal session-timeout.

The authentication-attributes in the web.config file look as follows:

<authentication mode="Forms" >
  <forms loginUrl="~/UserMgmt/Login.aspx" timeout="400000" slidingExpiration="true" name="NameOfTheSite"/>
</authentication>

I have also set the cookie name for the forms authentication to different names.

Is there something else that I have to add, so that the remember-me feature works?

Update
I have observed that if I disable encryption and validation for the forms authentication-cookie, the problem is gone. If I activate either encryption, validation or both, the problem occurs again.
I also know that it's independent of the session-cookie names (they could even be identical). Maybe this information helps someone to figure out what's going on?

Update 1
Thanks to Jason Kealey for the solution to this problem. I would never have found it. In the meantime I've found the corresponding information in MSDN. In "How To: Configure MachineKey in ASP.NET 2.0", the section "Web Farm Deployment Considerations" says:

If you want to isolate your application from other applications on the same server, place the <machineKey> in the Web.config file for each application on each server in the farm. Ensure that you use separate key values for each application, but duplicate each application's keys across all servers in the farm.

HCL asked Jan 18 '11 19:01



2 Answers

The issue may be that you have validation keys that are automatically generated every time you launch the worker process. The cookie is encrypted, but when you come back a new server-side key is used and thus your cookie cannot be decrypted.

Check out the machineKey section http://msdn.microsoft.com/en-us/library/ff649308.aspx

Here is something that will generate the machineKey section for you http://www.qualitydata.com/products/aspnet-membership/help/configuration/no-machinekey.aspx

Jason Kealey answered Oct 18 '22 18:10
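The following is an added example, not code from the question or either answer: a small Python check that flags web.config files whose machineKey is missing, auto-generated, or shared with another application, and that builds a replacement element with fresh random keys. The names `audit`, `new_machine_key`, `web_config` and the site names are hypothetical, the sample configs are constructed from the forms element in the question, and the key sizes (64-byte validation key for SHA1, 32-byte decryption key for AES) are an assumption chosen for ASP.NET 2.0.

```python
import secrets
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")

def new_machine_key():
    """Return a <machineKey> element with fresh random keys for ONE application."""
    validation = secrets.token_hex(64).upper()  # 64 bytes = 128 hex chars (SHA1 HMAC key)
    decryption = secrets.token_hex(32).upper()  # 32 bytes = 64 hex chars (AES-256 key)
    return (f'<machineKey validationKey="{validation}" decryptionKey="{decryption}" '
            'validation="SHA1" decryption="AES" />')

def audit(configs):
    """configs maps an application name to its web.config text; returns findings."""
    findings, owner = [], {}
    for app, text in configs.items():
        mk = next(ET.fromstring(text).iter("machineKey"), None)
        if mk is None:
            findings.append((app, "no <machineKey>, keys are inherited (AutoGenerate by default)"))
            continue
        for attr in KEY_ATTRS:
            # An absent attribute falls back to the auto-generated default.
            value = mk.get(attr, "AutoGenerate").upper()
            if value.startswith("AUTOGENERATE"):
                findings.append((app, f"{attr} is auto-generated"))
            elif (attr, value) in owner:
                findings.append((app, f"{attr} is shared with {owner[(attr, value)]}"))
            else:
                owner[(attr, value)] = app
    return findings

def web_config(machine_key=""):
    """Constructed sample web.config using the forms element from the question."""
    return ('<configuration><system.web>'
            '<authentication mode="Forms">'
            '<forms loginUrl="~/UserMgmt/Login.aspx" timeout="400000" '
            'slidingExpiration="true" name="NameOfTheSite"/>'
            '</authentication>' + machine_key + '</system.web></configuration>')

if __name__ == "__main__":
    before = {"SiteA": web_config(),
              "SiteB": web_config('<machineKey validationKey="AutoGenerate,IsolateApps" '
                                  'decryptionKey="AutoGenerate,IsolateApps" />')}
    for finding in audit(before):
        print("before:", finding)
    after = {app: web_config(new_machine_key()) for app in before}
    print("after:", audit(after) or "each application has its own explicit keys")
```

Generate the element once per application and copy that same element to every server that hosts the application; the key values are secrets and belong under the same access control as any other credential in web.config.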


Try setting the domain name to be sure that the remember-me cookie is set correctly in all cases

<forms  path="/" domain="nameof.com" ...the rest
Aristos answered Oct 18 '22 18:10