 

RememberMe with DotNetOpenId in ASP.NET MVC

Using DotNetOpenAuth 3 in ASP.NET MVC and implementing a RememberMe facility ...

I'm finding that even if I set createPersistentCookie to true in FormsAuthentication.RedirectFromLoginPage and FormsAuthentication.SetAuthCookie the user is not remembered once the ASP.NET session times out.

If I inspect the cookie I find it is marked as persistent and does have an expiry date way in the future, I assume because I set my web.config FORMS timeout to a few years away. Anyhow, if the user closes the browser and re-opens it they are remembered correctly - as long as the ASP session hasn't timed out.

An older post of Scott Hanselman's makes me wonder if it is because FormsAuthentication tries to renew the authentication ticket, and maybe in an OpenId model that doesn't work, but I have set FORMS SlidingExpiration="false" in web.config, and anyway I thought that forcing a persistent cookie would make that stuff irrelevant.

I'm also wondering why the DotNetOpenId MVC sample doesn't include a RememberMe checkbox - maybe there's something tricky about it?

On the other hand, here at StackOverflow I see I am automatically remembered across sessions. Wondering whether they used something other than DotNetOpenId to do their OpenId authentication.

Anybody else done RememberMe successfully with DotNetOpenId in ASP.NET MVC? Any tricks?

[Update]

Thanks for trying to help, Andrew. Turns out this was not about DotNetOpenId.

I gather, after reading this, that my hosting provider is probably recycling the app pool regularly and that's causing the authentication ticket encryption to be done with a new machine key.

As per the preceding linked article I added the following under System.Web in my Web.Config and it resolved the issue:

<machineKey
    validationKey="(generated a new key to place here)"     
    decryptionKey="(generated a new key to place here)"
    validation="SHA1"
    decryption="AES" />

Martin asked Apr 20 '09 13:04
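
The failure mode described in the update, as an added example that is not part of the original post: a simplified Python model in which the auth cookie carries only an HMAC-SHA1 tag (the AES encryption step is omitted), with `AppPool`, `survives_recycle` and the sample user as hypothetical names. It assumes, as the update does, that a recycle without a configured `machineKey` yields new keys; `generate_machine_key` produces hex keys sized for `validation="SHA1"` (64 bytes) and `decryption="AES"` (32 bytes).

```python
import hashlib
import hmac
import secrets


def generate_machine_key():
    """Random hex keys: 64 bytes for validation="SHA1", 32 bytes for decryption="AES"."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}


def protect(ticket: bytes, validation_key_hex: str) -> bytes:
    """Append an HMAC-SHA1 tag, the role validation="SHA1" plays for the cookie."""
    key = bytes.fromhex(validation_key_hex)
    return ticket + hmac.new(key, ticket, hashlib.sha1).digest()


def unprotect(cookie: bytes, validation_key_hex: str):
    """Return the ticket if the tag verifies under this key, else None."""
    key = bytes.fromhex(validation_key_hex)
    ticket, tag = cookie[:-20], cookie[-20:]  # SHA-1 tag is 20 bytes
    expected = hmac.new(key, ticket, hashlib.sha1).digest()
    return ticket if hmac.compare_digest(tag, expected) else None


class AppPool:
    """Hypothetical stand-in for a worker process and its key material."""

    def __init__(self, configured_key=None):
        self.configured_key = configured_key
        self.recycle()

    def recycle(self):
        # Assumption from the update: no configured key means new keys per restart.
        self.keys = self.configured_key or generate_machine_key()

    def issue(self, user: str) -> bytes:
        return protect(user.encode(), self.keys["validationKey"])

    def authenticate(self, cookie: bytes):
        return unprotect(cookie, self.keys["validationKey"])


def survives_recycle(pool: AppPool) -> bool:
    """Issue a cookie, recycle the pool, and check the cookie still authenticates."""
    cookie = pool.issue("martin")  # constructed sample identity
    pool.recycle()
    return pool.authenticate(cookie) == b"martin"
```

`survives_recycle(AppPool())` returns `False`, while `survives_recycle(AppPool(generate_machine_key()))` returns `True`, which is the effect of pinning the keys in Web.Config.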


1 Answer

Does the cookie name match in your web.config file and your controller's call to FormsAuthentication.SetAuthCookie? This may be a bug in the DNOI sample, but I suspect if you have a cookie name in your web.config file (as the DNOI sample does), then you probably have to set the cookie name as the third parameter to SetAuthCookie or RedirectFromLoginPage. Otherwise, forms auth doesn't recognize the persistent cookie you set as the login cookie.

Andrew Arnott answered Oct 15 '22 10:10