|
|
Mar
31
Posted by:
cathal connolly
3/31/2008 9:14 PM
Ever since the 4.x releases of DotNetNuke theres been a long standing issue with the behaviour of temporary and persistent cookies where there wasn't a way to set short periods of temporary cookie expiration and to specify longer periods for user who don't want to regularly log in. This was caused by a change in the way asp.net 2.0 handles the different types of authentication cookies (for the full background on this see http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1704/Default.aspx) .
After a few attempts, and with a helpful hint from Don Worthley, we finally got code in the 4.8.1 release that addresses this problem, and recently updated the dotnetnuke.com configuration to take advantage of this. At the minute if you log into dotnetnuke.com, but don't check the "remember me" checkbox a temporary cookie is created with a timeout of 2 hours. If you check the "remember me" checkbox, a persistant cookie is created with a timeout of 2 weeks. To work around this limitation of asp.net 2.0, we added a new web.config key, PersistentCookie, that get's read during login and some custom code then updates the cookie values approriately if "remember me" has been selected. This allows site owners to select values that allow for security for temporary users and convenience for those who want persistent cookies..
If you want to make similar changes to your own site, edit your web.config and update the following nodes to whatever value you require (the approriate fields are identied in bold below - all values are in minutes i.e. 60 minutes*24 hours*14 days=20160).
<forms name=".DOTNETNUKE" protection="All" timeout="120" cookieless="UseCookies" />
<add key="PersistentCookieTimeout" value="20160" />
26 comment(s) so far...
Re: a new solution to an old problem
Great work Cathal!
By messmail on
3/31/2008 10:43 PM
|
Re: a new solution to an old problem
Great work :)
By AdefWebserver on
3/31/2008 11:58 PM
|
Re: a new solution to an old problem
Thanks for the update, Cathal! And thanks for the tip, Don!
By dagilleland on
4/1/2008 11:48 AM
|
Re: a new solution to an old problem
thanks cathal!
By nghile on
4/1/2008 11:48 AM
|
Re: a new solution to an old problem
You the man!
By tmaler on
4/1/2008 12:31 PM
|
Re: a new solution to an old problem
Thanks for solution Cathal, just a liltle note: 60*24*12= 17280 and not 20160, or am I missing something?
By ant.mac on
4/1/2008 5:40 PM
|
Re: a new solution to an old problem
@ant.mac, it was a typo, i've updated the text to show it was 14 (as in 2 weeks)
By cathal on
4/1/2008 5:42 PM
|
Re: a new solution to an old problem
Finally I can stop hearing complaints about my users being logged out ever day. Since I have mostly public sites but with a few select user only content. It will be helpful to set a long persistant cookie option. Thanks for the work and resolution. :)
By keeperofstars on
4/2/2008 5:21 PM
|
Re: a new solution to an old problem
I've made this change to my site and it works great. I remain logged in not matter what I do. Unfortunately, I can't log out now either. I need to log in as the host user but I can't log out the admin user. Any idea on what I need to do?
By Jeff Reddy on
2/17/2010 7:06 PM
|
Re: a new solution to an old problem
@Anthony, no we never echo stored credentials as that would be a security risk. In addition, if a site has elected to use hashed passwords there is no way to retrieve that password.
By cathal connolly on
3/27/2010 4:04 PM
|
Re: a new solution to an old problem
@nonprofit - you're not doing anything wrong - remember me persists the cookie, not the username/password - it means if you return you will still be logged in. If you're not I'd check to see if you are running any security software such as norton internet security that might be blocking cookies.
By cathal connolly on
1/26/2010 10:43 PM
|
Re: a new solution to an old problem
@jeff reddy, just press the logout link, it deletes the relevant user cookie
By cathal connolly on
2/17/2010 1:44 PM
|
Re: a new solution to an old problem
@iadalang, if you disable the remember me chechbox a persistent cookie cannot be created, so the PersistentCookieTimeout setting value is never used. As you're only creating temporary cookies they will take their timeout value from the forms node timeout value.
By cathal on
6/2/2008 11:02 AM
|
Re: a new solution to an old problem
@makkabokka, no, it was only added in 4.8.1 - the code's pretty straightforward though (it's only about 20 lines), so you might consider backporting it.
By cathal on
7/11/2008 10:55 AM
|
Re: a new solution to an old problem
@Matthew -yes cookies are expired on logout. Blank username's are expected, autocomplete is disabled for login forms.
By cathal connolly on
8/12/2009 4:27 PM
|
Re: a new solution to an old problem
@nneves. i've tested and this does work in 4.9.4, please post you issue in the forums to get further help
By cathal connolly on
10/19/2009 5:48 PM
|
Re: a new solution to an old problem
If only we could do that for all of our server side cookies...
By hismightiness on
7/11/2008 10:54 AM
|
Re: a new solution to an old problem
Cathal, so the persistent cookie is destroyed when they hit the logout link? I've tried the IIS restart, and i'm still getting a blank username.
Is it possible that it might have something to do with the skin?
By Matthew Cushing on
8/12/2009 4:10 PM
|
Re: a new solution to an old problem
Will this work for 4.5.5? Thanks
By makkabokka on
7/11/2008 10:54 AM
|
Re: a new solution to an old problem
How will the PersistentCookieTimeout setting affect me in case I have completely disabled the remember me checkbox completely? Will my site then only use the temporary cookie with a default timeout of 2 hours (unless I change that also)?
By iadalang on
6/2/2008 11:01 AM
|
Re: a new solution to an old problem
I am using DNN 5.2.1 and I have made the following changes to the web.config file.
forms name=".DOTNETNUKE" protection="All" timeout="120" cookieless="UseCookies" />
I then logged into the web site and clicked remember me.
I then logged out.
I did not close my browser & then I clicked on login again - my username and password are still blank - ie I see no change.
What am I doing wrong?
Judy
By nonprofit on
1/26/2010 10:41 PM
|
Re: a new solution to an old problem
nice, but what was was expecting frankly, was that when users check the 'remember login' checkbox, the next time they log in the account information (username and password) is filled in automatically for them. Is this scenario possible with DotNetNuke?
Thanks for your contribution Cathal,
Anthony
www.webmove.be
Belgium
By Anthony Candaele on
3/27/2010 4:03 PM
|
Re: a new solution to an old problem
this does not work in version 4.9.4 of dnn.
Does anybody know a solution?
By nneves on
10/19/2009 5:46 PM
|
Re: a new solution to an old problem
I've made this change to my site and it works great. I remain logged in not matter what I do. Unfortunately, I can't log out now either. I need to log in as the host user but I can't log out the admin user. Any idea on what I need to do?
By Jeff Reddy on
2/17/2010 1:44 PM
|
Re: a new solution to an old problem
I wrote a simple module that may assist users updating the values Cathal mentions. It allows you enter separate values for PersistentCookieTimeout and Forms Timeout.
It is available for download as a PA for DNN 5.1 or greater at www.dws.ie/Blog/tabid/68/articleType/ArticleView/articleId/3/Remember-Me.aspx
By Declan Ward on
5/14/2010 4:49 PM
|
Re: a new solution to an old problem
Can I set the Remember Me box to be checked by default?
By cconser on
6/14/2010 10:02 AM
|
|
|