Programatically Logging in a User

[Jonathan Wood]

I'm writing code to log in a user without using the standard Login control.

The following code seems to do the trick.

if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, true);

But I don't get why.

Membership.ValidateUser() tells me if the credentials are valid but appears
not to actually log the user in.

FormsAuthentication.RedirectFromLoginPage() appears that it DOES log the
user in. But the docs don't seem to say anything about that:

"The RedirectFromLoginPage method redirects to the URL specified in the
query string using the ReturnURL variable name. For example, in the URL
http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, the
RedirectFromLoginPage method redirects tothe return URL caller.aspx. If the
ReturnURL variable does not exist, the RedirectFromLoginPage method
redirects to the URL in the DefaultUrl property."

My question is: Does anyone know if this is the "preferred" way to log in a
user without using the Login control. And if RedirectFromLoginPage logs a
user in, does anyone know why this wasn't documented?

Thanks.

 

[Gregory A. Beamer]

FormsAuthentication.RedirectFromLoginPage() appears that it DOES log the
user in. But the docs don't seem to say anything about that:

It does not directly, but look at the signature:

public static void RedirectFromLoginPage(
string userName,
bool createPersistentCookie,
string strCookiePath
)

The only reason to create a cookie is to track the user, so this does log
the user in at this time. I am not sure this is the best design, but since
you are in control of the code, you can determine whom to redirect and whom
not to.

Peace and Grace,

 

[Jonathan Wood]

It still seems like the docs would mention that the user is logged in, as
that is the end result.

BTW, I noticed that the createPersistentCookie flag appears to mean logging
back in is not required for, maybe, 20 minutes. Does anyone know how to
increase this amount of time?

 

[Guest]

I'm writing code to log in a user without using the standard Login control.

The following code seems to do the trick.

if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
    FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, true);

But I don't get why.

Membership.ValidateUser() tells me if the credentials are valid but appears
not to actually log the user in.

It looks like the description on MSDN site is not correct. They said
"Membership.ValidateUser: Verifies that the supplied user name and
password are valid.", while I think they need to mention that this is
also "Authenticates a user using supplied credentials." like this
stays here: http://msdn.microsoft.com/en-us/magazine/cc163703.aspx

 

[Jonathan Wood]

It looks like the description on MSDN site is not correct. They said
"Membership.ValidateUser: Verifies that the supplied user name and
password are valid.", while I think they need to mention that this is
also "Authenticates a user using supplied credentials." like this
stays here: http://msdn.microsoft.com/en-us/magazine/cc163703.aspx

Based on my tests, Membership.ValidateUser does not authenticate. It only
tells you if the login is valid. So I think the MSDN documentation is
correct there. However, I think the MSDN documentation for
FormsAuthentication.RedirectFromLoginPage is incomplete.

The article you linked looks interesting though. I'll check that out.

Thanks.

Jonathan

 

[Gregory A. Beamer]

It still seems like the docs would mention that the user is logged in,
as that is the end result.

BTW, I noticed that the createPersistentCookie flag appears to mean
logging back in is not required for, maybe, 20 minutes. Does anyone
know how to increase this amount of time?

The main difference between cookies is this:

false = session cookie - deleted when browser is closed
true = persistent cookie - stays despite browser close

The persistent cookie is set to 30 minutes, by default, but can be extended
by the cookieTimeout attribute of the roleManager tag in web.config. This
can be a sliding amount of minutes, as set by the cookieSlidingExpiration
(true|False) in roleManager. The default for sliding is true, so it is
normal the user gets X minutes after his last hit and not just x minutes.

Peace and Grace,

 

[Jonathan Wood]

The main difference between cookies is this:

false = session cookie - deleted when browser is closed
true = persistent cookie - stays despite browser close

The persistent cookie is set to 30 minutes, by default, but can be
extended
by the cookieTimeout attribute of the roleManager tag in web.config. This
can be a sliding amount of minutes, as set by the cookieSlidingExpiration
(true|False) in roleManager. The default for sliding is true, so it is
normal the user gets X minutes after his last hit and not just x minutes.

Right. But for more relaxed security requirements, I'd like to implement a
*real* remember me checkbox along the lines of sites like Facebook where
users don't have to log in for many days or even months. (The "remember me"
option used by the Login control seems rather pointless.)

I'll check out the cookieTimeout attribute; however, it sounds like that's
in minutes, which may not sufficiently address what I'm trying to do here.
I'm just wondering if the ASP.NET membership can support a real remember me
option, or if I just need to implement it myself.

Thanks.

Jonathan

 

[Gregory A. Beamer]

Right. But for more relaxed security requirements, I'd like to
implement a *real* remember me checkbox along the lines of sites like
Facebook where users don't have to log in for many days or even
months. (The "remember me" option used by the Login control seems
rather pointless.)

Store your own cookie and log them in using the same mechanism if the
cookie is present. That is essentially what other sites do for "remember
me". If you don't think so, then delete all cookies and go back to one of
those sites.

Peace and Grace,

 

[Jonathan Wood]

I believe you. I was just trying to figure out if ASP.NET membership
included this functionality (being how they included it partially via the
"remember me" check box). If not (and it appears they don't) I'll need my
own cookie as you suggest.

Thanks.

 

[Gregory A. Beamer]

I believe you. I was just trying to figure out if ASP.NET membership
included this functionality (being how they included it partially via
the "remember me" check box). If not (and it appears they don't) I'll
need my own cookie as you suggest.

At one time, I thought that was the purpose too. And, you could make the
cookie last for a ridiculous number of minutes and have it serve that
purpose, if you needed to. But if you need a "forever" type of cookie, then
code your own.

Peace and Grace,