gerrylowry
? how to disable "remember me" from ASP.NET MVC v1.0 LogOn
Oct 05, 2009 02:07 PM
The default LogOn ActionResult uses LogOn.aspx and looks like this:
    [AcceptVerbs(HttpVerbs.Post)]
    [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings",
        Justification = "Needs to take same parameter type as Controller.Redirect()")]
    public ActionResult LogOn(string userName, string password, bool rememberMe, string returnUrl)
    {
        if (!ValidateLogOn(userName, password))
        {
            return View();
        }
        // Original line: true or false (user is given a choice via <%= Html.CheckBox("rememberMe") %>)
        // FormsAuth.SignIn(userName, rememberMe);
        FormsAuth.SignIn(userName, false); // force always false, never remember
        // ... (the rest of the action is not shown in the post)
    }
I have changed rememberMe to the constant false to disable this feature.
Note: that is the only code that I have changed. This is still for all intents and purposes the do nothing application that is immediately available after creating a new ASP.NET MVC Web Application.
PROBLEM: even though I have disabled the rememberme "feature",
after I close the web page, then shut down VS2008 and
restart VS2008 and retest my ASP.NET MVC v1.0 default
application, the last logged on user is still logged on.
I am guessing that this is caused by a cookie that will time out.
I hope so.
QUESTION: how can the above behaviour be prevented?
Thank you.
Regards,
Gerry (Lowry)
Augi
Re: ? how to disable "remember me" from ASP.NET MVC v1.0 LogOn
Oct 05, 2009 02:19 PM
"even though I have disabled the rememberme "feature", after I close the web page, then shut down VS2008 and restart VS2008 and retest my ASP.NET MVC v1.0 default application, the last logged on user is still logged on."
You have to delete the cookie from your browser too. I think that this could be easily done by clicking Logout in your application...
gerrylowry
Re: ? how to disable "remember me" from ASP.NET MVC v1.0 LogOn
Oct 05, 2009 03:56 PM
Hi Augi ... problem is I do not want the cookie to be created in the first place.
Or, if for some reason in the ASP.NET MVC architecture (or ASP.NET in general) the cookie must be created, I would prefer it not persist the login beyond the "session".
Also, since AFAIK, end users can disable cookies altogether, I would rather not have cookies used.
I do not pretend to have the kind of in-depth understanding of the ASP.NET MVC architecture that Brad Wilson et al. have. So much happens behind the scenes that it amazes me. Also, often things that happen behind the curtains are not even from ASP.NET MVC itself. LogOn/LogOff use of the default membership provider falls into this latter category. For me, the lines between ASP.NET MVC and the things that ASP.NET MVC "talks to" are still very blurry.
MORE INFORMATION
My concern is this. Person A uses my application and forgets to log off. Later Person B, using Person A's computer (with permission) accesses my site. From any data that I log, it will appear that Person A actually did the work that was done by Person B.
Disabling "remember me" will not eliminate this problem entirely. Example: Person A goes to lunch and lets Person B do her/his job until Person A returns from lunch. I know the "perfect" system is for all intents and purposes an impossible goal; nevertheless, the closer that I can get to the "perfect" system, the better.
Thank you.
Gerry
paul.vencill
Re: ? how to disable "remember me" from ASP.NET MVC v1.0 LogOn
Oct 06, 2009 04:51 AM
You can set the cookie timeout explicitly to a very short time, if you like, Gerry. Something like explained here: http://blog.jitbit.com/2009/07/aspnet-forms-authentication-remember-me.html but with the intent of letting it die quickly.
gerrylowry
Re: ? how to disable "remember me" from ASP.NET MVC v1.0 LogOn
Oct 06, 2009 07:11 AM
Thank you Paul ... very interesting link ...
I think the ideal would be not to involve
cookies at all ... after all, people can
disable cookies on their computers AFAIK.
Unfortunately source code for ASP.NET membership
is not available even though ASP.NET MVC source
code has been made available.
Does anyone know how the ASP.NET membership
handles this when the end user has turned off cookies?
g/
Eilon
Microsoft
Re: ? how to disable "remember me" from ASP.NET MVC v1.0 LogOn
Oct 06, 2009 04:50 PM
Hi Gerry,
I just tried this on ASP.NET MVC 1.0 and using IE7 as my browser and I got the expected behavior. I created a new account, closed my browser, and then visited the site again and I was not logged in. I then manually logged in, closed the browser, and opened it again, and once again I was not logged in.
Thanks,
Eilon
paul.vencill
Re: ? how to disable "remember me" from ASP.NET MVC v1.0 LogOn
Oct 06, 2009 06:05 PM
afaik, you have to tell the app in the web.config not to use cookies. If you do, it puts a fugly key in the URL. Not the best way to go...
Unfortunately, your options are limited to cookies, URL, or else doing form posting all the time. Of the three, cookies are the best choice, imo.
Eilon
Microsoft
Re: ? how to disable "remember me" from ASP.NET MVC v1.0 LogOn
Oct 06, 2009 08:52 PM
Paul, that's not exactly true.
The "false" parameter that Gerry was using is a parameter that indicates that ASP.NET's Membership functionality should use a session cookie instead of a persistent cookie. In other words, with "false" once you close the browser window the cookie goes away.
You shouldn't need to change anything in web.config to get this behavior.
The only reasons I can think of for this not working are either that the web browser is busted or that, as another poster suggested, there might have been an older cookie from a previous session that was already marked as persistent.
Thanks,
Eilon
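Added example, not part of the thread or of the ASP.NET MVC project template: one way to combine the two suggestions above, the short timeout paul.vencill mentions and the non-persistent (session) cookie Eilon describes, by issuing the forms authentication ticket by hand. The class name SessionOnlySignIn, the method name Issue and the 15-minute IdleMinutes value are assumptions made for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; SessionOnlySignIn, Issue and IdleMinutes are hypothetical names.
public static class SessionOnlySignIn
{
    // Assumed limit in minutes; size it to how long a desk is left unattended.
    private const int IdleMinutes = 15;

    // Call from the LogOn action after ValidateLogOn succeeds, e.g.
    // SessionOnlySignIn.Issue(Response, userName);
    public static void Issue(HttpResponseBase response, string userName)
    {
        DateTime now = DateTime.Now;

        // The expiry lives inside the encrypted ticket and is checked by the
        // server on each request, so the login lapses even if the browser
        // stays open. With slidingExpiration enabled in web.config the ticket
        // is renewed while the user is active, making this an idle timeout.
        var ticket = new FormsAuthenticationTicket(
            1,                            // ticket format version
            userName,
            now,                          // issue date
            now.AddMinutes(IdleMinutes),  // expiration
            false,                        // isPersistent: no "remember me"
            String.Empty,                 // userData (unused)
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));

        // cookie.Expires is deliberately left unset: with no expiry date the
        // browser keeps the cookie in memory only and drops it on exit. It
        // also replaces an older persistent cookie with the same name, domain
        // and path.
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // hidden from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows <forms requireSSL>

        response.Cookies.Add(cookie);
    }
}
```

The session cookie covers the "forgot to log off, browser closed" case; the ticket expiry covers the case where the browser is left open on a shared machine.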
paul.vencill
Re: ? how to disable "remember me" from ASP.NET MVC v1.0 LogOn
Oct 06, 2009 09:12 PM
Eilon,
My mistake. Gerry asked about scenarios when users have cookies disabled in their browser; my understanding was that when a browser disables cookies entirely, then you keep neither session cookies nor persistent cookies. The way I read this article: http://msdn.microsoft.com/en-us/library/aa479314.aspx, it sounded like that was the case.
Are you saying that browsers w/o cookie support, or those that have cookies turned off will still pass cookies back to the server, they just won't save them? That doesn't quite make sense to me, but it's probably my ignorance.
gerrylowry
Re: ? how to disable "remember me" from ASP.NET MVC v1.0 LogOn
Oct 09, 2009 04:23 AM
Hi Eilon,
I'm not sure I can reproduce it ... it could be random ... it could be me.
I more or less did what you describe above and my results were different.
Later, my results are similar to yours.
Thank you and Paul for your input.
So much to do; so little time. B-(
Gerry