
I can't find on the net what I'm looking for, so any help would be appreciated. I have implemented a custom login form where the user enters his email and password to log in. I then query the database with those credentials (the password is hashed and salted) and if both are found then I store the UserID in the Session state. If the user closes the browser then the Session is lost, so he would have to log in again. I learned about using cookies to implement the "Remember me" functionality, but I don't know what I should be storing in the cookie for the auto-login process and to make it secure.

PS: I know what a cookie is and how it works. I also know that storing the user credentials (email + password) in a cookie is NOT advised. I'm using ASP.NET 4.0 with C#.

Actually, I'm looking for the logic behind the auto-login system using cookies.

Thanks!

osmiumbin

3 Answers


You should just use FormsAuthentication to set the cookie:

FormsAuthentication.SetAuthCookie(theUserID, true); 

And then get it back:

string userId = HttpContext.Current.User.Identity.Name;

If you are worried about security, you can consider only using secure cookies (you will only be able to read that cookie over https).

There's more info on this in a related post: Manual Access control in ASP .Net

Update: According to your comment, you don't think you can set a Forms Authentication cookie in your custom login form. So I created a blank ASP.NET 4 project, where I created a custom login -- it will log in any unauthenticated user. Here are the three pieces:

The web.config (your project should have something similar since you have a form on your site where people login):

<authentication mode="Forms"></authentication>

The code front:

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="default.aspx.cs" Inherits="emptyWebApp._default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Example</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
     Username: <asp:Label ID="_username" runat="server"></asp:Label>
    </div>
    </form>
</body>
</html>

The code behind:

using System;
using System.Web;
using System.Web.Security;

namespace emptyWebApp
{
    public partial class _default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                _username.Text = HttpContext.Current.User.Identity.Name;
            }
            else
            {
                _username.Text = "Not logged in";
                FormsAuthentication.SetAuthCookie("CookieMan", true);
            }
        }
    }
}

As you can see, you can set an Authentication cookie using FormsAuthentication.SetAuthCookie in your own custom authentication function, even one as irrational as this.

In this case, the first time they hit the page, it will show Username: Not logged in and then it will log them in as "CookieMan". Refreshing the page will show Username: CookieMan.

MikeSmithDev
  • I'm using a **custom login** form, so why are you suggesting FormsAuthentication to me? – osmiumbin Feb 17 '13 at 20:20
  • ...because it works? That will set a cookie to hold the currently logged-in user's information. Try it. Although I would probably store the email instead of the userId. I've used this on my own custom logins with custom role providers. – MikeSmithDev Feb 17 '13 at 20:22
  • @osmiumbin added an example. Hopefully you'll play around with this and see it is a good and easy way to manage your auth cookie. – MikeSmithDev Feb 17 '13 at 22:00
  • OK thanks, I'll try it, but I'm confused: why is this better than the other way (using HttpCookie): http://www.codeproject.com/Articles/31914/Beginner-s-Guide-To-ASP-NET-Cookies – osmiumbin Feb 17 '13 at 23:58
  • @osmiumbin because the cookie it creates is recognized by the .NET framework and lets you use features like `User.Identity.IsAuthenticated`, ` – MikeSmithDev Feb 18 '13 at 00:03

Whenever I've done this, I just make up some random "SessionId" guid and use that value.

In your code you can keep a list of sessionId/UserId pairs and expire them as necessary.

Andrew Walters
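The server-side token table this answer describes, worked through in C# as an added example that is not part of the original post: the cookie holds only an opaque random value, the server keeps a hash of it with the UserID and an expiry, and logout deletes the record. RememberMeStore, Issue, Redeem and Revoke are names chosen here; the dictionary stands in for the database table, and writing the HttpCookie itself is left out so the snippet compiles without System.Web.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Server-side record of remember-me tokens (a DB table in a real app). Only a hash of each
// token is stored, so a copy of this table cannot be turned back into a working cookie.
public class RememberMeStore
{
    private class Entry { public int UserId; public DateTime ExpiresUtc; }
    private readonly Dictionary<string, Entry> _entries = new Dictionary<string, Entry>();
    private readonly TimeSpan _lifetime;
    public RememberMeStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // After the email/password check succeeds with "Remember me" ticked. Returns the value
    // to put in the cookie; set that cookie with HttpOnly = true and Secure = true.
    public string Issue(int userId, DateTime nowUtc)
    {
        byte[] raw = new byte[32];   // 256 CSPRNG bits; a Guid is not guaranteed unpredictable
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        _entries[Hash(token)] = new Entry { UserId = userId, ExpiresUtc = nowUtc + _lifetime };
        return token;
    }

    // On a request with no Session but with the cookie. Returns the UserID to put back
    // into Session, or null when the token is unknown or has expired.
    public int? Redeem(string token, DateTime nowUtc)
    {
        Entry e;
        string key = Hash(token);
        if (!_entries.TryGetValue(key, out e)) return null;
        if (e.ExpiresUtc <= nowUtc) { _entries.Remove(key); return null; }
        return e.UserId;
    }

    // On logout: drop the record so the old cookie value cannot be replayed.
    public bool Revoke(string token) { return _entries.Remove(Hash(token)); }
    private static string Hash(string token)
    {
        using (var sha = new SHA256Managed())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
    public static void Main()
    {
        var store = new RememberMeStore(TimeSpan.FromDays(30));
        DateTime now = new DateTime(2013, 2, 17, 20, 0, 0, DateTimeKind.Utc); // constructed clock
        string cookieValue = store.Issue(42, now);
        Console.WriteLine(store.Redeem(cookieValue, now));             // valid token: the UserID
        Console.WriteLine(store.Redeem(cookieValue, now.AddDays(31))); // expired: null, empty line
    }
}
```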