Remember me on this computer. What is it supposed to do?
I have tried logging into my Sitefinity web site with the Remember me on this computer checkbox checked and unchecked. Either way I still get the same cookies created on my browser. And if I shut down the browser and reopen it I am still logged in. The session timeout appears to be set by the Administration-Settings-Advanced-Security-AuthCookieTimeout regardless of whether the checkbox is checked or not. And when I log out and come back to the login screen the username field is not populated with the username.
So what exactly is the point of the Remember me on this computer checkbox? What is it supposed to do?
Hello,
Thank you for contacting us.
I checked the log in form and indeed the "Remember me" functionality has an issue. I have logged a bug internally and it will be fixed for the next releases with higher priority because it is a regression.
Remembering your user name and password in the input fields is browser functionality and we can't do anything there. Please check your browser settings if it has enabled functionality for saving form data.
I know this is an old thread but we are using a very recent version of Sitefinity and seeing this same behavior in Chrome. Regardless of whether the remember me is checked or not the user is remembered. Then on other machines the user is never remembered. Was this bug actually fixed?
Hello,
Such an issue is no longer present in Sitefinity. Can you please check whether you have the option AuthCookieIsPersistent checked in Administration -> Settings -> Advanced -> Security? Furthermore, are you experiencing the same behavior on other browsers? Have you deleted your cookies and cache before attempting the tests?
Furthermore you can check out this blog post about Sitefinity Authentication Expiration for further information on the topic.
Regards,
Velizar Bishurov
Telerik
What version of Sitefinity is the fix in? I am on Sitefinity 7.0.5100.0 Enterprise Edition.
I am seeing the exact same behavior whether or not the Remember Me checkbox is checked. If AuthCookieIsPersistent is checked, then I am not logged out even if I close my browser and re-open it. If AuthCookieIsPersistent is not checked, then if I close my browser, I am always logged out.
Is there some other setting I'm missing?
Edit:
Also, I looked at www.sitefinity.com/.../sitefinity-authentication-expiration but I'm still not clear on what the expected behavior is if the user checks the checkbox. Can you explain what behavior I should be seeing if the checkbox is checked?
When the persistent is checked then like Bo you are never logged out no matter what. I uncheck that in the backend and then remember me does nothing - I'm never remembered. I have a support ticket open.
Hi,
In general, when you click the "remember me" - i.e. the checkbox is clicked you are to be remembered as long as your cookies are present (until you delete them). This means that you should remain logged in after browser restarts. If it is unchecked this means that the moment your session ends (either browser close or due to inactivity) your cookie is deleted and you are no longer logged in.
There are settings in the backend that control this behavior and you can modify them to best suit your scenario. By going to Administration -> Settings -> Advanced -> Security you can see the settings "BackendUsersSessionTimeout" and "AuthCookieIsPersistent". The first controls how long the cookie will keep the person logged in to the backend and the second makes the cookie persist through session regardless of the checkbox's state. However, it should be noted that Sitefinity has no control over how the browser manages cookies. This means that Sitefinity only tells the browser to set or unset a cookie. What the browser does after that is beyond Sitefinity's control. This is why, before jumping to conclusions, you should always test the behavior on different browsers and/or different machines.
Furthermore, it has been noted that in some very rare cases the ISP has a very aggressive caching strategy and interferes with the cookie duration. This is why it is also recommended to test this on different networks as well.
Regards,
Velizar Bishurov
Telerik
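A way to check what the login response actually tells the browser, independent of how any one browser then treats the cookie (an added example, not part of the original thread and not Sitefinity code): it parses the `Set-Cookie` headers captured from a login with the checkbox unchecked and checked, and reports whether each cookie is a session cookie or a persistent one. The header values, the timestamp and the helper names are constructed for illustration; `.ASPXAUTH` is used as the sample cookie name.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime_seconds(attrs, now):
    """None for a session cookie, else seconds until expiry.
    Max-Age takes precedence over Expires when both are present."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return int((expires - now).total_seconds())
    return None

def classify(headers, now):
    """Map cookie name -> 'session', 'persistent (Ns)' or 'deleted'."""
    result = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        life = lifetime_seconds(attrs, now)
        if life is None:
            result[name] = "session"
        elif life <= 0:
            result[name] = "deleted"  # expiry in the past removes the cookie
        else:
            result[name] = f"persistent ({life}s)"
    return result

def checkbox_has_effect(unchecked, checked, now):
    """True if ticking 'Remember me' changes any cookie's persistence."""
    return classify(unchecked, now) != classify(checked, now)

# Constructed sample data: capture time and the two login responses.
NOW = datetime(2015, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
UNCHECKED = [".ASPXAUTH=AAAA; path=/; HttpOnly"]
CHECKED = [".ASPXAUTH=BBBB; expires=Thu, 01 Jan 2015 22:00:00 GMT; path=/; HttpOnly"]

if __name__ == "__main__":
    print("unchecked:", classify(UNCHECKED, NOW))
    print("checked:  ", classify(CHECKED, NOW))
    print("checkbox changes persistence:", checkbox_has_effect(UNCHECKED, CHECKED, NOW))
```

If both captures classify identically, the checkbox is being ignored server-side and the difference is not a browser or network artifact.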
Here's some more information I discovered while investigating this.
When I check "Remember me on this computer" and log in, one cookie is created that is not created when I do not check the checkbox. It is .ASPXAUTH. So it does appear that the checkbox does something. However, the frontend does not seem to respect it.
In addition, here's a weird scenario that I discovered:
1. I check the "Remember me on this computer" checkbox and log in.
2. I restart my browser.
3. I visit a frontend page that has the permission setting "Denied Users: Anonymous". I am redirected to the login page and it appears that I am not logged in. I do not log in.
4. I visit the Sitefinity backend which shows that I am logged in.
5. I visit a frontend page again and now I am logged in!
This seems like a bug.
I got confirmation from Support that this is a bug. Here's the Feedback portal item tracking it: feedback.telerik.com/.../142653-remember-me-checkbox-on-the-frontend-login-widget-do-not-shows-the-user-as-logged
The only workaround I can think of for now is to hide the "Remember me on this computer" checkbox since it doesn't do anything. Then I can either set "AuthCookieIsPersistent" to true (which means all logins will persist through a browser restart) or set it to false (which means no login will persist across a browser restart).
I think setting AuthCookieIsPersistent to true is not going to work for me because we do not want our clients' customers to close the browser while still logged in and then someone can open the browser behind them and discover the customer is still logged in.
I have voted for the bug. My support incident is on-going and they had not recognized a bug. I did turn the persistent on for now as well. Thanks for getting involved in this one and sharing your findings.
Hi Bo - just FYI they were able to reproduce the issue finally and have escalated the bug. The workaround for now is to use the persistent cookies. Basically if you have your frontend login page set to anything then remember me doesn't really work - it will always send you to login:
From tech: "I have made some additional tests on my end. I have also consulted with the colleague that has logged this bug. I was able to reproduce the problem only in one specific scenario. This problem can be reproduced only if FrontEndLoginPageUrl is set from Administration -> Settings -> Advanced -> Project -> DefaultSite. In this scenario the user will be always redirected to the page where login widget is placed. Please accept my sincere apologies for the inconvenience."