Configuring "Remember me" for logins

To enable the "Remember me" functionality for logins in LiSA (both when logging in to the LiSA backend and via the login controls on the front-end), follow the steps below.

1. Machine keys

What are the machine keys and what do they do?  From the MSDN documentation:

"Configures algorithms and keys to use for encryption, decryption, and validation of forms-authentication data and view-state data, and for out-of-process session state identification."

By default, the machine keys are unique for each application/website and are auto-generated at every application start event.  This means that if the application pool of the website restarts (which happens about once every 24 hours by default), all session data and forms-authentication tickets become invalid and all users will have to log in to the website again.

In order for sessions and forms-authentication tickets to "survive" app-pool/website restarts, the machine keys for the website need to be "fixed" so the website always uses the same keys.  If the website runs on multiple servers, they all need to share the same keys.

To provide fixed keys, you can use the IIS management interface to generate the keys and apply them to the web.config file.  The node which needs to be added is this one:

<machineKey decryptionKey="YOUR-DECRYPTION-KEY" validationKey="YOUR-VALIDATION-KEY" />

and it needs to be located within the <system.web> node.

2. Forms-auth cookie settings

Next, make sure that the .ASPXAUTH cookie, which is set by the .NET framework, is properly configured.  It should use a sliding expiration, which means that the expiry date is reset and extended at every request.  The cookie then only expires if there has been no activity by the user during the entire expiry time.  You can set it to a "far-future" value, like 259200 minutes (six months), or really whatever value you like.  In that case, the cookie would only expire if the user has not accessed the website for six months, after which the user would have to re-authenticate.

Locate the <forms /> node under the <authentication /> node in the web.config file and it should look like the following:

<forms loginUrl="lisa/Login.aspx" defaultUrl="lisa/Default.aspx" slidingExpiration="true" protection="All" timeout="259200" path="/" />

You can of course adjust the timeout value as you wish.
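
To verify steps 1 and 2 on a deployed site, the following Python script (an added example, not part of LiSA or of the original page) parses a web.config and reports which of the settings above are missing. The function name audit_web_config and the finding texts are made up for this example, it assumes the <configuration> root carries no XML namespace, and its requireSSL check goes beyond the steps on this page.

```python
import re
import xml.etree.ElementTree as ET

HEX_KEY = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")  # whole bytes, hex-encoded

def audit_web_config(xml_text):
    """Check the <machineKey> and <forms> settings from steps 1 and 2; return findings."""
    system_web = ET.fromstring(xml_text).find("system.web")
    if system_web is None:
        return ["no <system.web> node"]
    findings = []
    machine_key = system_web.find("machineKey")
    for attr in ("decryptionKey", "validationKey"):
        value = machine_key.get(attr, "") if machine_key is not None else ""
        if not value or "AutoGenerate" in value:
            findings.append(f"{attr}: auto-generated, not fixed")
        elif not HEX_KEY.match(value):
            findings.append(f"{attr}: not a hex key (placeholder left in?)")
    forms = system_web.find("authentication/forms")
    if forms is None:
        return findings + ["forms: node missing under <authentication>"]
    if forms.get("slidingExpiration", "").lower() != "true":
        findings.append("forms: slidingExpiration is not set to true")
    if forms.get("protection", "All") != "All":
        findings.append("forms: protection is not All")
    if not forms.get("timeout", "").isdigit():
        findings.append("forms: timeout is not a number of minutes")
    # Added check, not one of the page's steps: keep a long-lived ticket on HTTPS only.
    if forms.get("requireSSL", "").lower() != "true":
        findings.append("forms: requireSSL is not true")
    return findings

# Constructed sample: the page's two snippets with the placeholder keys left in.
SAMPLE_CONFIG = """<configuration><system.web>
  <machineKey decryptionKey="YOUR-DECRYPTION-KEY" validationKey="YOUR-VALIDATION-KEY" />
  <authentication mode="Forms">
    <forms loginUrl="lisa/Login.aspx" defaultUrl="lisa/Default.aspx"
           slidingExpiration="true" protection="All" timeout="259200" path="/" />
  </authentication>
</system.web></configuration>"""

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it flags both placeholder keys and the missing requireSSL attribute; a config with real hex keys and requireSSL="true" returns no findings.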

3. Make sure "Allow remember me" is enabled (applicable for the front-end login controls)

The following only applies to the front-end login controls.  The "Remember me" functionality for the LiSA backend login form is always enabled.

If the "Allow remember me" functionality is not enabled, the forms-auth cookie will only be set as a "session cookie", so it will expire when the user closes and re-launches his/her web browser.

Once enabled, make sure that the XSLT template/Razor view used for the login control correctly outputs a checkbox which the user can tick if he/she wants to be remembered.

The checkbox needs to have the name "RememberMe" and the checked value should be "on", like so:

<input type="checkbox" name="RememberMe" value="on" />
