
I'm trying to understand if this makes sense:

1. User logs in, checks "remember me" checkbox.
2. User logs out.
3. User comes back and is automatically logged in.

Basically, that's exactly what you'd expect to happen. This means it's working. Here's where it gets a little weird:

1. User logs in, checks "remember me" checkbox. (Or logs in using remember me.)
2. User is inactive for over 20 minutes, so the session times out.
3. User clicks a link and is sent to the sign in page.
4. User closes browser, then opens again. They are taken to the sign in page.

It would seem that "Remember Me" is turned off for this user when their session expires due to inactivity. I've tried to find something about this in the documentation, but to no avail. If this is expected behavior then that's cool, but I'd like to confirm.

We're using the Sitecore.Security.Authentication manager to set the cookie in the first place.

Josh C
  • I think in most apps the 'remember me' cookies are removed when the user logs off - this is the intended behaviour, and for me the logical one too. – Adam Hopkinson Oct 04 '12 at 11:29
  • I thought so, too, but I couldn't find any documentation to confirm that. (Or to contradict it, either.) – Josh C Oct 04 '12 at 20:32

2 Answers

In my experience, the "remember me" function has never worked properly. Seems to be a bug that has been there forever. I usually just let my browser store the login information for Sitecore if it's too difficult to remember.

Ruud van Falier

First of all, it is important to know that even the "remember-me" token has validation: the "cookie" expires after some time, and it is configurable, even though it has a default value. You need to check the default value.

Secondly, due to Single-Sign-Out, the "remember-me" cookie is supposed to be removed after signing out (just as @adam said in his comment). Remember me remembers the user across sessions, but not if he logged out. Think of it this way: say you have a Facebook or Google account, and you signed in after clicking "remember-me". Then you log off and come back again. You will be asked for your credentials again! (What if it is not you who tries to log in? Do you want Facebook to remember you even after you have signed out?)

The practical use of remember me is this: you log in to a website, then close your browser (without logging out!), and by closing the browser you "lose" the session. When you reopen the browser, you get a new session. Then remember-me comes into play: you will have access to the website without the need to enter credentials again.

OhadR
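
The lifecycle described in the second answer, and the idle-timeout case from the question, as a small language-neutral model. This is an added example, not code from either answer and not Sitecore's implementation. The class and method names are hypothetical, `REMEMBER_TTL` is an assumed lifetime, and storing only a hash of the token and rotating it on use are choices of this example.

```python
import hashlib
import secrets

SESSION_IDLE = 20 * 60         # idle timeout from the question (20 minutes)
REMEMBER_TTL = 14 * 24 * 3600  # assumed lifetime; check your product's real default


class AuthServer:
    """Hypothetical model: a short-lived session plus a persistent remember-me token."""

    def __init__(self):
        self.sessions = {}  # session id -> (user, last_seen)
        self.remember = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _h(token):
        # Only a hash is kept server-side, so a leaked store cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now, remember_me=False):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, now)
        token = None
        if remember_me:
            token = secrets.token_urlsafe(32)
            self.remember[self._h(token)] = (user, now + REMEMBER_TTL)
        return sid, token

    def logout(self, sid, token):
        # Explicit sign-out ends the session AND revokes the remember-me token.
        self.sessions.pop(sid, None)
        if token:
            self.remember.pop(self._h(token), None)

    def authenticate(self, sid, token, now):
        """Return (user, sid, token), or None when the sign-in page is required."""
        entry = self.sessions.get(sid)
        if entry and now - entry[1] <= SESSION_IDLE:
            self.sessions[sid] = (entry[0], now)  # sliding idle window
            return entry[0], sid, token
        self.sessions.pop(sid, None)  # idle timeout removes the session only
        rec = self.remember.pop(self._h(token), None) if token else None
        if rec is None or now >= rec[1]:
            return None  # no token, revoked token, or expired token
        # Valid token: open a new session and rotate the token (single use),
        # keeping the original expiry so the lifetime is not extended.
        new_sid, new_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[new_sid] = (rec[0], now)
        self.remember[self._h(new_token)] = rec
        return rec[0], new_sid, new_token
```

In this model a session that times out after 20 idle minutes does not touch the remember-me token; only `logout` or expiry removes it, which is the baseline to compare the observed behaviour against.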