DNN Community Forums: Our Community > General Discussion > DNN.com "Remember Me" Login Option - Ridiculous!

New Post
1/9/2008 9:58 PM

In this case the issue is specific to asp.net 2.0 forms authentication cookies, so any site that doesn't use asp.net 2.0 doesn't have the problem, and asp.net 2.0 sites that use other authentication methods such as passport/liveid/openid/ldap etc. don't have the problem. Other sites get around this by building in custom code to reevaluate the user credentials at key points e.g. at the point of purchase or whilst reviewing past purchase records etc. Finally, most sites do not allow you to post text that gets stored e.g. they only allow you to browse and purchase, and if you do enter text it's items such as your own credit card details which are not echoed back onto the screen. Sites that operate bulletin boards, forums, blogs etc, which allow users to post text/html etc. are targets for hackers who can use these areas to try XSS attacks e.g. this site had a successful XSS hack a number of months back, but due to the low expiration time, vigilant users, and the httponly protection built into the core, only a dozen or so accounts were exploited, rather than much more. On this basis alone I would not be keen on increasing the timeout.

Cathal


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
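The "reevaluate the user credentials at key points" mitigation described in the post above, as an added example (not DNN code or anything from the original thread): a hypothetical helper that inspects the ASP.NET 2.0 forms-authentication ticket behind a long-lived "remember me" cookie and forces a fresh login before a sensitive action if the ticket is older than a chosen window. The class and method names are assumptions; the `FormsIdentity`, `FormsAuthenticationTicket` and `FormsAuthentication` APIs are the real ASP.NET 2.0 ones.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (not DNN's code). Step-up check for sensitive pages when a
// persistent "remember me" forms-auth cookie is allowed: the cookie may be
// valid for days, but a stolen one should not be enough to buy, change a
// password or read account history. Names below are hypothetical.
public static class FreshLoginGuard
{
    // True when the current forms-auth ticket was issued within maxAge,
    // i.e. the user actually typed a password recently enough.
    public static bool IsFresh(IPrincipal user, TimeSpan maxAge, DateTime now)
    {
        FormsIdentity identity = (user == null) ? null : user.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return false;

        FormsAuthenticationTicket ticket = identity.Ticket;
        if (ticket.Expired)
            return false;

        // A persistent ticket can be far older than the forms timeout suggests;
        // IssueDate records when credentials were last presented, so that is
        // the value to compare, not Expiration.
        TimeSpan age = now - ticket.IssueDate;
        return age <= maxAge;
    }

    // Call at the top of a sensitive handler (purchase, profile edit, password
    // change). If the ticket is stale, drop the cookie and send the user through
    // the login page; RedirectToLoginPage preserves the ReturnUrl.
    public static void RequireFreshLogin(HttpContext context, TimeSpan maxAge)
    {
        if (IsFresh(context.User, maxAge, DateTime.Now))
            return;

        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}

// Usage inside a page or handler (hypothetical call site):
//   FreshLoginGuard.RequireFreshLogin(HttpContext.Current, TimeSpan.FromMinutes(15));
```

This complements, rather than replaces, the controls the post credits with limiting the damage: a short `timeout` on the `<forms>` element and `<httpCookies httpOnlyCookies="true" />` in web.config, which keep a stolen cookie both short-lived and unreadable from script.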
New Post
1/9/2008 10:37 PM

Thanks, sir. I'm with you.

I would have thanked you a bit sooner, but I swear I had to login again and had to clear the SSL popup. :)

New Post
1/10/2008 12:26 AM

Cathal,

I'm wondering if there's any way a 'secure' cookie can be used like my bank does? Granted, right now they only use it for Card #'s, but I'm assuming it could be used with the password as well? Though I'm not sure what language they use for their website:

https://www.rbcroyalbank.com/onlinebanking/remember_my_card/about.html

Just throwing that out there...

New Post
1/10/2008 1:57 PM

BfA,

your bank is simply using encrypted cookies. Our issue is specifically with asp.net 2.0 forms authentication cookies. We could stop using these and switch to conventional cookies (using encryption of course), but this would be a breaking change and would require any alternative login modules and authentication providers to be updated, so it's not a good design decision. If we were starting from scratch it's the approach that we would probably take, but we have to respect the existing implementations out there.

Cathal


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
New Post
3/21/2008 9:32 AM

I think this is a great example of a development community being overcome by their sense of security obligation.

Getting back to the fundamentals, some could say that an advertised feature "Remembering Login" is broken, crippled, non-functional... I prefer to say it simply fails to meet expectations.

If the concern then is risk, this risk needs to be shouldered by hosters... the dev community is only getting in the way by trying to shoulder this responsibility for hosters, and I believe for many, the chosen course of action has fallen short of what many hosters would like to have.

That's my 2 cents. I personally find the current scheme annoying as heck.
