Logging in a user automatically



I'm having a little problem automatically logging a user in after we've forced them to change their password (as part of the login process).

This is what I'm doing at the moment:


Common.Settings.DefaultSecurity.AuthenticateUser("username", "password", out loggedInUser);

FormsAuthentication.SetAuthCookie("username", false);



AuthenticateUser returns true, an .EPiServerLogin cookie is added to the Response, and the user is redirected to the start page, but when they get there they get bounced back to the log in screen and the .EPiServerLogin cookie is removed, presumably because the auth cookie isn't accepted.

Does anybody know if the IUser.UserName is the right field to use when setting the auth cookie, or whether there is an EPiServer implementation of FormsAuthentication I should be using, or perhaps I have to create a custom FormsAuthenticationTicket with some specific fields which EPiServer requires?

Any help much appreciated,


Dec 06, 2011 12:25

Validating users: 
bool credentialsAreValid = System.Web.Security.Membership.ValidateUser(username, password);
// or
bool credentialsAreValid = System.Web.Security.FormsAuthentication.Authenticate(username, password);
// NOTE: Only verifies credentials, does not log user in

Authentication (logging in) a user:
EPiServer.Security.PrincipalInfo.CurrentPrincipal = EPiServer.Security.PrincipalInfo.CreatePrincipal(username); 

When using FormsAuthentication.SetAuthCookie("username",false) the "false" value indicates that the cookie should not be persisted. 
A cookie is deleted (invalidated) on the client when the user is logged out or when the cookie expires. Non-persisted cookies expire when the browser session ends.

Are you using HTTPS for the login page but HTTP for the pages visible to authenticated users? Do you have <forms .. RequireSSL="true"> in your web.config? If so, the cookie you set is invalidated when switching from HTTPS to HTTP during login.

Edited, Dec 14, 2011 12:26
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.