Sign on duration, persistence of cookies

I don’t think EWL documentation ever really says how long users are logged in for, and if the login survives browser restarts, etc. It would be nice if it did, and it may be nice to be able to have some control over it. What if I want to make something like Facebook on a mobile device where you are logged in until the NSA zaps your computer with an electromagnetic ray?


I agree with this. I don’t know the best place for the documentation, but feel free to add it somewhere if you want.

Here are the places in the code you’d need to change:

Session duration, which affects both forms authentication and session state:
https://enduracode.kilnhg.com/Code/Ewl/Group/Canonical/Files/Standard%20Library/EnterpriseWebFramework/UserManagement/FormsAuthStatics.cs#22

Cookie setting, where you can make the cookie persistent by setting an expiration date:
https://enduracode.kilnhg.com/Code/Ewl/Group/Canonical/Files/Standard%20Library/EnterpriseWebFramework/UserManagement/FormsAuthStatics.cs#207

So you think if I wanted to have you enter your password every 6 months or something huge like a lot of mobile apps do, I’d specify that value in both those places? In the session state case, would a value that large have any meaning? It would obviously expire whenever the app pool recycled. I guess I’m not sure what you mean when you say it affects forms auth too - is that just because EWL uses it as a value for multiple things?

Yes.

Yes, that’s true. But no big deal unless you’re actually using session state for a lot of important stuff. I barely ever use it at all these days.

Yes, EWL uses it for two things: the session expiration and the forms auth ticket expiration. This latter expiration is different from the expiration of the cookie in which the ticket resides. You can have an expired ticket inside a still-active cookie.
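To make the ticket-versus-cookie distinction concrete, here is an added illustration using the standard ASP.NET `System.Web.Security` forms authentication API. It is not EWL’s code and does not reflect what `FormsAuthStatics.cs` does internally; the ticket and cookie lifetimes are made-up values chosen only to show the two clocks diverging. The point for anyone tuning sign-on duration is that a persistent cookie with a far-off `Expires` still carries a ticket with its own `Expiration`, and the server-side check must consult the ticket, not the cookie.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not part of EWL). Demonstrates that the forms auth ticket
// and the cookie that carries it expire independently.
public static class SignOnLifetimeDemo
{
    // Builds a persistent cookie whose ticket expires much sooner than the cookie itself.
    // ticketLifetime: how long the server will honour the ticket.
    // cookieLifetime: how long the browser will keep sending the cookie.
    public static HttpCookie CreateLoginCookie(string userName, TimeSpan ticketLifetime, TimeSpan cookieLifetime)
    {
        var now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: userName,
            issueDate: now,
            expiration: now.Add(ticketLifetime),   // server-side expiry
            isPersistent: true,                     // survives browser restarts
            userData: string.Empty);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                        // keep script from reading the ticket
            Secure = true,                          // only send over HTTPS
            Expires = now.Add(cookieLifetime)       // browser-side expiry, independent of the ticket
        };
        return cookie;
    }

    // What a request handler should do: decrypt and check the ticket's own expiry.
    // Returns the user name if the ticket is still valid, otherwise null.
    public static string ValidateLoginCookie(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException)
        {
            return null; // tampered or wrong machine key
        }

        // The cookie may still be live in the browser while the ticket inside it has expired.
        if (ticket == null || ticket.Expired)
            return null;

        return ticket.Name;
    }
}

// Usage sketch inside a page or handler:
//   var cookie = SignOnLifetimeDemo.CreateLoginCookie("alice", TimeSpan.FromMinutes(20), TimeSpan.FromDays(180));
//   Response.Cookies.Add(cookie);
//   ...
//   var user = SignOnLifetimeDemo.ValidateLoginCookie(Request.Cookies[FormsAuthentication.FormsCookieName]);
//   // After 20 minutes the browser still sends the cookie, but ValidateLoginCookie returns null.
```

If the goal is the month-or-longer mobile sign-on discussed above, both lifetimes have to be raised together; raising only the cookie expiry produces exactly the "expired ticket inside a still-active cookie" situation. Long ticket lifetimes also mean a stolen cookie is usable for that whole window, so a long-lived login is usually paired with a server-side way to revoke it (a per-user token or session version that the handler checks alongside `ticket.Expired`).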

Technically session state doesn’t have to be stored in memory.

So, this worked for me, but long-term it seems like there needs to be some sort of… RequiresLazySecurity (as opposed to RequiresEnhancedSecurity) to support the case where people log in on a mobile device and don’t expect to have to do it again for at least a month.