Vulnerability in EPiServer.Forms
I have a Relate site based on the Relate intranet templates (http://relateintranet.codeplex.com/). My "Remember me" box doesn't work. The auth cookie is only a session cookie. What may cause this?
Even EPi's demo site fails (http://relateintranet.episerver.com), but the "standard Relate" demo site works. I have other sites running on the same IIS, but pure CMS 6 R2 installs, which work perfectly. From what I can see, the web.config is the same for the authentication part...
Have you set a timeout on the cookie? By default it has a very low timeout.
<forms name=".EPiServerLogin" loginUrl="login.aspx" defaultUrl="/" timeout="50000000"/>
Yes I have. The thing is that the cookie is sent as a session cookie by the server, i.e. without an expiry date. I think I've checked "everything"...
Is there anything in the template's code that does something? I've been looking for something in the code, but I've not found anything.
Do you use the standard login page /util/login.aspx?
If you're using a custom login page you need to specify that the cookie should be persistent.
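For anyone on a custom login page rather than /util/login.aspx, here is an added example (not code from this thread, from EPiServer, or from the Relate templates) of where the "persistent" decision is made for the forms-authentication cookie and how to keep its lifetime bounded. It assumes a Login control named LoginCtrl whose Authenticate and LoggedIn events are wired to the two handlers below, a web.config forms element like the one earlier in the thread, and a 14-day cap that is my own choice; FormsAuthentication.GetAuthCookie, FormsAuthentication.Decrypt and Membership.ValidateUser are standard System.Web.Security members.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI.WebControls;

public partial class CustomLogin : System.Web.UI.Page
{
    // Hypothetical handler for Login.Authenticate on a custom login page.
    protected void LoginCtrl_Authenticate(object sender, AuthenticateEventArgs e)
    {
        Login login = (Login)sender;
        e.Authenticated = Membership.ValidateUser(login.UserName, login.Password);
    }

    // Hypothetical handler for Login.LoggedIn. The Login control has already
    // issued a cookie based on RememberMeSet at this point; this reissues it so
    // the persistence decision and its upper bound are explicit in one place.
    protected void LoginCtrl_LoggedIn(object sender, EventArgs e)
    {
        Login login = (Login)sender;

        // RememberMeSet == false => session cookie (no Expires header at all).
        bool persistent = login.RememberMeSet;
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(login.UserName, persistent);

        if (persistent)
        {
            // The ticket inside the cookie expires at now + <forms timeout>. With a
            // huge timeout that would be a multi-year credential, so cap the cookie
            // lifetime independently (14 days is an assumed value, not from the thread).
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
            DateTime cap = DateTime.Now.AddDays(14);
            authCookie.Expires = ticket.Expiration < cap ? ticket.Expiration : cap;
        }

        // Keep the cookie out of script and, on HTTPS, off plain-HTTP requests.
        authCookie.HttpOnly = true;
        authCookie.Secure = Request.IsSecureConnection;

        // Set() replaces the cookie of the same name that the Login control added.
        Response.Cookies.Set(authCookie);
    }
}
```

To confirm what the browser actually receives, look at the Set-Cookie header for .EPiServerLogin in the login response: a persistent cookie carries an expires= attribute, a session cookie does not. If the checkbox is ticked and expires= is still missing, the value of RememberMeSet is being lost before the cookie is issued, which is what the adapter discussion later in this thread is about.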
It's the standard page...
Hm.. Maybe I can attach to some event on FormsAuthentication to see what happens? Or maybe force the cookie to be a normal cookie, not a session cookie?
A control adapter is used to replace the ordinary login control. The open source project CSSFriendly is used and there seems to be an issue with "Remember Me".
One option is to skip using this control adapter and instead use the ordinary control. Open the file CSSFriendlyAdapters.browser located in the Circuit.RelatePlus.Intranet.Web project in the App_Browsers folder. Remove the adapter for System.Web.UI.WebControls.Login:
<!--<adapter controlType="System.Web.UI.WebControls.Login" adapterType="CSSFriendly.LoginAdapter" />-->
Another option is to handle the issue in the adapter, i.e. add the workaround suggested in this issue response: http://cssfriendly.codeplex.com/workitem/6311. Download and open the CSSFriendly solution and open the file LoginAdapter.cs. Locate OnInit and add an event listener for the LoggingIn event:
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        Login login = Control as Login;
        if (Extender.AdapterEnabled && (login != null))
        {
            login.LoggingIn += OnLoggingIn;   // the added listener
            login.LoggedIn += OnLoggedIn;
            login.LoginError += OnLoginError;
            _state = State.LoggingIn;
        }
    }
Then add the workaround code:
    protected void OnLoggingIn(object sender, EventArgs e)
    {
        Login loginCtrl = (Login)sender;
        // The adapter renders its own markup, so locate the "RememberMe" checkbox it
        // emitted and copy its state into the Login control before the cookie is issued.
        CheckBox rememberMe = (CheckBox)loginCtrl.FindControl("RememberMe");
        if (rememberMe != null && rememberMe.Checked)
            loginCtrl.RememberMeSet = true;    // persistent auth cookie
        else
            loginCtrl.RememberMeSet = false;   // session cookie only
    }
Build the solution and copy the .dll to your intranet solution. Update the reference to this .dll and build the solution.