Login snippet "remember me" and "forgotten password"

craigs100 · March 11, 2025, 3:10pm

I have a login page implemented which works, which is based off the current Partials snippet in the back office. However I have 2 questions:-

What do I need to do to get the “Remember me” function working? It doesn’t seem to do anything, no cookie created, etc.
Is there a preferred, Umbraco way of implementing a “Forgotten password” function? If not, does anyone have any advice, resource to look at?

Thanks.

mistyn8 · March 11, 2025, 4:01pm

Remember Me Button Umbraco #help-with-umbraco

Is this any use?

craigs100 · March 11, 2025, 7:12pm

Thanks Mike, it is “some” use, in that it gives a bit of a hint. But it mentions code in the Startup.cs which we don’t have anymore of course. Pity it’s left out of the docs.

I’m almost tempted just to remove it.

huwred · March 11, 2025, 9:56pm

If you look in my mediawizards forum repo on GitHub ther is code that implements these functions

craigs100 · March 12, 2025, 8:44am

Thanks for that. I can see the forgotten password method, but the rememberme is still a mystery. Looking in the UmbracoSignInManager.cs I can see it handles rememberme but it doesn’t cause the asp identity application cookie to get a date, it just sits on “session”.

My login then goes to 2FA using the GoogleAuthentication package. I can also see in UmbracoSignInManager.cs that there’s some provision for rememberme wrt 2FA. It’s all rather dense and getting beyond my understanding. Just wish they’d documented this stuff so people can use it.

Would also like to know how to surface failed login messages too, but that’s probably another post.

Will have a go with the forgotten password though

Thanks

mistyn8 · March 12, 2025, 10:16am

Umbraco-CMS/src/Umbraco.Web.Website/Controllers/UmbLoginController.cs at release-13.7.2 · umbraco/Umbraco-CMS

could you copy the HandleLogin method into your own controller to use against your view, to make sure that model.RememberMe is getting passed as true… as it just seems to bubble this up to asp.net identitiy as you say and if the isPersistent passed as true we should be being remembered with a persistent cookie and not session?

craigs100 · March 12, 2025, 10:30am

Well the point is I don’t have a controller, I’m using Umbraco’s. Which is why it’s annoying they only give you half a story. If I’d done my own controller I guess I’d have used a more complete reference (hopefully).

I might have to re-engineer to use my own controller, but it’s a pain at this stage. I suppose I was hoping someone had come across this before and solved it with the Umbraco controller.

mistyn8 · March 12, 2025, 10:35am

Just blanket copy the umbController… drop it in your solution… change the namespace and update your controller action to use your replacement … then debug… ?? would be my plan of attack.

craigs100 · March 12, 2025, 10:58am

A bold solution, but I like it.

craigs100 · April 22, 2025, 3:54pm

Ok, so I’ve done that and it’s hitting the new controller and completing login ok. However, there are a few anomalies…

The login appears to be done in a subordinate method here:-

        // Sign the user in with username/password, this also gives a chance for developers to
        // custom verify the credentials and auto-link user accounts with a custom IBackOfficePasswordChecker
        SignInResult result = await _signInManager.PasswordSignInAsync(
            model.Username, model.Password, model.RememberMe, true);

The model.RememberMe is True when the check box is checked, but nothing happens.
There are conditionals for “result” which could have messages but no way to get them back to the original login page as it’s overridden by a return currentUmbracoPage()

        else if (result.IsLockedOut)
        {
            ModelState.AddModelError("loginModel", "Member is locked out");
        }
        else if (result.IsNotAllowed)
        {
            ModelState.AddModelError("loginModel", "Member is not allowed");
        }
        else
        {
            ModelState.AddModelError("loginModel", "Invalid username or password");
        }

        return CurrentUmbracoPage();

For the validation messages, I suspect I’ll have to either use a TempData/ViewData construction or maybe even have to extend a model somewhere/somehow.

As for the RememberMe functionality, I might end up disappearing down a rabbit hole.

There are def bits missing here.

I’m just concerned that if I go off-piste, rolling my own stuff, I’ll disappear where the sun don’t shine. Is there a “better” way, etc.

craigs100 · April 22, 2025, 4:20pm

I’ve had a little success with the validation messages though it looks like it’s because the one supplied in the login snippet doesn’t appear to work…

I’ve added a new line under the original asp-validation-summary, which is what I guess is supposed to surface the ModelState errors and now see the ModelState errors.

<div asp-validation-summary="ModelOnly" class="text-danger"></div>

@Html.ValidationMessage("loginModel", "", new { @class = "text-danger" })

Getting the RememberMe funcionality working though, still eludes me.

mistyn8 · April 22, 2025, 4:54pm

there was another thread around the validation messages
No error for incorrect password on protected/Restricted Public Access Page? - Umbraco community forum

but think you’ve done one of the recommended anyway…

craigs100 · April 22, 2025, 10:06pm

I see it alludes to some instructions to create a global cookie in appsettings, though I can’t find anything anywhere about how to set this up in appsettings.

mistyn8 · April 23, 2025, 7:07am

Found this.. ASP.NET Identity Remember Me

Which seems to indicate that remember me is still only a session cookie with a 14day default expiretimespan, with sliding expiry.. so if you restart your app… or IIS session times out the remember me will still then need a new login?

Also you mentioned 2FA.. which also has the isPersistent that can be passed.. is that also correctly implemented???

github.com/dotnet/aspnetcore

src/Identity/Core/src/SignInManager.cs

7c7f56f5a


      
          
          /// <summary>
          /// Validates the sign in code from an authenticator app and creates and signs in the user, as an asynchronous operation.
          /// </summary>
          /// <param name="code">The two factor authentication code to validate.</param>
          /// <param name="isPersistent">Flag indicating whether the sign-in cookie should persist after the browser is closed.</param>
          /// <param name="rememberClient">Flag indicating whether the current browser should be remember, suppressing all further
          /// two factor authentication prompts.</param>
          /// <returns>The task object representing the asynchronous operation containing the <see name="SignInResult"/>
          /// for the sign-in attempt.</returns>
          public virtual async Task<SignInResult> TwoFactorAuthenticatorSignInAsync(string code, bool isPersistent, bool rememberClient)
          {
              var twoFactorInfo = await RetrieveTwoFactorInfoAsync();
              if (twoFactorInfo == null)
              {
                  return SignInResult.Failed;
              }
          
              var user = twoFactorInfo.User;
              var error = await PreSignInCheck(user);
              if (error != null)

mistyn8 · April 23, 2025, 7:11am

github.com/umbraco/Umbraco-CMS

src/Umbraco.Web.Website/Controllers/UmbTwoFactorLoginController.cs

cd71e5666


      
          if (ModelState.IsValid)
          {
              SignInResult result = await _memberSignInManager.TwoFactorSignInAsync(
                  model.Provider,
                  model.Code,
                  model.IsPersistent,
                  model.RememberClient);
              if (result.Succeeded)
              {
                  return RedirectToLocal(returnUrl);
              }
          
              if (result.IsLockedOut)
              {
                  ModelState.AddModelError(nameof(Verify2FACodeModel.Code), "Member is locked out");
              }
              else if (result.IsNotAllowed)
              {
                  ModelState.AddModelError(nameof(Verify2FACodeModel.Code), "Member is not allowed");
              }

This file has been truncated. show original

looks like it should be passing the same model.IsPersistent… but maybe the same AddModelError issue.. where I think the nameof(Verify2FACodeModel.Code) should be string.Empty for the tag manager to work with none property named errors.

mistyn8 · April 23, 2025, 7:13am

ps to stick to taghelpers.. <span class="text-danger" asp-validation-for="loginModel"></span> is the equivalent of @Html.ValidationMessage("loginModel", "", new { @class = "text-danger" })
I believe…

craigs100 · April 23, 2025, 1:17pm

For some unknown reason, that tag helper doesn’t work for me, hence the @Html.ValidationMessage("loginModel", "", new { @class = "text-danger" })

craigs100 · April 23, 2025, 2:01pm

Hi @huwred I see you have forgotten password code in there, but did you get the RememberMe working? Mines followed by 2FA which might be why it’s not working, not sure.

craigs100 · April 23, 2025, 3:25pm

So I’ve added the following to program.cs

builder.Services.ConfigureApplicationCookie(options =>
{
options.Cookie.Name = “UmbracoMemberAuth”;
options.LoginPath = “/login”; // Your member login page
options.ExpireTimeSpan = TimeSpan.FromDays(30); // Cookie lifespan
options.SlidingExpiration = true;
options.Cookie.IsEssential = true;
});

The UmbracoMemberAuth cookie appears after the 2FA occurs, but it’s only a session cookie! I have little hair left now.

How do I get this to have the set TimeSpan initially (which should then slide)?

Reading the MS docs, all this Identity stuff “just works out of the box” !!!

huwred · April 24, 2025, 6:12am

I’m not sure, I will check later