How does RememberMe setting work with WebSecurity in an MVC project?

Question

In a sample/default MVC 4 project, I can see that when the User logs in with Remember Me checkbox on, the persistCookie parameter of the WebSecurity.Login method is set to true.

How exactly does that work? Where exactly is the value of persistCookie is saved? I looked through the tables that are created for the Security feature and do not see anywhere that the user is set to persist login.

What mechanism enables the user to log in? Is it simply the presence of the .ASPXAUTH cookie? Or does it actually compare the cookie value to something that I am not seeing.

Answer 1

How exactly does that work?

By creating a persistent cookie.

Where exactly is the value of persistCookie is saved?

As a file on the client machine so that it survives browser restarts.

What mechanism enables the user to log in?

This mechanism is called persistent cookie. A cookie is considered persistent if when being set the Expires property is being set to some date in the future. In this case the browser will store the cookie on the client computer as a file instead of keeping it in memory.

Here's an example of how creating a persistent cookie looks like in terms of the HTTP protocol:

Set-Cookie: CookieName=CookieValue;Path=/;Expires=Wed, 12-Oct-2016 21:47:09 GMT;

And here's how a setting a session cookie looks like which will not survive browser restarts:

Set-Cookie: CookieName=CookieValue;Path=/;

Now go ahead, download Fiddler and inspect the network traffic to see the difference.

Answer 2

The identity is stored in the cookie and decrypted upon each request.

Persistent cookie means that the cookie will be automatically attached to requests by the browser for some period of time.

No magic and also no need to store open sessions at the server side. As long as a cookie decrypts correctly, it is accepted as the server assumes that no one is able to forge a cookie on its own. This requires that the cookie value is encrypted or at least signed.