Under Review

Two Cookie Solution - for UsePersistentTicketCookie and TrustDeviceExpireDays

CompuIntegration 5 years ago updated by Sean White 5 years ago 1

PROBLEM:

The web.config setting UsePersistentTicketCookie is used badly for BOTH the cookie cache related to staying logged on after closing the browser if you forget to log off manually (bad for security to leave true, so false is best) AND the new Two-Factor Authentication (2FA) (if you turn the setting to false, you now cannot TRUST a device once you close your browser).

SOLUTION:

a.) Leave the web.config TrustDeviceExpireDays as is, but make it write a second, unique cookie for this 2FA, of course honoring '0' as false, i.e. not trusting.

b.) Also, have it hide the checkbox if it detects the cookie at '0', as it is odd to have it still show.

c.) Finally, keep the existing UsePersistentTicketCookie as is, but ensure it is a unique cookie used ONLY for persistence in staying logged in (or not) after the browser closes.

SUMMARY:

These security measures are distinctly different in their context and application and need to give people the ability to customize either and not have the other one break.
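The decoupling proposed above, sketched as illustrative C# decision logic (an added example, not the product's code): the auth-ticket cookie's persistence depends only on UsePersistentTicketCookie, the trusted-device cookie depends only on TrustDeviceExpireDays, and the checkbox is shown only when trusting is enabled. The cookie names and the CookieSpec type are assumptions; the post does not name them.

```csharp
using System;
using System.Collections.Generic;

// Minimal description of a cookie to set on the login response (hypothetical type).
public sealed record CookieSpec(string Name, DateTimeOffset? Expires, bool HttpOnly = true, bool Secure = true);

public static class TwoCookiePolicy
{
    // Hypothetical cookie names; the real names are not given in the post.
    public const string TicketCookie = ".AUTHTICKET";
    public const string TrustCookie  = ".TRUSTEDDEVICE";

    // Proposal (b): the "trust this device" checkbox only makes sense when trusting is enabled.
    public static bool ShowTrustCheckbox(int trustDeviceExpireDays) => trustDeviceExpireDays > 0;

    public static List<CookieSpec> CookiesForLogin(
        bool usePersistentTicketCookie, TimeSpan ticketLifetime,
        int trustDeviceExpireDays, bool userCheckedTrustDevice, DateTimeOffset now)
    {
        var cookies = new List<CookieSpec>();

        // Cookie 1 (proposal c): the auth ticket. Whether it survives a browser restart is
        // governed ONLY by UsePersistentTicketCookie; a null Expires means a session cookie.
        cookies.Add(new CookieSpec(TicketCookie,
            usePersistentTicketCookie ? (DateTimeOffset?)(now + ticketLifetime) : null));

        // Cookie 2 (proposal a): the 2FA trusted-device marker. Governed ONLY by
        // TrustDeviceExpireDays; 0 means "never trust", so nothing is written even if
        // the box were somehow checked.
        if (trustDeviceExpireDays > 0 && userCheckedTrustDevice)
            cookies.Add(new CookieSpec(TrustCookie, now.AddDays(trustDeviceExpireDays)));

        return cookies;
    }

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        // The secure combination the post asks for: no persistent ticket (false),
        // yet a device can still be trusted for 30 days.
        Console.WriteLine($"Show checkbox: {ShowTrustCheckbox(30)}");
        foreach (var c in CookiesForLogin(false, TimeSpan.FromMinutes(30), 30, true, now))
            Console.WriteLine($"{c.Name}: expires={c.Expires?.ToString("u") ?? "session"}");

        // TrustDeviceExpireDays = 0: checkbox hidden, only the session ticket is issued.
        Console.WriteLine($"Show checkbox: {ShowTrustCheckbox(0)}");
        Console.WriteLine($"Cookies issued: {CookiesForLogin(false, TimeSpan.FromMinutes(30), 0, true, now).Count}");
    }
}
```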