DNN's login control is stalwart and works well. It has aged though and conversations were started recently (again) to get things modernized. Read the GitHub issue here; RFC: Mobile Friendly Login...
But today you need to know how to stay logged in longer. This is functionality you can expect to survive regardless of the future UI changes because it is tied deep down below to .NET's personalization and membership features. Did you know DNN has simple and logical login persistence options? Via 2 settings, users can choose to stay logged in for a) the default amount of time or b) longer; simply by clicking the checkbox, Remember Login. By default, when it is not setup, the Remember Login checkbox doesn't do anything. Since it is also usually visible by default**, and therefore doesn't appear to work, so most people ignore it, or style it hidden, or turn it off. They usually learn about the default timeout of 60 minutes and move on.
To avoid confusion, you should also insure that the Remember Me login control is enabled, in at least Dnn 9.03.02 and higher, that is in the PersonaBar, Settings/Security, then the More tab; make sure "Enable Remember Me on Login Control" is On.
Obligatory backup warning: this is meant for technically savvy users. You are messing with web.config which is serious business. One typo (syntax error) and your DNN site will be down and the error you see will not be very helpful (unless you are on the server the site is running from, and even then, but I digress). Make a copy of web.config so you can put it back if something goes wrong.
So let's keep this simple.
In the root of your DNN site, Edit web.config and update the following nodes to whatever value you require. The appropriate fields are identified below in bold - all values are in minutes (i.e. 14 days is 14 * 24 hours * 60 minutes = 20160 minutes).
The following sets a) a default 2 hour session expiration and allows for b) a Remember Me option of 2 weeks via your cookie (unless you logout).
Under <system.web>, then in <authentication … />
<forms name=".DOTNETNUKE" protection="All" timeout="120" cookieless="UseCookies" />
<add key="PersistentCookieTimeout" value="20160" />
In English, stay logged in to the site:
- by default (with Remember un-checked) = 2 hours
- with Remember Login checked = 14 days
Though obvious to most, it might be worth pointing out that it is 2 hours of inactivity. The persistence is "sliding." Even with a 2 hour default, you could stay logged in all day as long as you keep working and avoid doing nothing for 2 hours straight.
Why 2 hours? Why 14 days? These are just examples. When we work on a DNN site for a client, during construction we like to have the Remember Login checkbox option turned on and visible, set the default to 2 hours and the persistent duration to 4 days. This way with the option checked, your login will even survive a weekend.
The durations you choose should balance the users and usage against the real or perceived security concerns. But that is a much bigger topic for someone else's deep thinking article. Cheers!
Sort-of-originally published here.
** if you are wondering where this settings is, in DNN 9.x go to Settings, Security, and on the More tab, then the MORE SECURITY SETTINGS (sub)tab and you will see, "Enable Remember Me on Login Control."
Read more DNN Details posts... More about Accuraty...