I am using “Remember Me” in my Forms Authentication for my ASP.NET webapp.
If I login with valid credentials and select “Remember Me”, i can log in and everything is fine.
Now if i close the window, open SQL server and change password and then try to open the webapp, it bypasses login process and uses my old cached credentials from “Remember Me” and allows me to log in.
Is that normal behavior?
If so, the only thing I can think of is removing “Remember Me” option or using a very short expiration time.
Any suggestions?
This is normal. The reason is that in order to remember a user, some form of key needs to be stored on the client machine allowing the login process to be bypassed. Assuming that you are using ASP.NET’s integrated membership functionality, you essentially have a unique token stored in the cookie which identifies the user. This has nothing to do with the password, for various good reasons. What this means is that the automatic login is password-independent, so changing it shouldn’t logically affect this feature.
If security is a concern you can indeed look at shortening the time span in which the remembering remains valid. Or as you mentioned you can simply eschew this feature altogether if it poses too much of a risk. Password remembering is a common feature implemented on the vast majority of websites, and provided that you are using ASP.NET’s integrated membership functionality, your security risks are minimised, but in the end you need to examine your particular case and determine whether this feature makes sense for you.