且构网


How to implement "remember me" on the login page of an MVC 4 application

Updated: 2023-02-19 19:00:46

If you're going to manually create the authentication cookie, then you need to make sure it's set to "HTTP only". This ensures that the cookie cannot be stolen via a Cross-Site Scripting vulnerability.

If you want the user to be remembered, then simply increase the duration of the authentication ticket:
using System;
using System.Web;
using System.Web.Security;

// Issue time of the ticket; a 5-day ticket when "remember me" is checked,
// otherwise a 20-minute session ticket.
DateTime utcNow = DateTime.UtcNow;

DateTime utcExpires = loginUser.RemeberMe 
    ? utcNow.AddDays(5) 
    : utcNow.AddMinutes(20);

var authTicket = new FormsAuthenticationTicket(
    2,                    // ticket version
    loginUser.Username,   // user name carried in the ticket (never the password)
    utcNow,               // issue date
    utcExpires,           // expiration date
    loginUser.RemeberMe,  // isPersistent
    string.Empty,         // userData
    "/"                   // cookie path
);

// Encrypt and sign the ticket with the machine key and put it in the forms auth cookie.
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
cookie.HttpOnly = true; // not readable from script, so XSS cannot read it

// Only the persistent ("remember me") cookie gets an Expires date;
// without one the browser discards the cookie when the session ends.
if (loginUser.RemeberMe)
{
    cookie.Expires = authTicket.Expiration;
}

Response.Cookies.Add(cookie);



Trying to remember the user's password is a very bad idea and will create a serious security hole in your application.



How to build (and how not to build) a secure "remember me" feature, Troy Hunt
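To make concrete what FormsAuthentication.Encrypt and Decrypt do for the ticket in the answer above (an authenticated ticket that carries the user name and an expiry, never the password, so a stolen or tampered cookie is rejected once it expires or is altered), here is a framework-free model in Python. This is an added example, not code from the answer and not ASP.NET's real ticket format or key handling: VALIDATION_KEY (standing in for the site's machineKey), FORMS_COOKIE_NAME, the 20-minute and 5-day lifetimes taken from the snippet above, and the user names in the demo are assumptions. It also builds the Set-Cookie header with HttpOnly as the answer recommends, Secure when the site runs on HTTPS (not in the original code), and Expires only on the persistent cookie.

```python
"""Model of a forms-authentication "remember me" ticket (added example).

The ticket is base64(json payload) + "." + base64(HMAC-SHA256 over the payload),
keyed with a server-side validation key. The cookie therefore contains no
password, and any change to the user name or expiry breaks the MAC.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from email.utils import formatdate
from typing import Optional

# Assumption: stands in for the ASP.NET <machineKey> validationKey. A real site
# loads a fixed key from configuration; here it is generated per process.
VALIDATION_KEY = os.urandom(32)
FORMS_COOKIE_NAME = ".ASPXAUTH"          # assumption: ASP.NET's default cookie name
SESSION_SECONDS = 20 * 60                # non-persistent ticket: 20 minutes
REMEMBER_ME_SECONDS = 5 * 24 * 60 * 60   # persistent ticket: 5 days


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encrypt_ticket(username: str, remember_me: bool, now: Optional[float] = None) -> str:
    """Counterpart of FormsAuthentication.Encrypt: authenticated ticket with expiry."""
    issued = int(time.time() if now is None else now)
    lifetime = REMEMBER_ME_SECONDS if remember_me else SESSION_SECONDS
    payload = json.dumps(
        {"v": 2, "name": username, "iat": issued, "exp": issued + lifetime,
         "persistent": remember_me},
        separators=(",", ":"), sort_keys=True)
    body = _b64(payload.encode())
    tag = hmac.new(VALIDATION_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def decrypt_ticket(ticket: str, now: Optional[float] = None) -> Optional[dict]:
    """Counterpart of FormsAuthentication.Decrypt plus the Expired check.

    Returns the payload, or None when the ticket is malformed, tampered or expired.
    """
    try:
        body, tag = ticket.split(".", 1)
        expected = hmac.new(VALIDATION_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    current = time.time() if now is None else now
    if payload["exp"] <= current:
        return None
    return payload


def set_cookie_header(ticket: str, https: bool, now: Optional[float] = None) -> str:
    """Mirror of the HttpCookie setup: HttpOnly always, Secure on HTTPS,
    Expires only for the persistent ticket (otherwise a session cookie)."""
    payload = decrypt_ticket(ticket, now)
    if payload is None:
        raise ValueError("refusing to issue a cookie for an invalid ticket")
    parts = [FORMS_COOKIE_NAME + "=" + ticket, "Path=/", "HttpOnly"]
    if https:
        parts.append("Secure")
    if payload["persistent"]:
        parts.append("Expires=" + formatdate(payload["exp"], usegmt=True))
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed demo: a persistent login, checked four days later, then six days later.
    t0 = 1_000_000
    ticket = encrypt_ticket("alice", remember_me=True, now=t0)
    print(set_cookie_header(ticket, https=True, now=t0))
    print("day 4:", decrypt_ticket(ticket, now=t0 + 4 * 86400))
    print("day 6:", decrypt_ticket(ticket, now=t0 + 6 * 86400))
    # Forged payload with the original MAC: rejected.
    body, tag = ticket.split(".")
    forged = _b64(b'{"exp":9999999999,"iat":1000000,"name":"admin","persistent":true,"v":2}')
    print("forged:", decrypt_ticket(forged + "." + tag, now=t0))
```

The only secret on the server is the validation key; the client holds a ticket it cannot alter and cannot extend, which is why the answer's approach (a longer-lived ticket) is safe where storing the password in the cookie is not.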