Connecting Tech Pros Worldwide Forums | Help | Site Map
bytes > topic > asp .net > answers

Techniques to auto-login using a persistent cookie.

craigkenisston@hotmail.com
Guest
  
Posts: n/a
#1: Nov 19 '05
I have an asp.net application in which I sometimes store a persistent
cookie once the user has logged in and this has been working great.
However, I now add some user information like, username, firstname,
lastname, etc. in the session collection and this works fine, but only
the first time the user loggin.
But, when the user returns I just get nil errors, because this data is
lost.
So, I guess, I'm missing something like auto-logging the user in the
system to grab this user info from the database again, but I have no
idea how to do this, or what do I need to do, for example, should I
then store the user password in the cookie as well ?

Kevin Frey
Guest
  
Posts: n/a
#2: Nov 19 '05

re: Techniques to auto-login using a persistent cookie.

Well you could store anything you like in a cookie, but I don't think
storing a password in the user's cookie would be a good idea.

Instead I would be storing some kind of randomly generated identifier in the
cookie and using this to lookup the required information from a persistent
store (eg. a database, a file etc).

<craigkenisston@hotmail.com> wrote in message
news:1129872267.241208.31500@g49g2000cwa.googlegro ups.com...[color=blue]
>I have an asp.net application in which I sometimes store a persistent
> cookie once the user has logged in and this has been working great.
> However, I now add some user information like, username, firstname,
> lastname, etc. in the session collection and this works fine, but only
> the first time the user loggin.
> But, when the user returns I just get nil errors, because this data is
> lost.
> So, I guess, I'm missing something like auto-logging the user in the
> system to grab this user info from the database again, but I have no
> idea how to do this, or what do I need to do, for example, should I
> then store the user password in the cookie as well ?
>[/color]
Tasos Vogiatzoglou
Guest
  
Posts: n/a
#3: Nov 19 '05

re: Techniques to auto-login using a persistent cookie.

After authenticating the user you can store an encrypted string with
username and password with one of the symmetric algorithm
implementations available in System.Security.Cryptography

As an extra thing you could get a hash of the encrypted string (plus a
salt value) to make sure that no one tampered with your cookie.

I think this is a quite secure way to achieve the functionality you
want
craigkenisston@hotmail.com
Guest
  
Posts: n/a
#4: Nov 19 '05

re: Techniques to auto-login using a persistent cookie.

The real question is: should I or should I not store the password ?
Can I trust that if I find the cookie, then the user must be taken as
logged in ?
Kevin Frey
Guest
  
Posts: n/a
#5: Nov 19 '05

re: Techniques to auto-login using a persistent cookie.

You can only trust the cookie if you can be sure that no-one could really
have created the cookie (the contents of it) by other means.

Tasos suggests putting your information into the cookie in an encrypted
form. Trusting the cookie then comes down to trusting whether you believe
the encryption key has been compromised or not.

The strength of the encryption determines the possibility that a hacker has
discovered the key and used it to create their own cookies.

Using a hash (eg. MD5, SHA) in conjunction with the encryption comes
increases the security purely by the fact that now two secrets must be
cracked in order to create "counterfeit" cookies (the encryption key and the
salt which was used when generating the hash).

The cookie technique is subject to various spoofing/reply attacks. Without
using HTTPS to deliver the cookie, any snooper seeing the HTTP traffic could
grab the cookie and they now have a valid login to your system, just by
spoofing the cookie contents. HTTPS ensures that the cookie itself is
delivered to the end-user in encrypted form, so it cannot be grabbed by a
snooper, in the same way HTTPS protects an internet banking login which
would otherwise be clear text.

Using a reference identifier (my suggestion) is also subject to spoofing,
but only for as long as the original session is registered. After that, the
cookie becomes useless because the identifier no longer has a corresponding
"real session" on the server. The window of opportunity is therefore much
smaller. The problem with reference identifiers is they must be "cleaned up"
out of your "lookup table" as they expire.

If you want good security, therefore, whichever cookie method you choose,
you need to protect the cookies whilst they are in transit, and that means
HTTPS.

Kevin

<craigkenisston@hotmail.com> wrote in message
news:1129950603.592991.155600@o13g2000cwo.googlegr oups.com...[color=blue]
> The real question is: should I or should I not store the password ?
> Can I trust that if I find the cookie, then the user must be taken as
> logged in ?
>[/color]
Closed Thread

« previous question | next question »

Similar ASP.NET bytes

/bytes/development

/bytes/it

Forums
Visit our community forums for general discussions and latest on Bytes

Our staff and community areas have moved to bytes.com/forums/

/bytes/about

We are a network of experts and professionals in IT and software development that help one another with answers to tough questions and share insights. Get the best answers to your questions from over 226,471 network members.

dev questions:
algorithms | asp | asp.net | c/c++ | coldfusion | c# | flash | html/css | java | javascript |
mobile dev | .net | perl | php | python | ruby | software dev | vb.net | visual basic | xml
it questions:
access | apache | careers | db2 | iis | macosx | mysql | networking | oracle | postgresql | sql server | unix | windows

About Bytes | Copyright 1995-2009 BYTES. All rights Reserved