Does My Auto Login Strategy Make Sense?

Hi.

I have an ASP.NET application written in C#. To log in, a user must
provide their email address and password. I already give the user a
"Remember my Email Address" check box. If they check it when logging
in, I store the email address in a cookie and automatically display
the address when they log in again.

I now want to give the user a "Remember my Password" checkbox. If they
check this new checkbox, I'm planning on encrypting the password and
storing it in a cookie that won't expire for maybe a year.

If the user decides to have the password saved, the next time they log
in, I will display the login window. In the login window, I use an
asp:TextBox control for the password with the TextMode set to
Password. Because the TextMode is Password, I can't figure out a way
to assign a value to the TextBox's Text field in my C# code. Ideally,
I'd like to just assign the stored password to the field. So, if the
user has the password stored in a cookie, I would change the TextMode
of the TextBox to SingleLine, assign a string value of "*******" to
the Text field, check the stored password from the cookie against the
database value, and proceed accordingly.

I'm thinking of this approach because if the user no longer wants the
password stored, I can expire the cookie, and the next time the user
logs in, keep the password TextBox's TextMode as Password, and have
the user enter the password.

If the user ever changes the password, I will automatically expire the
cookie, and the user will have to enter the password and decide to
have it saved or not the next time they log in.

Does this approach make sense?

All ideas are appreciated.

-Doug

Feb 16 '07 #1
Not sure which point you questioned but I would even avoid storing the
password even encrypted.

I would try to see if I could assign some random value to this cookie (such
as a guid) each time the user enters his password and store it. The side
effect is that if he logs on to another machine and asks to be remembered, a
new value is issued and it's no longer possible to be automatically logged on
the previously used computer (which can be good or bad depending on your
point of view, IMO it's good as even if you do that on a public computer it
will become invalid once you log on another computer). Also change this
value if the user changes his password.

If the cookie is stolen, the attacker will be able to log in. But if the user
logs in again (having this time to use his password) and asks again to be
remembered, the value will change and the attacker will become unable to log
in again (he will be able to log in forever depending on how you encrypted the
password, of course you could also combine the guid value and something else
as you would have done to further secure the password).

Don't know if standard but the idea is to avoid storing something client
side unless you really need it (and strictly speaking you don't need the
password client side, you just need to know the user entered the correct
password previously on this machine).

Finally for the UI, AFAIK some sites don't just display the password box if
the user is remembered. You have a link that lets you show the box again
when needed.

The textbox with the password style is read only.

--
Patrice

Feb 16 '07 #2
in a single word: No!

only because saving passwords on computers is not the best way to do it! how
about security issues?
a guy goes to a friend's house, asks to send an email, sees the site, enters,
changes to his own password, and then... ohh well, you see the picture!

if still, u want to proceed with such a thing, do it simple:

USERNAME: <TEXTBOX TEXT>
PASSWORD: <TEXTBOX PWD>

u write the cookie for email, and if you find a cookie named "SAVE_PWD" you
automatically put in the
<TEXTBOX PWD> something hard to guess like "PWD@COOKIE!" (it will show
********** to the user)

when performing the LOGIN see if the password is "PWD@COOKIE!"
and then you can search for the encrypted password in the cookies collection
and perform a comparison with the one in the Database...

if everything is ok, log in the user, any problem say "please enter your
password for security purposes"

AND PLEASE !!! don't save PWD for A YEAR !!! TWO WEEKS tops !!
a lot happens within a year, and have a link "I forgot my password" and send
a link to reset the pwd to that email if you find it in the database.
hope it helps.

--

Bruno Alexandre
Strøby, Danmark

"a Portuguese in Denmark"
Feb 16 '07 #3
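
As an added example (not code from any poster in this thread), here is the server-side random-token scheme from the first reply, with the two-week lifetime urged in the second. It assumes .NET 6 or later; `RememberMeStore`, its methods and the in-memory dictionary are hypothetical stand-ins, 32 CSPRNG bytes replace the GUID, and keeping only a hash of the token on the server is a choice made here.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added illustration; RememberMeStore and its members are hypothetical names.
public sealed class RememberMeStore
{
    // userId -> (SHA-256 of the current token, expiry). Stands in for a database table.
    private readonly Dictionary<string, (byte[] Hash, DateTime Expires)> _rows = new();
    private static readonly TimeSpan Lifetime = TimeSpan.FromDays(14);

    // Call after a successful password login with "remember me" checked.
    // Overwrites any earlier token, so a cookie held on another machine stops working.
    public string Issue(string userId)
    {
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _rows[userId] = (Hash(token), DateTime.UtcNow + Lifetime);
        return token; // cookie value; mark the cookie HttpOnly and Secure
    }

    // Call when a request carries the cookie but has no session yet.
    public bool Validate(string userId, string token)
    {
        if (token == null || !_rows.TryGetValue(userId, out var row)) return false;
        if (DateTime.UtcNow > row.Expires) { _rows.Remove(userId); return false; }
        return CryptographicOperations.FixedTimeEquals(row.Hash, Hash(token));
    }

    // Call on password change, on logout, or when the user opts out.
    public void Revoke(string userId) => _rows.Remove(userId);

    private static byte[] Hash(string t) => SHA256.HashData(Encoding.UTF8.GetBytes(t));
}

public static class Demo
{
    public static void Main()
    {
        var store = new RememberMeStore();
        string stolen = store.Issue("doug@example.com");   // constructed user; cookie later copied
        bool before = store.Validate("doug@example.com", stolen);
        string fresh = store.Issue("doug@example.com");    // owner logs in again with the password
        bool after = store.Validate("doug@example.com", stolen);
        store.Revoke("doug@example.com");                  // password changed
        bool revoked = store.Validate("doug@example.com", fresh);
        Console.WriteLine($"copied cookie: {before} -> {after}; after revoke: {revoked}");
    }
}
```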
