Bytes | Software Development & Data Engineering Community

Techniques to auto-login using a persistent cookie.

I have an asp.net application in which I sometimes store a persistent
cookie once the user has logged in, and this has been working great.
However, I now add some user information like username, firstname,
lastname, etc. in the session collection, and this works fine, but only
the first time the user logs in.
But when the user returns I just get nil errors, because this data is
lost.
So I guess I'm missing something like auto-logging the user into the
system to grab this user info from the database again, but I have no
idea how to do this, or what I need to do. For example, should I
then store the user password in the cookie as well?

Nov 19 '05 #1
4 3132
Well you could store anything you like in a cookie, but I don't think
storing a password in the user's cookie would be a good idea.

Instead I would be storing some kind of randomly generated identifier in the
cookie and using this to lookup the required information from a persistent
store (eg. a database, a file etc).

Nov 19 '05 #2
After authenticating the user you can store an encrypted string with
username and password with one of the symmetric algorithm
implementations available in System.Security.Cryptography

As an extra thing you could get a hash of the encrypted string (plus a
salt value) to make sure that no one tampered with your cookie.

I think this is a quite secure way to achieve the functionality you
want.

Nov 19 '05 #3
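As an added illustration of the "hash to detect tampering" part of this suggestion (example code, not from the thread or from any poster), the following uses a keyed hash (HMAC) in place of a plain hash plus salt, so that forging a cookie requires the server-side key rather than knowledge of the algorithm; the payload is only base64-encoded, not encrypted, and carries a username and expiry but never the password. The key value and cookie layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key; in a real deployment this lives in server-side configuration.
SERVER_KEY = b"constructed-demo-key-keep-in-server-config"


def make_cookie(username, lifetime_seconds, key=SERVER_KEY, now=None):
    """Build 'payload.mac' where payload = base64(username|expiry) and mac = HMAC-SHA256(payload)."""
    now = time.time() if now is None else now
    payload = f"{username}|{int(now + lifetime_seconds)}".encode("utf-8")
    p64 = base64.urlsafe_b64encode(payload).decode("ascii")
    mac = hmac.new(key, p64.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{p64}.{mac}"


def verify_cookie(cookie, key=SERVER_KEY, now=None):
    """Return the username if the MAC is valid and the cookie has not expired, else None."""
    now = time.time() if now is None else now
    try:
        p64, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None  # no separator: malformed cookie
    expected = hmac.new(key, p64.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak timing information about the MAC.
    if not hmac.compare_digest(expected.encode("utf-8"), mac.encode("utf-8")):
        return None  # tampered payload, wrong key, or garbage
    try:
        username, expiry = base64.urlsafe_b64decode(p64).decode("utf-8").split("|", 1)
        expires_at = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= expires_at:
        return None  # expiry bounds how long a captured cookie can be replayed
    return username
```

After a successful verify the server reloads the user's details from its own store by username; nothing else in the cookie is trusted.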
The real question is: should I or should I not store the password?
Can I trust that if I find the cookie, then the user must be taken as
logged in?

Nov 19 '05 #4
You can only trust the cookie if you can be sure that no-one could really
have created the cookie (the contents of it) by other means.

Tasos suggests putting your information into the cookie in an encrypted
form. Trusting the cookie then comes down to trusting whether you believe
the encryption key has been compromised or not.

The strength of the encryption determines the possibility that a hacker has
discovered the key and used it to create their own cookies.

Using a hash (eg. MD5, SHA) in conjunction with the encryption increases
the security purely by the fact that now two secrets must be cracked in
order to create "counterfeit" cookies (the encryption key and the salt
which was used when generating the hash).

The cookie technique is subject to various spoofing/replay attacks. Without
using HTTPS to deliver the cookie, any snooper seeing the HTTP traffic could
grab the cookie and they now have a valid login to your system, just by
spoofing the cookie contents. HTTPS ensures that the cookie itself is
delivered to the end-user in encrypted form, so it cannot be grabbed by a
snooper, in the same way HTTPS protects an internet banking login which
would otherwise be clear text.

Using a reference identifier (my suggestion) is also subject to spoofing,
but only for as long as the original session is registered. After that, the
cookie becomes useless because the identifier no longer has a corresponding
"real session" on the server. The window of opportunity is therefore much
smaller. The problem with reference identifiers is they must be "cleaned up"
out of your "lookup table" as they expire.

If you want good security, therefore, whichever cookie method you choose,
you need to protect the cookies whilst they are in transit, and that means
HTTPS.

Kevin

Nov 19 '05 #5
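The reference-identifier scheme from Kevin's first reply, together with the expiry "clean up" he describes here, as an added example (not code from the thread or from any poster, and not ASP.NET-specific): the cookie holds only a random token, the server keeps a hash of it mapped to the user and an expiry, and lookups return the user id so the session data can be reloaded from the database. The class name, the hashed-token storage and the injectable clock are choices made for this example.

```python
import hashlib
import secrets
import time


class PersistentLoginStore:
    """Server-side lookup table for persistent-login tokens carried in a cookie."""

    def __init__(self, lifetime_seconds, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._sessions = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token):
        # Store a hash, not the token: a copied table does not yield usable cookies.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Register a new persistent login and return the value to put in the cookie."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
        self._sessions[self._key(token)] = (user_id, self.clock() + self.lifetime)
        return token

    def lookup(self, token):
        """Return the user id for a live token, or None if unknown, revoked or expired."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[key]  # expired entry is dropped as soon as it is touched
            return None
        return user_id

    def revoke(self, token):
        """Logout: the cookie is useless immediately, even if it was copied earlier."""
        self._sessions.pop(self._key(token), None)

    def cleanup(self):
        """Periodic sweep of the lookup table; returns how many expired entries were removed."""
        now = self.clock()
        stale = [k for k, (_, exp) in self._sessions.items() if now >= exp]
        for k in stale:
            del self._sessions[k]
        return len(stale)
```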
