Does My Auto Login Strategy Make Sense?

Discussion in 'ASP .Net' started by dougloj, Feb 16, 2007.

  1. dougloj

    dougloj Guest

    Hi.

    I have an ASP.NET application written in C#. To log in, a user must
    provide their email address and password. I already give the user a
    "Remember my Email Address" check box. If they check it when logging
    in, I store the email address in a cookie and automatically display
    the address when they log in again.

    I now want to give the user a "Remember my Password" checkbox. If they
    check this new checkbox, I'm planning on encrypting the password and
    storing it in a cookie that won't expire for maybe a year.

    If the user decides to have the password saved, the next time they log
    in, I will display the login window. In the login window, I use an
    asp:TextBox control for the password with the TextMode set to
    Password. Because the TextMode is Password, I can't figure out a way
    to assign a value to the TextBox's Text field in my C# code. Ideally,
    I'd like to just assign the stored password to the field. So, if the
    user has the password stored in a cookie, I would change the TextMode
    of the TextBox to SingleLine, assign a string value of "*******" to
    the Text field, check the stored password from the cookie against the
    database value, and proceed accordingly.

    I'm thinking of this approach because if the user no longer wants the
    password stored, I can expire the cookie, and the next time the user
    logs in, keep the password TextBox's TextMode as Password, and have
    the user enter the password.

    If the user ever changes the password, I will automatically expire the
    cookie, and the user will have to enter the password and decide to
    have it saved or not the next time they log in.

    Does this approach make sense?

    All ideas are appreciated.

    -Doug
     
    dougloj, Feb 16, 2007
    #1

  2. Bruno Alexandre

    In a single word: No!

    only because saving passwords on computers is not the best way to do it! How
    about security issues?
    A guy goes to a friend's house, asks to send an email, sees the site, enters,
    changes it to his own password, and then... oh well, you see the picture!

    If you still want to proceed with such a thing, do it simply:

    USERNAME: <TEXTBOX TEXT>
    PASSWORD: <TEXTBOX PWD>

    You write the cookie for the email, and if you find a cookie named "SAVE_PWD" you
    automatically put in the
    <TEXTBOX PWD> something hard to guess like "PWD@COOKIE!" (it will show
    ********** to the user).

    When performing the LOGIN, see if the password is "PWD@COOKIE!"
    and then you can search for the encrypted password in the cookies collection
    and perform a comparison with the one in the Database...

    If everything is OK, log the user in; on any problem say "please enter your
    password for security purposes".

    AND PLEASE!!! Don't save the PWD for A YEAR!!! TWO WEEKS tops!!
    A lot happens within a year. Also have an "I forgot my password" link that sends
    a link to reset the pwd to that email if you find it in the database.


    Hope it helps.

    --

    Bruno Alexandre
    Strøby, Danmark

    "a Portuguese in Denmark"

    Bruno Alexandre, Feb 16, 2007
    #2

  3. Patrice

    Patrice Guest

    Not sure which point you questioned, but I would even avoid storing the
    password, even encrypted.

    I would try to see if I could assign some random value to this cookie (such
    as a GUID) each time the user enters his password, and store it. The side
    effect is that if he logs on from another machine and asks to be remembered, a
    new value is issued and it's no longer possible to be automatically logged on
    from the previously used computer (which can be good or bad depending on your
    point of view; IMO it's good, as even if you do that on a public computer it
    will become invalid once you log on from another computer). Also change this
    value if the user changes his password.

    If the cookie is stolen, the attacker will be able to log in. But if the user
    logs in again (having this time to use his password) and asks again to be
    remembered, the value will change and the attacker will become unable to log
    in again (he would be able to log in forever depending on how you encrypted the
    password; of course you could also combine the GUID value and something else,
    as you would have done to further secure the password).

    Don't know if it's standard, but the idea is to avoid storing something client
    side unless you really need it (and strictly speaking you don't need the
    password client side, you just need to know the user entered the correct
    password previously on this machine).

    Finally, for the UI, AFAIK some sites just don't display the password box if
    the user is remembered. You have a link that enables showing the box again
    when needed.

    The textbox with the password style is read only.

    --
    Patrice

    Patrice, Feb 16, 2007
    #3
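Patrice's server-side random token and Bruno's two-week lifetime, worked out in C# as an added example; this is not code from the thread or from either poster. It assumes .NET Framework 4 or later (or .NET Core), stands in an in-memory dictionary for the user table, models the cookie as a plain "email:token" string (the email is the lookup key Doug already keeps in a cookie), and uses 32 bytes from RandomNumberGenerator rather than a GUID, since a GUID is not generated to be unpredictable. Only a SHA-256 hash of the token is kept on the server, so a copy of the database does not yield working cookies; the token is replaced on every password login and cleared on password change, which is exactly what makes a stolen cookie go stale. Passwords are stored as PBKDF2 hashes (an assumption about Doug's schema, which the thread does not describe). The sample account and dates are constructed.

```csharp
// Added example, not from the thread: a "remember me" cookie that never carries
// the password. Assumes .NET Framework 4+ or .NET Core; the user table is an
// in-memory dictionary and the cookie is modelled as a plain string.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class RememberMeStore
{
    private sealed class UserRecord
    {
        public byte[] PasswordSalt;
        public byte[] PasswordHash;      // PBKDF2 of the password, never the password itself
        public byte[] TokenHash;         // SHA-256 of the current remember-me token; null if none
        public DateTime TokenExpiresUtc;
    }

    private const int Pbkdf2Iterations = 100000;
    private static readonly TimeSpan TokenLifetime = TimeSpan.FromDays(14); // two weeks, not a year
    private readonly Dictionary<string, UserRecord> users =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase);

    public void AddUser(string email, string password)
    {
        var rec = new UserRecord { PasswordSalt = RandomBytes(16) };
        rec.PasswordHash = DerivePassword(password, rec.PasswordSalt);
        users[email] = rec;
    }

    // Normal login: the only path that ever sees the password.
    public bool VerifyPassword(string email, string password)
    {
        UserRecord user;
        return users.TryGetValue(email, out user)
            && FixedTimeEquals(DerivePassword(password, user.PasswordSalt), user.PasswordHash);
    }

    // Called after a successful password login with "remember me" ticked. Each call
    // replaces the previous token, so only the most recent machine stays remembered.
    public string IssueToken(string email, DateTime nowUtc)
    {
        byte[] token = RandomBytes(32);
        UserRecord user = users[email];
        user.TokenHash = Sha256(token);                       // the raw token is never stored
        user.TokenExpiresUtc = nowUtc + TokenLifetime;
        return email + ":" + Convert.ToBase64String(token);   // this string becomes the cookie value
    }

    // Visit carrying the cookie and no password. Yields the authenticated email on success.
    public bool TryAutoLogin(string cookie, DateTime nowUtc, out string email)
    {
        email = null;
        int sep = cookie == null ? -1 : cookie.IndexOf(':');
        if (sep < 0) return false;
        byte[] token;
        try { token = Convert.FromBase64String(cookie.Substring(sep + 1)); }
        catch (FormatException) { return false; }           // malformed cookie, treat as absent

        UserRecord user;
        string candidate = cookie.Substring(0, sep);
        if (!users.TryGetValue(candidate, out user) || user.TokenHash == null) return false;
        if (nowUtc > user.TokenExpiresUtc) { user.TokenHash = null; return false; }
        if (!FixedTimeEquals(Sha256(token), user.TokenHash)) return false;
        email = candidate;
        return true;
    }

    // "Forget me", logout, or password change: the old cookie is dead immediately.
    public void RevokeToken(string email) { users[email].TokenHash = null; }

    public void ChangePassword(string email, string newPassword)
    {
        UserRecord user = users[email];
        user.PasswordSalt = RandomBytes(16);
        user.PasswordHash = DerivePassword(newPassword, user.PasswordSalt);
        RevokeToken(email);
    }

    private static byte[] DerivePassword(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations)) return kdf.GetBytes(32);
    }

    private static byte[] RandomBytes(int count)
    {
        var buf = new byte[count];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return buf;
    }

    private static byte[] Sha256(byte[] data)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(data);
    }

    // Constant-time comparison so a wrong token does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var store = new RememberMeStore();
        var t0 = new DateTime(2007, 2, 16, 12, 0, 0, DateTimeKind.Utc);   // constructed clock
        store.AddUser("doug@example.com", "correct horse battery");       // constructed sample account
        string who;
        string home = store.IssueToken("doug@example.com", t0);
        Console.WriteLine("home cookie, next day:        " + store.TryAutoLogin(home, t0.AddDays(1), out who));
        string office = store.IssueToken("doug@example.com", t0.AddDays(2));
        Console.WriteLine("home cookie after office login: " + store.TryAutoLogin(home, t0.AddDays(3), out who));
        string tampered = office.Substring(0, office.Length - 4) + "AAAA";
        Console.WriteLine("tampered office cookie:       " + store.TryAutoLogin(tampered, t0.AddDays(3), out who));
        Console.WriteLine("office cookie:                " + store.TryAutoLogin(office, t0.AddDays(3), out who));
        store.ChangePassword("doug@example.com", "new passphrase");
        Console.WriteLine("office cookie after pw change: " + store.TryAutoLogin(office, t0.AddDays(3), out who));
        string fresh = store.IssueToken("doug@example.com", t0.AddDays(3));
        Console.WriteLine("fresh cookie at day 18:       " + store.TryAutoLogin(fresh, t0.AddDays(18), out who));
    }
}
```

Run as a console program, the demo walks through the cases the two replies raise: the home cookie works the next day, stops working as soon as a second machine asks to be remembered (Patrice's side effect), a tampered or stale cookie is rejected, and a password change kills the current cookie outright; the last line fails because fourteen days have passed since it was issued. In the real page, the cookie would be set with HttpOnly and Secure and the form would hide the password box (or show a "use my password" link) whenever TryAutoLogin succeeds, so there is no need for a placeholder in a Password-mode TextBox at all.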
