Remembering User accounts without using cookies.

Ryan Ternier

Hey!

We need a solution for a problem. We're designing a site where users hate...
absolutely hate... with a passion to sign in with a user name / password
system. They want to sign in once, and that's it.

Users are all behind an internal IP so we can't use the old method of
remembering IPs as that would mess up user preferences. We really don't
like using cookies either. Is there another method we could use? Encrypted
XML on the client's machine was brought up, but that still has security
issues.

Are there other options for this scenario?


/RT
The Monkey at the Keyboard
 
John Saunders

Ryan Ternier said:
Hey!

We need a solution for a problem. We're designing a site where users hate...
absolutely hate... with a passion to sign in with a user name / password
system. They want to sign in once, and that's it.

Users are all behind an internal IP so we can't use the old method of
remembering IPs as that would mess up user preferences. We really don't
like using cookies either. Is there another method we could use? Encrypted
XML on the client's machine was brought up, but that still has security
issues.

What's wrong with cookies?
 
Marina

If you don't want cookies, you are pretty much out of options. IE Security
wouldn't let you write any files on the client's machines.

I'm not sure what you have against cookies, that is a pretty standard way of
accomplishing this. You can encrypt the password before storing it in the
cookie.
 
Ryan Ternier

It's not that cookies won't cut it, it's that the lead Designer doesn't want
to use them... plus the people that will be using this system have a system
tighter than... to put it in plain terms... if they wanted to download an
image to their computer, they'd have to go through about 5 different levels
of management to get an OK for it.
 
John Saunders

If they use IE, I would think they'd be ok with cookies. They can explicitly
control from which sites to accept cookies, and I believe that list can be
locked by using Group Policy, so that individuals can't change it.
 
Marina

Well, they can't have their cake and eat it too.
Meaning, that if they are unwilling to do something as harmless as to allow
cookies to come from your site - they can't then expect to have the username
and password remembered.

In fact, any other solution - like storing encrypted XML files, etc, would
actually be less secure. Imagine if a web site can write any file it wants
to, to your computer - what a huge security hole!

And again, there is nothing stopping you from encrypting whatever it is you
want to store in the cookie, to make sure that it is safe.
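
The suggestion in this thread to protect whatever goes into the cookie, shown as an added example that is not part of the original posts. It uses a swapped-in technique: instead of encrypting the password, it stores only a user id and expiry, signed with an HMAC so the server can detect tampering. `SERVER_KEY`, `MAX_AGE`, the token layout and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key (assumption); a real server loads a random secret.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 30 * 24 * 3600  # assumed "sign in once" lifetime: 30 days

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def issue_cookie(user_id: str, now: Optional[float] = None) -> str:
    """Cookie value: base64(user_id|expiry) + '.' + base64(HMAC-SHA256)."""
    issued = time.time() if now is None else now
    payload = f"{user_id}|{int(issued + MAX_AGE)}".encode()
    return b64e(payload) + "." + b64e(sign(payload))

def verify_cookie(value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    current = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = value.split(".")
        payload, mac = b64d(payload_b64), b64d(mac_b64)
    except ValueError:
        return None  # malformed value: wrong shape or bad base64
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(mac, sign(payload)):
        return None  # edited or forged by the client
    try:
        user_id, expires = payload.decode().rsplit("|", 1)
        expiry = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None
    if current >= expiry:
        return None  # expired: the user must sign in again
    return user_id
```

The password never leaves the server in this design, so a copied cookie exposes a revocable token rather than a credential.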
 
