asp.net "Remember Me" cookie
Asked Answered
E

3

5

I have implemented remember me option in my asp.net webform by using this,

protected void LBtnSubmit_Click(object sender, EventArgs e)
 {
  if (this.ChkRememberme != null && this.ChkRememberme.Checked == true)
  {
     HttpCookie cookie = new HttpCookie(TxtUserName.Text, TxtPassword.Text);
     cookie.Expires.AddYears(1);
     Response.Cookies.Add(cookie);
  }
}

Am i doing it the right way? Any suggestion.. I am using windows authentication and i am not using asp.net membership..

Enunciation answered 28/7, 2010 at 17:23 Comment(0)
F
12

Rather than directly storing the username and password in the cookie, store the username and a hash of the password and a salt in the cookie, then when you authenticate the cookie, retrieve the password for the given username, re-create the hash with the password and the same salt and compare them.

Creating the hash is as simple as storing the password and salt values together in a string, converting the string to a byte array, computing the hash of the byte array (using MD5 or whatever you prefer) and converting the resulting hash to a string (probably via base64 encoding).

Here's some example code:

// Create a hash of the given password and salt.
public string CreateHash(string password, string salt)
{
    // Get a byte array containing the combined password + salt.
    string authDetails = password + salt;
    byte[] authBytes = System.Text.Encoding.ASCII.GetBytes(authDetails);

    // Use MD5 to compute the hash of the byte array, and return the hash as
    // a Base64-encoded string.
    var md5 = new System.Security.Cryptography.MD5CryptoServiceProvider();
    byte[] hashedBytes = md5.ComputeHash(authBytes);
    string hash = Convert.ToBase64String(hashedBytes);

    return hash;
}

// Check to see if the given password and salt hash to the same value
// as the given hash.
public bool IsMatchingHash(string password, string salt, string hash)
{
    // Recompute the hash from the given auth details, and compare it to
    // the hash provided by the cookie.
    return CreateHash(password, salt) == hash;
}

// Create an authentication cookie that stores the username and a hash of
// the password and salt.
public HttpCookie CreateAuthCookie(string username, string password, string salt)
{
    // Create the cookie and set its value to the username and a hash of the
    // password and salt. Use a pipe character as a delimiter so we can
    // separate these two elements later.
    HttpCookie cookie = new HttpCookie("YourSiteCookieNameHere");
    cookie.Value = username + "|" + CreateHash(password, salt);
    return cookie;
}

// Determine whether the given authentication cookie is valid by
// extracting the username, retrieving the saved password, recomputing its
// hash, and comparing the hashes to see if they match. If they match,
// then this authentication cookie is valid.
public bool IsValidAuthCookie(HttpCookie cookie, string salt)
{
    // Split the cookie value by the pipe delimiter.
    string[] values = cookie.Value.Split('|');
    if (values.Length != 2) return false;

    // Retrieve the username and hash from the split values.
    string username = values[0];
    string hash = values[1];

    // You'll have to provide your GetPasswordForUser function.
    string password = GetPasswordForUser(username);

    // Check the password and salt against the hash.
    return IsMatchingHash(password, salt, hash);
}
Feudist answered 28/7, 2010 at 17:56 Comment(6)
@Erik i ve included all these in a class.. How to use them on my button click?Enunciation
I assume you mean your login button: in that case, just get the username and password as you usually would, call the 'CreateAuthCookie' method passing in the username, password, and salt (which is really just any arbitrary string, as long as you use the same one for every method call) - then do what you like with the cookie that method returns.Feudist
When it comes time to see if the user's already logged in, you just find your cookie by name (the 'YourSiteCookieNameHere'), and call the 'IsValidAuthCookie' method to compare the values in that cookie with the actual authentication data stored in your database. Don't forget to use the same salt.Feudist
I'm not sure what you're asking me to do here... If you've gotten this far, you should be able to do the rest yourself. After all - it is your project, not mine. =)Feudist
Great! =) Glad to hear I was able to help.Feudist
What is salt in here?Tomi
F
4

I would not store the users password in a cookie... Rather store the user id and the ip address in the cookie.

Froze answered 28/7, 2010 at 17:34 Comment(1)
use has to login again if user move from office/home wifiQuarterdeck
H
0

I would not store the ip / user id in the cookie. Session highjacking would then be really easy, I mean I know the username / ip of my collegues, I could add that cookie to my message and then I can work on the session of my collegue.

Hangman answered 17/4, 2013 at 18:57 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.