0

I am using ASP.NET and C#.While login, if the user checked remember password then i'm storing it in a cookie.So if they login for nexttime it will be displayed in password field.

This is the code i'm using for creating cookie.

                HttpCookie cookie = new HttpCookie("user");
                cookie.Values.Add("username", t_uname.Text);
                cookie.Values.Add("password", t_pass.Text);
                Response.Cookies.Add(cookie);

So while login for nexttime i am using this.

                t_uname.Text = HttpContext.Current.Request.Cookies["user"]["username"].ToString();
                string pass= HttpContext.Current.Request.Cookies["user"]["password"].ToString();
                t_pass.Attributes.Add("value", pass);

So instead of this i need to display the password in password field after typing the username.

Thanks..

Giri
  • 931
  • 11
  • 31
  • 51
  • 1
    Wouldn't `t_pass.Text = HttpContext.Current.Request.Cookies["user"]["password"].ToString();` do the trick? Why are you storing it as an attribute? – Tim Sep 22 '12 at 05:23
  • i am using TextMode=password.. So that wont work. – Giri Sep 22 '12 at 06:24
  • Are you wanting to display the password in plain text? Then change the `TextMode`....though I'm not sure what you're trying to accomplish in the long run as you seem to be doing an end-run around basic security.... – Tim Sep 22 '12 at 06:58
  • i want like this..suppose if 3 users are signing in consecutively.All of them are checked remember password.So when the particular user logs in and enter the username it need to display the password in password field for login.. – Giri Sep 22 '12 at 07:07
  • That's a really bad design from a security perspective, IMO. You're giving out user's passwords. The remember me functionality (which I'm not personally a fan of to start with) is designed to keep a user logged in (i.e., they can come back to the page later and not have to sign back in) or perhaps prepopulate their username, not to prepopulate their password and certainly not to do it in plain text. – Tim Sep 22 '12 at 07:10
  • Then how to do if more users are using the same system? – Giri Sep 22 '12 at 07:14
  • Store the username in a cookie, and either force them to reenter their password or have them flagged as still logged in in the database. – Tim Sep 22 '12 at 07:19
  • yeah.thanks.i understood.but i have requirement that need to display password in password field while typing username? Is that possible? – Giri Sep 22 '12 at 07:26
  • You are trying to re-invent what the browser already does when asking you 'do you want to remember this password'. **Remember me** means that next time I go on your site, it will automatically log me in, not that it will send me to the login screen with my password written for me. This is a **serious** security breach - don't do it. – Artless Sep 22 '12 at 13:16

2 Answers2

3

Do NOT store passwords in cookies! Cookies are plain text files, which means your users' cookies will get stolen and accounts will be hijacked.

Why are you not using the built in Authentication services provided in ASP.NET? It's pretty easy to do.

Artless
  • 4,522
  • 1
  • 25
  • 40
  • If you absolutely must store the password in a cookie, at the very least hash it before doing so, and consider setting the https only property on the cookie. – Tim Sep 22 '12 at 07:12
1

Your requirement is not completely clear. However if you want Remember me implementation. Have a look at the following link.

asp.net "Remember Me" cookie

What is the best way to implement "remember me" for a website?

Community
  • 1
  • 1
Pushpendra
  • 814
  • 1
  • 6
  • 17