I have a login page with "remember me" option.

If the user wishes to save his credentials in the system using the "remember me" option, the details are saved using cookies.

The next time the user visits the site, the credentials are taken from the cookies as expected.

I noticed that these values are not encrypted when saved in the cookie, so I can use "Inspect element" in Chrome to find the value of the password textbox (taken from the cookie).

Is there any way I can prevent this? Either:

  1. Encrypt the values while saving them to the cookie
  2. Even if the user uses "Inspect Element", he will not be able to see the value of the textbox (almost impossible, I guess)
naveen
Robert_Junior
    Don't put the password in the cookie! DON'T DO IT! Even with encryption this is woefully, horribly insecure. There are other, better ways of implementing "remember me." If you are putting the password in a cookie (even encrypted) then your website's users are massively vulnerable. – Dan Puzey Dec 06 '13 at 11:38
  • Agree with @DanPuzey - you should not go down this approach at all. Implementing another system, such as FormsAuthentication as my answer suggests would be far more secure. – ctrlplusb Dec 06 '13 at 11:39

3 Answers

Are you using the credentials to log in the user on each request? I think you should reconsider your strategy: do the authentication once, and then use something like FormsAuthentication, which creates an encrypted session cookie containing the user identity.

Then you do not need to keep logging in the user, and you wouldn't need to worry about encrypting a standard cookie either (which is a very dangerous approach anyway).

For example, your login handling code could do:

using System.Web.Security;

// Inside your login handler, e.g. the POST action of your Login page/controller:
string username = Request.Form["username"];
string password = Request.Form["password"];
bool rememberMe = Request.Form["rememberMe"] == "on";

if (YourAuthenticationSystem.Authenticate(username, password))
{
    // Issues an encrypted, signed forms-authentication ticket cookie that holds the
    // user identity (never the password). rememberMe = true makes the cookie persistent.
    FormsAuthentication.SetAuthCookie(username, rememberMe);
}

As you can see, this method has support for a 'remember me' option.

You will need the web.config code:

<authentication mode="Forms">
  <forms name="TheNameOfYourAuthCookie" loginUrl="http://yourdomain.com/Login" path="/" domain="" timeout="40320" slidingExpiration="true" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>

Read more about FormsAuthentication here: http://msdn.microsoft.com/en-us/library/xdt4thhy(v=vs.100).aspx

ctrlplusb
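As an added illustration of the principle behind this answer (not ctrlplusb's code and not FormsAuthentication itself), here is a minimal signed ticket in Python: the cookie carries only the identity and an expiry, integrity-protected by an HMAC under a server-side key, so the password never leaves the server. SERVER_KEY, issue_ticket and verify_ticket are constructed names for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side secret (constructed placeholder; load it from a secret store in real use).
SERVER_KEY = b"replace-with-32-random-bytes-from-os.urandom"


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_ticket(username: str, remember_me: bool, now: Optional[float] = None) -> str:
    """Cookie value = base64(payload) + '.' + base64(HMAC(payload)).
    The payload holds only the identity and an expiry, never the password."""
    now = time.time() if now is None else now
    lifetime = 28 * 24 * 3600 if remember_me else 30 * 60  # persistent vs. short-lived
    payload = json.dumps({"user": username, "exp": int(now + lifetime)},
                         separators=(",", ":")).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(_sign(payload)).decode())


def verify_ticket(cookie_value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the ticket is intact and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        b64_payload, b64_mac = cookie_value.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload)
        mac = base64.urlsafe_b64decode(b64_mac)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, _sign(payload)):
        return None
    data = json.loads(payload)  # safe: the payload was produced by us (MAC verified)
    if data.get("exp", 0) < now:
        return None
    return data.get("user")
```

The client cannot alter the username or extend the expiry without the server key, and an expired or tampered cookie simply forces a fresh login.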

To encrypt a message or text like passwords you can use some DSA algorithm, which works based on a key and some prime numbers.

Another way to encrypt is by using hash tables / some built-in stored procedures; for example, Membership in C# uses this encryption, which is not possible to hack so easily...

  • I recommend that you not use cookies to store text like passwords using encryption. Use session variables to start and stop sessions; when sessions are started and authenticated, the browser itself asks to save your password, etc.
  • The best way most developers secure authentication is by using the tool in C# called Membership (which provides all features like log-in, log-out, user, Remember_Me etc. as built-in features from Microsoft C#). Please make use of it.

For more info: Membership - Log-in Cookies and Sessions (Microsoft site)

Rahul Uttarkar

Try setting the value as encrypted text:

// C# string literals use double quotes; 'cookieName' would not compile.
Response.Cookies["cookieName"].Value = MyEncryptMethod(model.rememberMe);
Murali Murugesan