0

I want to store the username and password in cookies. I encrypted the password using the MD5 hashing technique. So how can I store that encrypted password in cookies?

Nik

3 Answers

1

That's not the way. You put in some parameters such as timestamp, user agent, current IP, username, etc., but not the password. Now compute a hash for your token and send it as a cookie. That's how an authentication token is made.

For authenticating the user on log in, compute the hash on your server and compare it with the one in the DB. Don't ever send your hashed password over the line. For better practice you should use a salted hash for passwords. See this to get to know about salts.

Moreover, MD5 is hashing, not encryption. There is a lot of difference between the two. Also, use SHA instead of MD5. See this for details.

Awais Mahmood
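The token this answer describes, as an added example that is not code from the original post or from the question's ASP.NET application (written in Python rather than C# so the logic can be run as-is; the server key, TTL, client IP and user agent below are all constructed for the example). The cookie carries only non-secret fields plus an HMAC over them, so the password never leaves the server and any edit to the fields is detected:

```python
"""Signed authentication cookie: fields + HMAC-SHA256, no password inside.

Added example, not from the original post. Assumes a single server-side
secret (SERVER_KEY) and string-valued fields; everything else is standard
library.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for the example: a real server loads this from a key store and
# keeps it stable across restarts, otherwise every restart logs everyone out.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds before a token must be reissued


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _ua_fingerprint(user_agent: str) -> str:
    # Hash the UA so arbitrary bytes cannot break the cookie format.
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def make_token(username, client_ip, user_agent, key=SERVER_KEY, now=None):
    """Cookie value: base64url(JSON fields) + "." + HMAC-SHA256 over those bytes."""
    fields = {
        "u": username,
        "t": int(time.time() if now is None else now),
        "ip": client_ip,
        "ua": _ua_fingerprint(user_agent),
    }
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64(payload) + "." + _sign(payload, key)


def verify_token(token, client_ip, client_ua, key=SERVER_KEY, now=None):
    """Return the username if the token is authentic, unexpired and bound to
    this client; None otherwise. The MAC is checked first, so nothing in an
    unauthenticated payload is ever trusted."""
    now = time.time() if now is None else now
    try:
        encoded, mac = token.split(".", 1)
        payload = _unb64(encoded)
        authentic = hmac.compare_digest(_sign(payload, key), mac)
    except (ValueError, TypeError):
        return None  # malformed token
    if not authentic:
        return None  # forged, tampered, or signed under another key
    fields = json.loads(payload)
    if now - fields["t"] > TOKEN_TTL:
        return None  # expired
    if fields["ip"] != client_ip or fields["ua"] != _ua_fingerprint(client_ua):
        return None  # cookie replayed from a different client
    return fields["u"]


def tamper(token, new_username):
    """What an attacker can do: edit the username but keep the original MAC."""
    encoded, mac = token.split(".", 1)
    fields = json.loads(_unb64(encoded))
    fields["u"] = new_username
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64(payload) + "." + mac


def demo():
    ip, ua = "203.0.113.5", "Mozilla/5.0 (example)"  # constructed client
    tok = make_token("nik", ip, ua, now=1000)
    return {
        "valid": verify_token(tok, ip, ua, now=1500),
        "tampered": verify_token(tamper(tok, "admin"), ip, ua, now=1500),
        "other_client": verify_token(tok, "198.51.100.9", ua, now=1500),
        "expired": verify_token(tok, ip, ua, now=1000 + TOKEN_TTL + 1),
        "garbage": verify_token("not-a-token", ip, ua, now=1500),
        "wrong_key": verify_token(tok, ip, ua, key=b"\x00" * 32, now=1500),
    }
```

Two practical caveats: binding the token to the client IP, as the answer suggests, logs out mobile users whose address changes, so many deployments bind only to the user agent or skip binding and rely on the short TTL; and the cookie still needs the `Secure`, `HttpOnly` and `SameSite` attributes so the browser does not hand it to plaintext pages or scripts.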
0

You shouldn't store the username and password in the cookies because that's sent to the client. Even if it's hashed, especially if you are going to compare the hashed password received in the cookie with the one in the database directly. That breaks the purpose of hashing.

If you want to maintain the session of the user between requests, you should use the session ID. I'm not a C# expert, but with a quick Google I've found this:

HttpContext.Current.Session.SessionID

That's what I would store in the cookie.

  • But I am comparing the hashed password which is in the database with the hashed password. – Nik Jul 27 '16 at 11:08
  • That's a problem. The purpose of hashing is that, in case someone gets access to the hashed passwords, they can't authenticate to the server, because your server should run the hash function again and it won't match the hash stored in the database. – Javier Paz Sedano Jul 27 '16 at 11:16
  • Sorry for the double comment, I thought pressing enter would insert a blank line instead of sending. Well, I was saying that if you compare the data received with the database hashes directly, if someone gets access to the hashes, they will be able to authenticate to the server. The objective of hashing is having in the database different data from what the client has to send. – Javier Paz Sedano Jul 27 '16 at 11:20
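The point made in these comments, as an added example that is not code from the answer or the asker's application (Python rather than C#, so it runs stand-alone; the user table, session table, PBKDF2 choice and the "nik" account are constructed for the example). The first function is the asker's design, where the cookie carries the stored hash and the server compares it directly; the rest is the answer's design, where the server hashes whatever password it receives and the cookie carries only a random session ID:

```python
"""Why a cookie holding the stored hash defeats hashing, and the session-ID
alternative. Added example, not from the original answers.

Assumed: in-memory USERS and SESSIONS tables; PBKDF2-HMAC-SHA256 stands in
for whatever password hash the real application uses.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERS = 100_000  # constructed; tune to your hardware


def hash_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS)
    return salt, digest


# Constructed user table: only salt + hash are stored, never the password.
USERS = {}


def register(username, password):
    USERS[username] = hash_password(password)


def broken_cookie_login(username, cookie_hash):
    """The asker's design. The cookie carries the stored hash and the server
    compares it to the database value, so anyone holding a dump of the
    database (or a copied cookie) logs in without knowing the password."""
    rec = USERS.get(username)
    if rec is None:
        return False
    _, stored = rec
    return hmac.compare_digest(stored, cookie_hash)


def password_login(username, password):
    """The answer's design. The client sends the password once, over TLS, at
    login; the server recomputes the salted hash and compares. A leaked hash
    is useless here because the server hashes whatever it receives."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


# Constructed session table; the cookie holds only the random key of this map.
SESSIONS = {}


def start_session(username, password):
    """Successful login yields a random session ID; only that goes in the cookie."""
    if not password_login(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"username": username}
    return sid


def user_for_cookie(sid):
    rec = SESSIONS.get(sid)
    return rec["username"] if rec else None


def logout(sid):
    SESSIONS.pop(sid, None)


def demo():
    register("nik", "correct horse")
    _, leaked_hash = USERS["nik"]  # what an attacker gets from a DB dump
    sid = start_session("nik", "correct horse")
    result = {
        "broken_accepts_leaked_hash": broken_cookie_login("nik", leaked_hash),
        "proper_rejects_leaked_hash": password_login("nik", leaked_hash.hex()),
        "proper_accepts_password": password_login("nik", "correct horse"),
        "proper_rejects_wrong_password": password_login("nik", "wrong"),
        "session_resolves": user_for_cookie(sid),
        "forged_session_resolves": user_for_cookie("not-a-real-session-id"),
    }
    logout(sid)
    result["after_logout"] = user_for_cookie(sid)
    return result
```

In ASP.NET the `SESSIONS` map is what `HttpContext.Current.Session` already gives you: the framework generates the random ID, sends it as the session cookie, and keeps the data on the server, so the application only has to perform the password check once and then store the username in the session.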
0

I would not recommend this to anyone...

Rather, get the passwords from the user and save them in a session to use throughout the user's connection period, and if you want the user to use that same password and log in later, you will have to have a database that you store the data in.

So to store the information, do as follows:

Session["username"] = txtusername.Text;

Then to use it again on a different page or somewhere else:

string username = Session["username"].ToString();
Neil