Does My Auto Login Strategy Make Sense?

  • dougloj

    Does My Auto Login Strategy Make Sense?

    Hi.

    I have an ASP.NET application written in C#. To log in, a user must
    provide their email address and password. I already give the user a
    "Remember my Email Address" check box. If they check it when logging
    in, I store the email address in a cookie and automatically display
    the address when they log in again.

    I now want to give the user a "Remember my Password" checkbox. If they
    check this new checkbox, I'm planning on encrypting the password and
    storing it in a cookie that won't expire for maybe a year.

    If the user decides to have the password saved, the next time they log
    in, I will display the login window. In the login window, I use an
    asp:TextBox control for the password with the TextMode set to
    Password. Because the TextMode is Password, I can't figure out a way
    to assign a value to the TextBox's Text field in my C# code. Ideally,
    I'd like to just assign the stored password to the field. So, if the
    user has the password stored in a cookie, I would change the TextMode
    of the TextBox to SingleLine, assign a string value of "*******" to
    the Text field, check the stored password from the cookie against the
    database value, and proceed accordingly.

    I'm thinking of this approach because if the user no longer wants the
    password stored, I can expire the cookie, and the next time the user
    logs in, keep the password TextBox's TextMode as Password, and have
    the user enter the password.

    If the user ever changes the password, I will automatically expire the
    cookie, and the user will have to enter the password and decide to
    have it saved or not the next time they log in.

    Does this approach make sense?

    All ideas are appreciated.

    -Doug

  • Patrice

    #2
    Re: Does My Auto Login Strategy Make Sense?

    Not sure which point you questioned, but I would avoid storing the
    password at all, even encrypted.

    I would try to see if I could assign some random value to this cookie (such
    as a GUID) each time the user enters his password, and store it. The side
    effect is that if he logs on on another machine and asks to be remembered, a
    new value is issued and it's no longer possible to be automatically logged on
    the previously used computer (which can be good or bad depending on your
    point of view; IMO it's good, as even if you do that on a public computer it
    will become invalid once you log on on another computer). Also change this
    value if the user changes his password.

    If the cookie is stolen, the attacker will be able to log in. But if the user
    logs in again (having this time to use his password) and asks again to be
    remembered, the value will change and the attacker will become unable to log
    in again (he will be able to log in forever depending on how you encrypted the
    password; of course you could also combine the GUID value and something else,
    as you would have done to further secure the password).

    Don't know if it's standard, but the idea is to avoid storing something client
    side unless you really need it (and strictly speaking you don't need the
    password client side, you just need to know the user entered the correct
    password previously on this machine).

    Finally, for the UI, AFAIK some sites don't just display the password box if
    the user is remembered. You have a link that enables showing the box again
    when needed.

    The textbox with the password style is read only.

    --
    Patrice

    "dougloj" <dougloj@msn.com> wrote in message
    news:1171607979.589850.209280@m58g2000cwm.googlegroups.com...


    • Bruno Alexandre

      #3
      Re: Does My Auto Login Strategy Make Sense?

      in a single word: No!

      only because saving passwords on computers is not the best way to do it! how
      about security issues?
      a guy goes to a friend's house, asks to send an email, sees the site, enters,
      changes to his own password, and then... ohh well, you see the picture!

      if you still want to proceed with such a thing, do it simple:

      USERNAME: <TEXTBOX TEXT>
      PASSWORD: <TEXTBOX PWD>

      you write the cookie for email, and if you find a cookie named "SAVE_PWD" you
      automatically put in the <TEXTBOX PWD> something hard to guess like
      "PWD@COOKIE !" (it will show ********** to the user)

      when performing the LOGIN see if the password is "PWD@COOKIE !"
      and then you can search for the encrypted password in the cookies collection
      and perform a comparison with the one in the Database...

      if everything is ok, log in the user; on any problem say "please enter your
      password for security purposes"

      AND PLEASE !!! don't save the PWD for A YEAR !!! TWO WEEKS tops !!
      a lot happens within a year, and have a link "I forgot my password" and send
      a link to reset the pwd to that email if you find it in the database.


      hope it helps.

      --

      Bruno Alexandre
      Strøby, Danmark

      "a Portuguese in Denmark"



      "dougloj" <dougloj@msn.com> wrote in message
      news:1171607979.589850.209280@m58g2000cwm.googlegroups.com...
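      The two replies above describe the same idea from different angles: Patrice's random per-user value that is stored server side, replaced on every remembered login and on a password change, and Bruno's insistence on a short lifetime instead of a year. The block below is an added, language-neutral model of that scheme written for this thread; it is not code from any of the posters and not ASP.NET-specific. It assumes an in-memory dictionary standing in for the users table, a 14-day lifetime taken from Bruno's "two weeks tops", and a placeholder password hash (a real application would use a slow salted hash such as PBKDF2 or bcrypt). Only a SHA-256 digest of the cookie token is kept on the server, so a copy of the database does not yield working cookies, and the user's password never reaches the client.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Constructed for the example: Bruno's cap of two weeks, not Doug's one year.
REMEMBER_ME_TTL_SECONDS = 14 * 24 * 3600


@dataclass
class RememberMeRecord:
    token_hash: bytes   # only a digest of the cookie value is stored server side
    expires_at: float   # absolute Unix time after which the cookie is dead


@dataclass
class UserStore:
    """In-memory stand-in for the database (constructed for the example)."""
    password_hashes: Dict[str, str] = field(default_factory=dict)
    remember_me: Dict[str, RememberMeRecord] = field(default_factory=dict)


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def _hash_password(email: str, password: str) -> str:
    # Placeholder only: use PBKDF2/bcrypt/Argon2 with a per-user salt in real code.
    return hashlib.sha256(f"{email}:{password}".encode("utf-8")).hexdigest()


def register(store: UserStore, email: str, password: str) -> None:
    store.password_hashes[email] = _hash_password(email, password)


def password_login(store: UserStore, email: str, password: str) -> bool:
    expected = store.password_hashes.get(email)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _hash_password(email, password))


def issue_remember_me(store: UserStore, email: str, now: float) -> str:
    """Call only after a successful password login with the box ticked.

    Returns the value to place in the cookie. Any earlier token for this user
    is replaced, which is Patrice's side effect: a remembered session on another
    machine, or a stolen copy of the old cookie, stops working from now on.
    """
    token = secrets.token_urlsafe(32)
    store.remember_me[email] = RememberMeRecord(
        token_hash=_hash_token(token),
        expires_at=now + REMEMBER_ME_TTL_SECONDS,
    )
    return token


def cookie_login(store: UserStore, email: str, token: str, now: float) -> bool:
    """Validate a presented cookie without the password ever being involved."""
    record = store.remember_me.get(email)
    if record is None:
        return False
    if now >= record.expires_at:
        del store.remember_me[email]   # expired: drop it so it cannot be replayed later
        return False
    return hmac.compare_digest(record.token_hash, _hash_token(token))


def change_password(store: UserStore, email: str, new_password: str) -> None:
    store.password_hashes[email] = _hash_password(email, new_password)
    store.remember_me.pop(email, None)  # every remembered machine must re-enter the password


def forget_me(store: UserStore, email: str) -> None:
    """The user unticked the box: revoke server side, then expire the cookie client side."""
    store.remember_me.pop(email, None)
```

      The cookie itself should carry only the token (and the email, which the site already stores), be flagged HttpOnly and Secure, and be set with the same 14-day expiry as the record; the server-side expiry check is what actually enforces the limit, since a client can present an old cookie regardless of what the browser was told.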
