ASP.NET cookie auto log in

Ok, it is NEVER a good idea to store a cookie on a client's machine with an ID, or a username and password, in the cookie: anyone who steals the cookie has the credentials. Come on, cookies are good to eat, chocolate chip cookies are my fav! Anyway, take a look at this. I think joomla does something like this and I don't take all the credit, but this works great:

1. Obviously, a login.aspx page with a checkbox to save my login.

2. Every time the user is logged in, either by themselves or through the cookie, it deletes the old cookie row in the table, writes a new one, and updates the cookie on the client (or adds the cookie if the client has none).

I call this routine when the login is successful:

Public Sub doChocolateChipCookies()
    ' I use a dataset object; cookiesTableAdapter is the adapter for my cookies table
    Using cooks As New dsTableAdapters.cookiesTableAdapter
        Dim q, s, t As String
        Dim expires As Date

        ' userGuid and userSessionId are stand-ins for however you load these two
        ' values; both are stored in the user table
        q = userGuid            ' a GUID that is stored in the user table
        s = userSessionId       ' the current session ID from the server that I save
        t = RandomQIDNumber()   ' see function below; this is new each time

        ' keep the original expiry if this user already has a cookie row, else 90 days
        Dim dt As Data.DataTable = cooks.GetDataByExpires(q)
        If dt.Rows.Count > 0 Then
            expires = CDate(dt.Rows(0)("expires"))
        Else
            expires = Date.Today.AddDays(90)
        End If
        dt.Dispose()

        Response.Cookies("epauth")("epq") = q 'guid to look up user to log them in with
        Response.Cookies("epauth")("eps") = s 'series to match with token from db and cookie sent
        Response.Cookies("epauth")("ept") = t 'token to match with db and cookie
        Response.Cookies("epauth").Expires = expires

        'if the "s" does NOT match "t", someone could have stolen the cookie; we will clear all
        'of this user's cookies from the db and require the user to log in again...

        'remove any old cookies from the db: on every login, or cookie login (see later in
        'this post), we delete old cookies out of the table
        cooks.DeleteQuery(q, s)

        'add the new one
        cooks.Insert(q, s, t, expires)
    End Using
End Sub


Public Function RandomQIDNumber() As String
    ' token value: a fresh GUID with the current second appended
    Return String.Format("{0}{1}", System.Guid.NewGuid(), Now.Second)
End Function


Ok, now when the session expires (I store info in Session and in a session table in SQL 08; my sessions are stored via SQL, not cookie based), I call this function and pass in the cookie if one is found:

If Not Request.Cookies("epauth") Is Nothing Then
    If Not checkChocolateChipCookie(Request.Cookies("epauth")) Then
        Session("epexp") = "y"
        Response.Redirect("login.aspx")
    End If
End If


Public Function checkChocolateChipCookie(ByVal cookie As HttpCookie) As Boolean
    Dim q, s, t As String
    Dim bln As Boolean

    q = cookie.Item("epq")
    s = cookie.Item("eps")
    t = cookie.Item("ept")

    ' I have a cookie table in the db and a dataset routine that gets a table by all three values
    Using cooks As New dsTableAdapters.cookiesTableAdapter
        Dim dt As Data.DataTable = cooks.GetDataByAuth(q, s, t)
        If dt.Rows.Count > 0 Then
            'let's set up a current user (objUser is my own user class)
            Session("CurrentUser") = New objUser(q)
            'set up a new cookie and delete the old one
            doChocolateChipCookies()
            bln = True
        Else
            'possible security issue, remove all of this user's cookies
            cooks.DeleteQuery1(q)
            bln = False
        End If
        dt.Dispose()
    End Using
    Return bln
End Function
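The q/s/t scheme from the two routines above, modelled in Python as an added example (not the post's VB.NET code) so the rotate-and-revoke logic can be run on its own; the in-memory table, function names and the stolen-cookie walk-through are constructed, and it swaps in a CSPRNG token and hashed storage.

```python
"""Python model of the post's q/s/t 'remember me' scheme (added example, not the
post's VB.NET code). Rows mirror the cookies table: q = user GUID, s = series,
t = token, expires. Two changes a defender wants: the token comes from a CSPRNG
instead of Guid.NewGuid + Now.Second, and only its hash is stored, so a leaked
table cannot be turned into valid cookies."""
import hashlib
import secrets
import uuid
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# constructed in-memory stand-in for the post's cookies table: (q, s) -> (token hash, expires)
_table: Dict[Tuple[str, str], Tuple[str, date]] = {}

def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_cookie(q: str, s: Optional[str] = None) -> Dict[str, str]:
    """doChocolateChipCookies: start a new series on a password login (s is None) or
    rotate the token of an existing series; the expiry of an existing row is kept."""
    if s is None:
        s = uuid.uuid4().hex
    old = _table.pop((q, s), None)                      # the post's DeleteQuery(q, s)
    expires = old[1] if old else date.today() + timedelta(days=90)
    t = secrets.token_urlsafe(32)
    _table[(q, s)] = (_hash(t), expires)               # the post's Insert(q, s, t, expires)
    # the real cookie carrying these values should also be HttpOnly and Secure
    return {"epq": q, "eps": s, "ept": t}

def check_cookie(cookie: Dict[str, str]) -> Optional[Dict[str, str]]:
    """checkChocolateChipCookie: return a rotated cookie on success, None otherwise.
    An unknown series is just a stale cookie. A known series with the wrong token means
    a copy was already replayed, so every series of the user is revoked ('remove all')."""
    q, s, t = cookie["epq"], cookie["eps"], cookie["ept"]
    row = _table.get((q, s))
    if row is None:
        return None
    token_hash, expires = row
    if expires < date.today():
        del _table[(q, s)]
        return None
    if not secrets.compare_digest(token_hash, _hash(t)):
        for key in [k for k in _table if k[0] == q]:   # the post's DeleteQuery1(q)
            del _table[key]
        return None
    return issue_cookie(q, s)

def active_series(q: str) -> int:
    """Live series for a user (a 'log out everywhere' view would show these)."""
    return sum(1 for k in _table if k[0] == q)
```

Replaying a copied cookie after the real one has already been rotated revokes every series for that user, which is the detection the post's comment describes rather than a way to stop the first replay.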


Hope this helps!

posted @ Friday, March 06, 2009 10:20 AM


Comments on this entry:

# re: ASP.NET cookie auto log in

Left by jack at 5/20/2009 11:31 PM
Thanks for the tutorial, just one question. When you say
"'if the "s" does NOT match "t", someone could have stolen the cookie we will clear all cookies from the db"
If someone wants to steal your cookie, they just steal all of q, s, t and expires. So now if they copy the cookie across to another computer before we get a chance to change the cookie, they can log in just like the real user. Is there any way we can prevent it?

# re: ASP.NET cookie auto log in

Left by Tim Maxey at 7/20/2009 8:22 AM
Jack, you are right, if someone did copy it, they could get in. This method is similar to Drupal's CMS. Cookies are never 100%, well, nothing is, but this method I found to be "higher" in security. Now you could check the IP address in this routine; my IP address with cable doesn't change much, and if it did, I would just have to log in again. If someone's IP changes all the time, that wouldn't work very well for that user...

# re: ASP.NET cookie auto log in

Left by Directory Submission Service at 7/31/2009 9:54 AM
It's always good to learn tips like the ones you share for blog posting. As I just started posting comments for blogs and am facing the problem of lots of rejections, I think your suggestion would be helpful for me. I will let you know if it works for me too.
Thanks, and keep posting such informative blogs.

# re: ASP.NET cookie auto log in

Left by software developer at 10/26/2009 11:30 AM
Humm... interesting,

this is a really helpful article,

Anyway, thanks for the post


Over 13 years of Internet experience and website marketing. Tim Maxey's Tech Blog. Set out to help the lives of others by making their programming easier. No one is the "best" programmer, every good programmer knows that, or should. Always keep learning and if you do not like it, get out of it. Do what makes you happy! My main purpose is to help youth and also anyone for that matter learn they can make a good living in technology!