Tim Maxey .NET Technology Blog & Resources

ASP.NET cookie auto log in

It is never a good idea to store a cookie on a client's machine that holds a user ID, or a username and password: anyone who steals the cookie has the credentials. (Cookies are still good to eat; chocolate chip are my favourite.) What follows is a series/token scheme instead. I think Joomla does this and I don't take all the credit, but it works great:

1. A login.aspx page with a "remember me" checkbox to save the login.

2. Every time the user is logged in, either by entering credentials or via the cookie, the old row is deleted from the cookies table, a new row is written, and the cookie on the client is updated (or created if it did not exist yet).

I call this function when the login is successful:

Public Sub doChocolateChipCookies()
    ' Called on every successful login, whether from the form or from the cookie.
    ' cooks is a typed DataSet table adapter for the cookies table.
    Using cooks As New dsTableAdapters.cookiesTableAdapter
        Dim q, s, t As String
        Dim expires As Date

        ' q: a GUID stored in the user table, used to look the user up
        ' s: the current server session ID, also stored in the user table (the "series")
        ' t: a fresh random token, new on every login (see RandomQIDNumber below)
        ' userGuid and sessionId are placeholders for however you read them from the user table
        q = userGuid
        s = sessionId
        t = RandomQIDNumber()

        ' Keep the user's original expiry date so rotating the token never extends it;
        ' only a user with no row yet gets a new 90-day window.
        Using dt As Data.DataTable = cooks.GetDataByExpires(q)
            If dt.Rows.Count > 0 Then
                expires = CDate(dt.Rows(0)("expires"))
            Else
                expires = Date.Today.AddDays(90)
            End If
        End Using

        Response.Cookies("epauth")("epq") = q 'guid to look up the user to log them in with
        Response.Cookies("epauth")("eps") = s 'series, matched against the row in the db
        Response.Cookies("epauth")("ept") = t 'token, matched against the row in the db
        Response.Cookies("epauth").Expires = expires
        Response.Cookies("epauth").HttpOnly = True 'keep the cookie out of reach of client-side script

        'If a presented cookie's series/token pair does not match the db, someone could have
        'stolen the cookie: checkChocolateChipCookie then clears every row for this user
        'and requires the user to log in again.

        'remove the old row for this user/series (done on every login, form or cookie)
        cooks.DeleteQuery(q, s)

        'add the new one
        cooks.Insert(q, s, t, expires)
    End Using
End Sub


Public Function RandomQIDNumber() As String
    ' The per-login token: a new GUID with the current second appended.
    ' Guid.NewGuid is unique but is not documented as cryptographically random;
    ' for a bearer token, bytes from RNGCryptoServiceProvider are the safer source.
    Return String.Format("{0}{1}", System.Guid.NewGuid(), Now.Second)
End Function


Now, when the session expires (I keep user info in Session, backed by a session table in SQL Server 2008, so my sessions are stored in SQL rather than in a cookie), I call this function, passing in the cookie if one is found:

If Not Request.Cookies("epauth") Is Nothing Then
    If Not checkChocolateChipCookie(Request.Cookies("epauth")) Then
        Session("epexp") = "y" 'mark the saved login as expired before sending the user to the login page
        Response.Redirect("login.aspx")
    End If
End If


Public Function checkChocolateChipCookie(ByVal cookie As HttpCookie) As Boolean
    ' Looks the cookie's three values up in the cookies table (GetDataByAuth is a
    ' typed DataSet query that matches on all three). On a match the user is logged
    ' in and a new token issued; otherwise the cookie is treated as suspect and
    ' every row for that user is removed.
    Dim q, s, t As String
    Dim bln As Boolean = False

    q = cookie("epq")
    s = cookie("eps")
    t = cookie("ept")

    ' a cookie missing any of the three values cannot be looked up: reject it without touching the table
    If String.IsNullOrEmpty(q) OrElse String.IsNullOrEmpty(s) OrElse String.IsNullOrEmpty(t) Then
        Return False
    End If

    Using cooks As New dsTableAdapters.cookiesTableAdapter
        Using dt As Data.DataTable = cooks.GetDataByAuth(q, s, t)
            If dt.Rows.Count > 0 Then
                'set up the current user (objUser is my user class, built from the GUID)
                Session("CurrentUser") = New objUser(q)
                'issue a new cookie and delete the old row
                doChocolateChipCookies()
                bln = True
            Else
                'possible security issue (stolen or replayed cookie): remove every row for this user
                cooks.DeleteQuery1(q)
                bln = False
            End If
        End Using
    End Using

    Return bln
End Function
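As an added example that is not part of the original post, here is the same series/token scheme modelled in Python, with an in-memory sqlite3 table standing in for the cookies table (CookieStore, issue, check, theft_scenario and expiry_scenario are names assumed for this example; the column names q, s, t and expires follow the post). It goes a little beyond the VB.NET above: the token comes from a CSPRNG, is compared in constant time, and the stored expiry is checked on the server rather than left to the browser. theft_scenario walks through what happens when a copied cookie is used before the real user comes back.

```python
# Added example (not the post's VB.NET code): the series/token "remember me"
# scheme above, with an in-memory sqlite3 table standing in for the post's
# cookies table. CookieStore, issue, check and the scenario functions are
# names assumed here; q, s, t, expires follow the post.
import secrets
import sqlite3
from datetime import date, timedelta

COOKIE_DAYS = 90  # the post keeps the first expiry for 90 days, then requires a real login


class CookieStore:
    """Stands in for the post's cookiesTableAdapter: one table of (q, s, t, expires)."""

    def __init__(self, today=None):
        self.today = today or date.today()   # injectable so expiry can be exercised
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE cookies (q TEXT, s TEXT, t TEXT, expires TEXT)")

    def issue(self, q, s):
        """doChocolateChipCookies: replace the (q, s) row with a fresh token and
        keep the user's original expiry, so rotating the token never extends it."""
        row = self.db.execute("SELECT expires FROM cookies WHERE q = ?", (q,)).fetchone()
        expires = row[0] if row else (self.today + timedelta(days=COOKIE_DAYS)).isoformat()
        t = secrets.token_urlsafe(32)        # CSPRNG token instead of Guid.NewGuid + seconds
        self.db.execute("DELETE FROM cookies WHERE q = ? AND s = ?", (q, s))
        self.db.execute("INSERT INTO cookies VALUES (?, ?, ?, ?)", (q, s, t, expires))
        return {"epq": q, "eps": s, "ept": t}   # the values that go into the epauth cookie

    def check(self, cookie):
        """checkChocolateChipCookie: on a match, rotate the token and return the new
        cookie (the caller logs q in); otherwise wipe every row for q and return None."""
        q, s, t = (cookie.get(k) for k in ("epq", "eps", "ept"))
        if not (q and s and t):
            return None                      # malformed cookie: nothing to look up or wipe
        row = self.db.execute("SELECT t, expires FROM cookies WHERE q = ? AND s = ?",
                              (q, s)).fetchone()
        ok = (row is not None
              and secrets.compare_digest(row[0].encode(), t.encode())  # constant-time compare
              and date.fromisoformat(row[1]) >= self.today)             # server-side expiry
        if not ok:
            # unknown pair, stale token or expired cookie: as in the post, treat it as
            # possibly stolen and drop every row for this user, forcing a real login
            self.db.execute("DELETE FROM cookies WHERE q = ?", (q,))
            return None
        return self.issue(q, s)


def theft_scenario():
    """An attacker copies the cookie and uses it before the victim returns.
    Returns (attacker_got_in, victim_then_rejected, attacker_then_rejected)."""
    store = CookieStore(today=date(2009, 5, 20))
    victim = store.issue("user-guid-1", "series-A")   # victim ticks "remember me"
    stolen = dict(victim)                             # attacker copies the whole cookie
    attacker = store.check(stolen)                    # accepted: attacker now holds the rotated token
    victim_after = store.check(victim)                # victim's old token no longer matches: wipe
    attacker_after = store.check(attacker)            # attacker's rotated token died in the wipe
    return (attacker is not None, victim_after is None, attacker_after is None)


def expiry_scenario():
    """Expiry survives rotation: the first expiry is kept, so 91 days after issue
    the cookie is refused even though it was rotated on day 0."""
    store = CookieStore(today=date(2009, 5, 20))
    rotated = store.check(store.issue("user-guid-1", "series-A"))
    store.today = date(2009, 8, 19)                   # 91 days after issue
    return (rotated is not None, store.check(rotated) is None)
```

The theft scenario is the point of the scheme: a copied cookie does work until the real user next shows up, but that visit fails the token match, wipes the table for that user, and kills the attacker's rotated cookie at the same time. In the real ASP.NET cookie, also set HttpOnly and, on an HTTPS site, Secure, so the value is harder to copy in the first place.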


Hope this helps!


Feedback

# re: ASP.NET cookie auto log in

Thanks for the tutorial, just one question. When you say
"'if the "s" does NOT match "t", someone could have stollen the cookie we will clear all cookies from the db"
If someone wants to steal your cookie, they just steal all of q, s, t and expires. So now if they copy the cookie across to another computer before we get a chance to change the cookie, they can log in just like the real user. Is there any way we can prevent it?
5/20/2009 11:31 PM | jack

# re: ASP.NET cookie auto log in

Jack, you are right, if someone did copy it, they could get in. This method is similar to Drupal's CMS. Cookies are never 100%, well, nothing is, but this method I found to be "higher" in security. Now you could check the IP address in this routine; my IP address with cable doesn't change much, and if it did, I would just have to log in again. If someone's IP changes all the time, that wouldn't work very well for that user...
7/20/2009 8:22 AM | Tim Maxey

# re: ASP.NET cookie auto log in

It's always good to learn tips like the ones you share for blog posting. As I have just started posting comments on blogs and am facing the problem of lots of rejections, I think your suggestion would be helpful for me. I will let you know if it works for me too.
Thanks, and keep posting such informative blogs.
7/31/2009 9:54 AM | Directory Submission Service

# re: ASP.NET cookie auto log in

Humm... interesting,

this is a really helpful article,

Anyway, thanks for the post
10/26/2009 11:30 AM | software developer
