Using "Remember Me" functionality for authentication in .NET 2.0

Question

My client wants me to enable a "Remember Me" checkbox when the user logs in. I am encrypting and storing both the username and password in a cookie.

However, you cannot write to a textbox when it's in password mode.

I've seen this done numerous times, so how are they doing it?

thanks in advance!

Answer 1

How about instead of inserting the text into the login form, you just bypass the form completely and check the contents of the cookie right at the login page? Less work for the user, and it'll make it a little more seamless.

Answer 2

You can set the expiration of the cookie in 2 weeks to keep the user logged in. That's how ASP.NET authentication works with persistent authentication. Remember to update the expiration on every request.

Answer 3

Page_Load( ...)
 {
    ... process cookie ...
    if (cookie is good) Response.Redirect("content.aspx");
 }

Just remember to close and dispose any database activity before redirecting.

Answer 4

They don't want the user to automatically be logged in they just want the usernamd and password field pre-filled in.

I know it's stupid and the same thing as keeping you logged in, but it's their request.

I've mentioned that it's not the best security practice but they don't care.

sites like myspace use it, wher eyou go to myspace.com and your usernamd and password are already filled in.

Answer 5

I don't recall any web page doing something like that as you described but I think it's the web browsers automatically filling passwords. I know this is not a good solution but what you can do might be, setting the text of o normal textbox with stars or something like that in a different login page if there is a cookie to authenticate the user. You don't need to use the password from the textbox to authenticate the user anyway.

Answer 6

If your server-side code has access to their username and password from the cookie, then can't your page just populate the value attributes of the form fields like so:

<input type="text" name="username" value="<%=decryptedUsername%>" />
<input type="password" value="<%=decryptedPassword%>" />

Of course, this is pretty un-secure as you're echo-ing the users password back to them in plain-text (which is a big no-no). But as you say your client isn't that bothered about the security implications. If they are then SSL may help mitigate this risk.

Answer 7

Thatz quite straight forward, try using:

txtPass.Attributes["value"] = "123456"; (most probably on the page load event handler)

where txtPass is the id of the password textbox (in password mode). and the password u want displayed is 123456.

Answer 8

Is it possible for the text box to have the type changed? If so, can you make the text box normal and hidden, then put the password in there, then change the text box type to password type, then unhide it...