Hi all,

I want to store data in a cookie and I am not exactly sure how I will go about it.

The data is the UserName and Password values for the users that are logging into a website, e.g. something like this:

  UserName = bob, Password=Passw0rd1
  UserName = harry, Password=BLANK
  UserName = george, Password=R0jjd6s

What this means is that bob and george logged into the site and chose to have their password remembered, but harry chose for his password not to be remembered.

So on the login dialog a dropdown will be present with all the usernames in it 'bob', 'harry', 'george'. If they select the username bob the password will automatically be filled in, etc.

So how does that information need to be stored in the cookie? Like it is above, or does it have to be,

  UserName1 = bob, Password1=Passw0rd1
  UserName2 = harry, Password2=BLANK
  UserName3 = george, Password3=R0jjd6s

Are the username and password values actually stored in the same cookie, or is each piece of data separate? Any information would be good.

+1  A: 

Whether all the information should be stored in a single cookie or in multiple cookies depends on how many cookies you plan on creating and whether or not you want all the information to expire at the same time. Generally, for efficiency, you will group related data into a single cookie.

However, it is a bad practice to store passwords in a cookie, since this information would then be plain-text and easily readable by an attacker.

The following link provides some guidance on cookies and asp.net.

Ben.Vineyard
OK, so how does it work then if I select the option to 'Stay signed in' in gmail for example? I will have a look at the link too.
peter
Right, the link says to 'not do it'.
peter
peter
As far as how gmail accomplishes this, I couldn't say, but I am confident that they are not storing plain-text passwords in a cookie. Most likely they are storing an authentication token in a cookie, which is specific to the current session and passing this information along with the request, to identify the user. I would recommend that you have a look at Forms Authentication. It will make your life easier. More info @ http://www.asp.net/learn/security/tutorial-02-cs.aspx.
Ben.Vineyard
The gmail link only states that they use a cookie and _not_ what is actually stored in the cookie. You can still use cookies. I am not advocating against the use of cookies. I am simply recommending that you not store any sensitive information in plain-text form in the cookie.
Ben.Vineyard
Yep sure. Thanks for that. I will have to re-assess the situation.
peter
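
Added example, not part of the original thread and not ASP.NET's own implementation: one way to realise the "authentication token in a cookie" idea from the comments above, so that the cookie never contains the password. `RememberMeStore`, its in-memory dictionary (standing in for a database table) and the `selector:validator` cookie layout are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Hypothetical helper: random "remember me" tokens; only a hash of the secret part is stored.
public sealed class RememberMeStore
{
    private sealed class Entry { public string UserName; public byte[] ValidatorHash; public DateTime ExpiresUtc; }
    private readonly Dictionary<string, Entry> _bySelector = new Dictionary<string, Entry>();

    private static string RandomHex(int bytes)
    {
        var buf = new byte[bytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return BitConverter.ToString(buf).Replace("-", "");
    }

    private static byte[] Hash(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.ASCII.GetBytes(s));
    }

    // Returns the cookie value "selector:validator". A leaked store does not reveal usable cookies.
    public string Issue(string userName, TimeSpan lifetime)
    {
        string selector = RandomHex(16), validator = RandomHex(32);
        _bySelector[selector] = new Entry { UserName = userName, ValidatorHash = Hash(validator), ExpiresUtc = DateTime.UtcNow + lifetime };
        return selector + ":" + validator;
    }

    // Returns the user name for a valid cookie, otherwise null.
    public string Redeem(string cookieValue)
    {
        string[] parts = (cookieValue ?? "").Split(':');
        if (parts.Length != 2 || !_bySelector.TryGetValue(parts[0], out Entry e)) return null;
        _bySelector.Remove(parts[0]);               // single use, also when validation fails
        if (e.ExpiresUtc < DateTime.UtcNow) return null;
        byte[] given = Hash(parts[1]);
        int diff = 0;                               // compare without an early exit
        for (int i = 0; i < given.Length; i++) diff |= given[i] ^ e.ValidatorHash[i];
        return diff == 0 ? e.UserName : null;
    }
    public static void Main()
    {
        var store = new RememberMeStore();
        string cookie = store.Issue("bob", TimeSpan.FromDays(14));
        Console.WriteLine(store.Redeem(cookie) ?? "(rejected)");   // first presentation of the cookie
        Console.WriteLine(store.Redeem(cookie) ?? "(rejected)");   // replay of the same cookie
    }
}
```

In an ASP.NET page the value returned by `Issue` would be sent in an `HttpCookie` with `HttpOnly` and `Secure` set, and a successful `Redeem` would be followed by issuing a fresh token for the next visit.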