tags:

views:

18

answers:

1
Q: 

How to deal with arrays of data in cookies

Hi all,

I want to store data in a cookie and I am not exactly sure how I will go about it.

The data is the UserName, and Password values for the users that are logging into a website, e.g. sometime like this

  UserName = bob, Password=Passw0rd1
  UserName = harry, Password=BLANK
  UserName = george, Password=R0jjd6s

What this means is that bob and george logged into the site and chose to have their password remembered, but harry chose for his password not to be remembered.

So on the login dialog a dropdown will be present with all the usernames in it 'bob', 'harry', 'george'. If they select the username bob the password will automatically be filled in, etc.

So how does that information need to be stored in the cookie? Like it is above, or does it have to be,

  UserName1 = bob, Password1=Passw0rd1
  UserName2 = harry, Password2=BLANK
  UserName3 = george, Password3=R0jjd6s

Are the username and password values actually stored in the same cookie, or is each piece of data separate? Any information would be good.

+1  A: 

As far as whether or not all information should be stored in a single cookie or multiple cookies depends on how many cookies you plan on creating and whether or not you want all the information to expire at the same time. Generally, for efficiency, you will group related data into a single cookie.

However, it is a bad practice to store passwords in a cookie, since this information would then be plain-text and easily readable by an attacker.

The following link provides some guidance on cookies and asp.net.

Ben.Vineyard  2010-05-03 22:32:20
OK, so how does it work then if I select the option to 'Stay signed in' in gmail for example? I will have a look at the link too.
peter  2010-05-03 22:37:48
Right the link says to 'not do it'
peter  2010-05-03 22:38:31
peter  2010-05-03 22:42:53
As far as how gmail accomplishes this, I couldn't say, but I am confident that they are not storing plain-text passwords in a cookie. Most likely they are storing an authentication token in a cookie, which is specific to the current session and passing this information along with the request, to identify the user. I would recommend that you have a look at Forms Authentication. It will make your life easier. More info @ http://www.asp.net/learn/security/tutorial-02-cs.aspx.
Ben.Vineyard  2010-05-03 22:46:07
The gmail link only states that they use a cookie and _not_ what is actually stored in the cookie. You can still use cookies. I am not advocating against the use of cookies. I am simply recommending that you not store any sensitive information in plain-text form in the cookie.
Ben.Vineyard  2010-05-03 22:49:32
Yep sure. Thanks for that. I will have to re-assess the situation.
peter  2010-05-03 22:53:21

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?