This is a 'remember me' login page. The HTML code is as below:
ASP.NET
<div>
   <asp:TextBox ID="txtUserName" runat="server"></asp:TextBox>
</div>

<div>
   <asp:TextBox ID="txtPwd" TextMode="Password" runat="server"></asp:TextBox>
</div>

<div>
   <asp:CheckBox ID="cbRememberMe" runat="server" Text="Remember Me" />
   <asp:Button ID="btnLogin" runat="server" Text="Login" OnClick="btnLogin_Click" />
  <br />
  <asp:Label ID="lblMsg" runat="server" ForeColor="Red" Text=""></asp:Label>
</div>

As the title says, I enable 'RememberMe' when I log in to the system on the login page, and add the login information to the cookies.
C#
HttpCookie cookie = new HttpCookie("USER_COOKIE");
if (this.cbRememberMe.Checked) {
    // Set the user's nickname and password
    cookie.Values.Add("Name", txtUserName.Text);
    cookie.Values.Add("Pwd", txtPwd.Text);

    // Set the cookie to expire in 7 days
    cookie.Expires = System.DateTime.Now.AddDays(7.0);
    // Save the user's cookie
    HttpContext.Current.Response.Cookies.Add(cookie);
}

Then I bind the login information to the username textbox and the password textbox in the Page_Load event.

C#
protected void Page_Load(object sender, EventArgs e) {
    // Run the following only when this is not a postback
    if (!IsPostBack) {
        // Read the cookie stored last time
        HttpCookie cookies = Request.Cookies["USER_COOKIE"];
        // If the cookie exists and has subkeys, read it
        if (cookies != null && cookies.HasKeys) {
            txtUserName.Text = cookies["Name"];
            // Assign the password box value
            txtPwd.Attributes.Add("value", cookies["Pwd"]);
            // And tick the Remember Me checkbox
            this.cbRememberMe.Checked = true;
        }
    }
}

When I open the login page next time, the values of the login name and password are both bound to the textbox controls.

Now the issue is:
When I open the login page next time and click 'view source' in the page with the right mouse button, the password value shows in the textbox:
HTML
<div>
 <input name="txtPwd" type="password" id="txtPwd" value="124212" />
</div>

'124212' is the login password used for testing.

As you know, this is not safe in a web system.
I tried to initialize the textbox value with a temporary value in Page_Load, as in this code:
C#
// If the cookie exists and has subkeys, read it
if (cookies != null && cookies.HasKeys) {
    txtUserName.Text = cookies["Name"];
    // Assign the password box value
    txtPwd.Attributes.Add("value", "1234567890");
    // And tick the Remember Me checkbox
    this.cbRememberMe.Checked = true;
}

Then I continue to use the cookie object in other pages.

Does anybody know a better method to deal with this? Thanks!

How about encrypting the password?

Then you don't have to worry about it being visible. It will not prevent the user from accessing the site, only from knowing your password. If someone sets Remember me on a public (library? internet café) computer, well, tough luck.

Encrypting passwords

Comments
carono 23-Dec-14 4:08am
Thanks, Sinisa. You provided a good answer to my question. But I always think that important information (such as passwords, bank cards and so on) should not be visible even when it is encrypted data, because it also provides a possibility to be attacked.
But the method is still a good one, I will consider it. Thanks, Sinisa.
carono 23-Dec-14 4:11am
And thanks for your link about encrypting passwords ~~

You don't need to store the password. You can follow these steps:

  1. When a user logs in and selects 'Remember Me', generate a unique (and complex) secret key for the user.
  2. Store this key in a cookie, and somewhere on your server (in a database for example). Make sure that you can check which user belongs to this key.
  3. When the user visits your website next time, check whether the cookie exists. If it does, look at the content and check which user is associated with the secret key. Then that user can automatically be logged on.

With those steps, you don't need to store a password in the cookie, not even the encrypted password. Make sure that the key is complex and unique enough, to make sure that crackers don't try some random keys to get in.
Comments
carono 23-Dec-14 4:28am
FOX, you mean that I just need to check the cookie in every page or the base page?
And you mean that I don't need to care about the login page if the cookie exists. Then the system will redirect to the login page if the cookie does not exist.

Do I understand your mind right, FOX?
I think so. It is really what I want to do. Good idea, FOX. Thanks.
Thomas Daniels 23-Dec-14 4:30am    
You don't need to check it on every page; the first time he visits the page when the previous session has been stopped (after the browser closed), then you have to check and if it exists and if the key is correct, then you can log on, and you don't have to check anymore until the session stops next time.
carono 23-Dec-14 5:21am
OK, thanks, FOX. I will try ~~
carono 23-Dec-14 6:23am
Hi Fox, I have a little question.
If the user logs out from the website or closes the browser, I will let the cookie expire and delete the key-user record from the database.
But if the user logs in next time, should I do the same work (as you said in steps 1, 2, 3) again?
Thx.
Thomas Daniels 23-Dec-14 6:25am    
Yes. When the cookie and the key don't exist anymore, you'll have to repeat all steps.
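
The three steps from the second answer, plus the logout cleanup discussed in its comments, as an added example that is not code from any poster in this thread. `RememberMeStore`, `Issue`, `Validate` and `Revoke` are hypothetical names, the dictionary stands in for the database table, and keeping only a SHA-256 hash of the key on the server is an extra hardening step that the answer does not mention.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: in-memory stand-in for the server-side "key -> user" table.
public class RememberMeStore
{
    private class Entry { public string User; public DateTime ExpiresUtc; }
    // Keyed by the hash of the token, so a leaked table cannot be replayed as cookies.
    private readonly Dictionary<string, Entry> _byHash = new Dictionary<string, Entry>();

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
    // Steps 1 and 2: create a random 256-bit key and record which user owns it.
    // The returned hex string is the only value that goes into the cookie.
    public string Issue(string user, TimeSpan lifetime)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = BitConverter.ToString(raw).Replace("-", "");
        _byHash[Hash(token)] = new Entry { User = user, ExpiresUtc = DateTime.UtcNow + lifetime };
        return token;
    }
    // Step 3: map the cookie value back to a user; null if unknown or expired.
    public string Validate(string token)
    {
        Entry e;
        if (string.IsNullOrEmpty(token) || !_byHash.TryGetValue(Hash(token), out e)) return null;
        if (e.ExpiresUtc < DateTime.UtcNow) { _byHash.Remove(Hash(token)); return null; }
        return e.User;
    }
    // Logout: delete the server-side record so the old cookie value is worthless.
    public void Revoke(string token) { if (!string.IsNullOrEmpty(token)) _byHash.Remove(Hash(token)); }
}

public static class Demo
{
    public static void Main()
    {
        var store = new RememberMeStore();
        string cookieValue = store.Issue("carono", TimeSpan.FromDays(7)); // constructed sample user
        Console.WriteLine(store.Validate(cookieValue) ?? "(no user)");    // known key
        store.Revoke(cookieValue);
        Console.WriteLine(store.Validate(cookieValue) ?? "(no user)");    // after logout
        Console.WriteLine(store.Validate("guessed-value") ?? "(no user)"); // random guess
    }
}
```

In the WebForms page from the question, the string returned by `Issue` would replace the `Name` and `Pwd` values in `USER_COOKIE`, and the cookie would be sent with `HttpCookie.HttpOnly` and `HttpCookie.Secure` set to `true`.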

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)