Click here to Skip to main content
14,696,276 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
Hi,
I have written the following code, I do not know what is the best way to get the user name and password retrieved the next time the user logs in.
Below is the action i call when user submits the user id and password:

[ValidateAntiForgeryToken]
        [HttpPost]
        [AllowAnonymous]
        public ActionResult Login(Login loginUser,string ReturnUrl = "")
        {
            ViewBag.loginErrorMsg = string.Empty;
            #region Style 1
            if (ModelState.IsValid)
            {
                if (loginUser.Username != null && IsAuthenticated(loginUser))
                {
                    var authTicket = new FormsAuthenticationTicket(
                                                  1,
                                                  loginUser.Username,  //user id
                                                  DateTime.Now,
                                                  DateTime.Now.AddMinutes(20),  // expiry
                                                  loginUser.RemeberMe,  //true to remember
                                                  "", //roles 
                                                  "/"
                                                );

                    //encrypt the ticket and add it to a cookie
                    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
                    Response.Cookies.Add(cookie);
                    FormsAuthentication.RedirectFromLoginPage(loginUser.Username, false);
                }
                else
                {
                    ViewBag.loginErrorMsg = Constants.LoginErrMsg;
                }
            }
            #endregion

            ModelState.Remove("Password");
            return View();
        }


Although i tried various ways to retrieve the password they did not help.
The code at the Login view action is simple as of now:

[AllowAnonymous]
      public ActionResult Login()
      {
          return View("Login");
      }



I am not getting the password in the action Login(). Please let me know how can i retrieve the saved password in case the user checked in remember me in his previous login.
[^]
Posted
Updated 6-Oct-15 2:32am
v2
Comments
John C Rayan 6-Oct-15 7:43am
   
Are you sure about this code? IsAuthenticated(loginUser).
Shouldn't be !IsAuthenticated(loginUser)
tewari.nivedita@gmail.com 6-Oct-15 9:32am
   
IsAuthenticated is good. Cookie is created only when user is a valid user only.
therefore if (loginUser.Username != null && IsAuthenticated(loginUser))
IsAuthenticated(loginUser) - true for valid users
Sinisa Hajnal 6-Oct-15 7:54am
   
Is cookie created?
Does it contain the ticket?
Can you read the cookie on next login?
Is the ticket still valid?
tewari.nivedita@gmail.com 6-Oct-15 9:33am
   
Cookie is created and encrypted also. I can't read the cookie at next login. I don't think the ticket is valid till next login.

1 solution

If you're going to manually create the authentication cookie, then you need to make sure it's set to "HTTP only". This ensures that the cookie cannot be stolen via a Cross-Site Scripting vulnerability.

If you want the user to be remembered, then simply increase the duration of the authentication ticket:
DateTime utcNow = DateTime.UtcNow;

DateTime utcExpires = loginUser.RemeberMe 
    ? utcNow.AddDays(5) 
    : utcNow.AddMinutes(20);

var authTicket = new FormsAuthenticationTicket(
    2,
    loginUser.Username,
    utcNow,
    utcExpires,
    loginUser.RemeberMe,
    string.Empty,
    "/"
);

HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
cookie.HttpOnly = true;

if (loginUser.RemeberMe)
{
    cookie.Expires = authTicket.Expiration;
}

Response.Cookies.Add(cookie);

Attempting to "remember" the user's password is an extremely bad idea, and will lead to serious security vulnerabilities in your application.

How to build (and how not to build) a secure "remember me" feature | Troy Hunt[^]
   
Comments
tewari.nivedita@gmail.com 6-Oct-15 9:57am
   
Thanks Richard, i don't want to built it in this way in case it is a threat. Please could you suggest me a better way in which i can give the remember me option in a secure way to my MVC application?
Richard Deeming 6-Oct-15 10:02am
   
Yes - read this[^].

Then read this[^].

What you are asking for is going to be a much bigger security vulnerability than extending the duration of the authentication ticket, however you implement it.
tewari.nivedita@gmail.com 7-Oct-15 4:45am
   
hi Richard, I tried the above but i was not able to keep the cookie session after Logout. Anyways i am not going to use remember me feature so not really an issue.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900