Login through cookies

Forums are full of questions about how to implement login cookies manually, or in other words how to implement a "Remember me" option.

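The following code gives an idea of how to achieve this. Whatever is written to a cookie is stored on the user's machine and sent with every request, so a login cookie should carry only a random token that the server can validate and revoke, never the user name and password themselves.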

Controls used
1. TextBox, ID = TbUserName
2. TextBox, ID = TbPassword
3. CheckBox, ID = CbRememberMe
4. Button, ID = BtLogin
5. LinkButton, ID = lbSignout

------------------If you are using VB.Net-------------------------

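''' <summary>
''' Login page showing how a "Remember me" option can be built on a persistent cookie.
''' </summary>
''' <remarks>
''' The PBLOGIN cookie carries only a random token. The user name and password are
''' never written to it: a cookie is stored on the user's machine and sent with every
''' request, so anything in it must be treated as readable and modifiable by others.
''' The server is expected to keep a hash of each issued token together with the user
''' it belongs to and its expiry date; that store, like the credential check in
''' VerifyLogin, is left as a placeholder here. ASP.NET forms authentication
''' (FormsAuthentication.SetAuthCookie with a persistent ticket) offers the same
''' feature ready-made.
''' </remarks>
Partial Class _Default
    Inherits System.Web.UI.Page

    'Name of the persistent "remember me" cookie
    Private Const RememberMeCookieName As String = "PBLOGIN"
    'Lifetime of the cookie (and of the server-side token record) in days
    Private Const RememberMeDays As Integer = 30

    ''' <summary>
    ''' On the first request, tries to sign the user in from the remember-me cookie.
    ''' </summary>
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        'Only try the automatic login on the first request, not on postbacks
        If IsPostBack Then
            Return
        End If

        'Check if the browser support cookies
        If Not Request.Browser.Cookies Then
            Return
        End If

        'Check if the cookie with name PBLOGIN exists on user's machine
        Dim cookie As System.Web.HttpCookie = Request.Cookies(RememberMeCookieName)
        If cookie Is Nothing Then
            Return
        End If

        'The cookie value comes from the client: treat it as untrusted and let the server decide
        If String.IsNullOrEmpty(cookie.Value) OrElse Not Me.VerifyRememberMeToken(cookie.Value) Then
            'Unknown, expired or malformed value: remove the cookie so it is not sent again
            Me.ExpireRememberMeCookie()
        End If
    End Sub

    ''' <summary>
    ''' Handles the login button: checks the credentials typed into the form.
    ''' </summary>
    Protected Sub BtLogin_Click(ByVal sender As Object, ByVal e As System.EventArgs)
        'No cookie is written here. The remember-me cookie is issued only after the
        'credentials have been verified (see the success branch of VerifyLogin), so a
        'failed login never leaves anything behind in the browser.
        Me.VerifyLogin(Me.TbUserName.Text, Me.TbPassword.Text)
    End Sub

    ''' <summary>
    ''' Checks a user name and password; the credential check itself is a placeholder.
    ''' </summary>
    ''' <param name="UserName">User name typed into the login form.</param>
    ''' <param name="Password">Password typed into the login form.</param>
    Protected Sub VerifyLogin(ByVal UserName As String, ByVal Password As String)
        Try
            'If login credentials are correct
                 'If CbRememberMe is checked and Request.Browser.Cookies is True, call IssueRememberMeCookie(UserName)
                 'Redirect to the user page (Response.Redirect(url, False) avoids a ThreadAbortException inside this Try)
            'else
                 'prompt user for invalid password
            'end if
        Catch ex As System.Exception
            'Keep the details on the server; exception text can reveal internals and is not HTML-encoded
            System.Diagnostics.Trace.TraceError(ex.ToString())
            Response.Write("Login failed. Please try again.")
        End Try
    End Sub

    ''' <summary>
    ''' Handles the sign-out link: removes the remember-me cookie.
    ''' </summary>
    Protected Sub lbSignout_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles lbSignout.Click
        'Check if the cookie with name PBLOGIN exists on user's machine
        If (Request.Cookies(RememberMeCookieName) IsNot Nothing) Then
            'Delete the server-side record of this token as well (placeholder), so that
            'a copy of the cookie made earlier stops working after sign-out

            'Expire the cookie
            Me.ExpireRememberMeCookie()
        End If

        'Redirect to the login page
    End Sub

    ''' <summary>
    ''' Creates a new random token for the user and sends it as the remember-me cookie.
    ''' Call this only after the credentials have been verified.
    ''' </summary>
    ''' <param name="userName">User the token is issued for.</param>
    Private Sub IssueRememberMeCookie(ByVal userName As String)
        '32 bytes from the cryptographic random number generator, hex-encoded so the
        'value contains no characters that need escaping in a cookie
        Dim raw(31) As Byte
        Using rng As System.Security.Cryptography.RandomNumberGenerator = System.Security.Cryptography.RandomNumberGenerator.Create()
            rng.GetBytes(raw)
        End Using
        Dim token As String = System.BitConverter.ToString(raw).Replace("-", "")

        'Store a hash of the token, userName and the expiry date on the server (placeholder)

        Dim cookie As New System.Web.HttpCookie(RememberMeCookieName, token)
        cookie.Expires = System.DateTime.UtcNow.AddDays(RememberMeDays)
        'Not readable from script, and only sent over HTTPS
        cookie.HttpOnly = True
        cookie.Secure = True
        Response.Cookies.Add(cookie)
    End Sub

    ''' <summary>
    ''' Validates a token received in the remember-me cookie; placeholder that
    ''' rejects every token until the server-side lookup is implemented.
    ''' </summary>
    ''' <param name="token">Untrusted value read from the cookie.</param>
    ''' <returns>True when the token was accepted and the user signed in.</returns>
    Private Function VerifyRememberMeToken(ByVal token As String) As Boolean
        'Look up the hash of the token in the server-side token store
        'If it exists and has not expired
             'Sign the user in, redirect to the user page and return True
        'end if
        Return False
    End Function

    ''' <summary>
    ''' Tells the browser to delete the remember-me cookie.
    ''' </summary>
    Private Sub ExpireRememberMeCookie()
        Dim expired As New System.Web.HttpCookie(RememberMeCookieName)
        expired.Expires = System.DateTime.UtcNow.AddDays(-30)
        Response.Cookies.Add(expired)
    End Sub
End Class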

------------------If you are using C#.Net-------------------------

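/// <summary>
/// Login page showing how a "Remember me" option can be built on a persistent cookie.
/// </summary>
/// <remarks>
/// The PBLOGIN cookie carries only a random token. The user name and password are
/// never written to it: a cookie is stored on the user's machine and sent with every
/// request, so anything in it must be treated as readable and modifiable by others.
/// The server is expected to keep a hash of each issued token together with the user
/// it belongs to and its expiry date; that store, like the credential check in
/// VerifyLogin, is left as a placeholder here. ASP.NET forms authentication
/// (FormsAuthentication.SetAuthCookie with a persistent ticket) offers the same
/// feature ready-made.
/// </remarks>
partial class _Default : System.Web.UI.Page
{
    //Name of the persistent "remember me" cookie
    private const string RememberMeCookieName = "PBLOGIN";
    //Lifetime of the cookie (and of the server-side token record) in days
    private const int RememberMeDays = 30;

    /// <summary>
    /// On the first request, tries to sign the user in from the remember-me cookie.
    /// </summary>
    protected void Page_Load(object sender, System.EventArgs e)
    {
        //Only try the automatic login on the first request, not on postbacks
        if (IsPostBack)
        {
            return;
        }

        //Check if the browser support cookies
        if (!Request.Browser.Cookies)
        {
            return;
        }

        //Check if the cookie with name PBLOGIN exists on user's machine
        System.Web.HttpCookie cookie = Request.Cookies[RememberMeCookieName];
        if (cookie == null)
        {
            return;
        }

        //The cookie value comes from the client: treat it as untrusted and let the server decide
        if (string.IsNullOrEmpty(cookie.Value) || !this.VerifyRememberMeToken(cookie.Value))
        {
            //Unknown, expired or malformed value: remove the cookie so it is not sent again
            this.ExpireRememberMeCookie();
        }
    }

    /// <summary>
    /// Handles the login button: checks the credentials typed into the form.
    /// </summary>
    protected void BtLogin_Click(object sender, System.EventArgs e)
    {
        //No cookie is written here. The remember-me cookie is issued only after the
        //credentials have been verified (see the success branch of VerifyLogin), so a
        //failed login never leaves anything behind in the browser.
        this.VerifyLogin(this.TbUserName.Text, this.TbPassword.Text);
    }

    /// <summary>
    /// Checks a user name and password; the credential check itself is a placeholder.
    /// </summary>
    /// <param name="UserName">User name typed into the login form.</param>
    /// <param name="Password">Password typed into the login form.</param>
    protected void VerifyLogin(string UserName, string Password)
    {
        try
        {
             //If login credentials are correct
                  //If CbRememberMe is checked and Request.Browser.Cookies is true, call IssueRememberMeCookie(UserName)
                  //Redirect to the user page (Response.Redirect(url, false) avoids a ThreadAbortException inside this try)
             //else
                  //prompt user for invalid password
             //end if
        }
        catch (System.Exception ex)
        {
            //Keep the details on the server; exception text can reveal internals and is not HTML-encoded
            System.Diagnostics.Trace.TraceError(ex.ToString());
            Response.Write("Login failed. Please try again.");
        }
    }

    /// <summary>
    /// Handles the sign-out link: removes the remember-me cookie.
    /// </summary>
    protected void lbSignout_Click(object sender, System.EventArgs e)
    {
        //Check if the cookie with name PBLOGIN exists on user's machine
        if (Request.Cookies[RememberMeCookieName] != null)
        {
            //Delete the server-side record of this token as well (placeholder), so that
            //a copy of the cookie made earlier stops working after sign-out

            //Expire the cookie
            this.ExpireRememberMeCookie();
        }

        //Redirect to the login page
    }

    /// <summary>
    /// Creates a new random token for the user and sends it as the remember-me cookie.
    /// Call this only after the credentials have been verified.
    /// </summary>
    /// <param name="userName">User the token is issued for.</param>
    private void IssueRememberMeCookie(string userName)
    {
        //32 bytes from the cryptographic random number generator, hex-encoded so the
        //value contains no characters that need escaping in a cookie
        byte[] raw = new byte[32];
        using (System.Security.Cryptography.RandomNumberGenerator rng = System.Security.Cryptography.RandomNumberGenerator.Create())
        {
            rng.GetBytes(raw);
        }
        string token = System.BitConverter.ToString(raw).Replace("-", "");

        //Store a hash of the token, userName and the expiry date on the server (placeholder)

        System.Web.HttpCookie cookie = new System.Web.HttpCookie(RememberMeCookieName, token);
        cookie.Expires = System.DateTime.UtcNow.AddDays(RememberMeDays);
        //Not readable from script, and only sent over HTTPS
        cookie.HttpOnly = true;
        cookie.Secure = true;
        Response.Cookies.Add(cookie);
    }

    /// <summary>
    /// Validates a token received in the remember-me cookie; placeholder that
    /// rejects every token until the server-side lookup is implemented.
    /// </summary>
    /// <param name="token">Untrusted value read from the cookie.</param>
    /// <returns>true when the token was accepted and the user signed in.</returns>
    private bool VerifyRememberMeToken(string token)
    {
        //Look up the hash of the token in the server-side token store
        //If it exists and has not expired
             //Sign the user in, redirect to the user page and return true
        //end if
        return false;
    }

    /// <summary>
    /// Tells the browser to delete the remember-me cookie.
    /// </summary>
    private void ExpireRememberMeCookie()
    {
        System.Web.HttpCookie expired = new System.Web.HttpCookie(RememberMeCookieName);
        expired.Expires = System.DateTime.UtcNow.AddDays(-30);
        Response.Cookies.Add(expired);
    }

}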

4 Comments

  • Storing username/password in a cookie is a BIG security risk. In this case, at least you required the password too; most places just store the username and can easily be hacked by changing it and revisiting the site.

    Either, keep a listing of valid GUIDs/hashs that represent successful login "tokens" for the user and store that in the cookie, or encrypt the username/password with a X509 certificate public key.

    Also don't store it in the cookie as something like UNAME, UPASS, UID, PWD, PASS, etc... use something that isn't obvious like UX, TX, GOLF, SHOE_SIZE, etc...

  • If you think about storing a username in a cookie, then don't forget to also put a single way hash to secure the username so it cannot be tampered with.

  • I do understand the importance of encryption, certificates and other security measures, but the above is just a walkthrough of how one can implement cookies; it contains a very basic idea and understandable naming conventions, without complication, so that it is easier for beginners to understand. Anyway, thanks for your comments; at least those who read this blog will also consider security measures.

  • I'm really impressed with your writing skills as well as with the layout on your weblog. Is this a paid theme or did you customize it yourself? Anyway keep up the nice quality writing, it's rare to see a great blog like this one today..
