Here’s the problem: I’m developing a desktop application to interface with a server, and the client has to log in. Something like with Skype or IM applications. I want to give the client the option of being logged in automatically, ie. no need to type in their credentials every time the applications loads.
How can I achieve this, while protecting the client’s information?
Thank you, I’ve been pondering this problem for days now and I can’t seem to come up with a solution. Any help or guidance would be gold at this stage.
If you are using a secure communication channel to the server (like using SSL, for instance) then you could send the username and a hash of the password (using a cryptographically secure hash function like SHA-512 – there’s no known feasible collision or preimage attacks).
What you save locally is the username and the hash of the password. Given that the communication channel to the server is secure nobody else will see the information sent (no replay attack possible). And using a cryptographically secure hash function means that it’s a one-way function, no “going back” to the original input.
Another way would be to get a token of authentication from the server upon successful login. Then the protocol could accept authentication of user combined with the token within a certain duration of time. Then you don’t have to store the hash of the password locally, only the username and the token. Thus if somebody gets the token it will expire at some point. But bear in mind that the token should not be reissued using another token, only with a correct username/password combination. Additionally, the user should not be able to change/see the password if logged in using a token either. If you want to go even further then you could also restrict the token to only work from certain IP address(es).