I’m developing a mobile-oriented website using ASP.NET. This website will consume some web services requiring a username and password to be sent for each call. For this, I will need to store the credentials that the user will use on the login form, on the client. What are the best practices?
I wonder how I should save the username and password locally keeping an acceptable level of security.
I was thinking about encrypting the credentials in C# and then storing the encrypted value in the localStorage of the browser. Would it be “secured”?
Another question: is it possible to store in the localStorage using C# to trigger JavaScript?
Thanks.
Don’t do it would be the best practice.
Seriously, malware on mobile devices is so high these days, I wouldn’t store anything sensitive on them. Plus it’s very easy to lose a mobile device, and then who’s going to have the login info?
Even on normal websites, there’s usually a “remember me” option and it’s up to the USER to determine if they want to save it if they want, not the web developer.
In the case of a “remember me” checkbox, the user’s credentials are usually stored in a cookie. Not the most secure thing in the world. http://www.wisegeek.com/is-it-safe-to-select-the-remember-me-on-this-computer-checkbox-with-online-accounts.htm
Some websites use a Windows login or something similar, where there’s an actual login prompt, and that’s all handled by the browser, again, not by the web developer.
If you were developing a true mobile app, THEN it would be up to you to store the password securely. But not for a mobile website.
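The following is an added example, not part of the thread or written by its posters: one way to offer “remember me” without putting the username or password in a cookie or localStorage is to give the browser a random, revocable token and keep only its hash on the server. The class name `RememberMeTokens`, its methods and the in-memory store are hypothetical, and the sketch assumes the site keeps whatever it needs for its web-service calls on the server side.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the thread): the browser holds only a random,
// revocable token in a cookie, never the username or password.
public class RememberMeTokens
{
    private class Entry { public string User; public DateTime ExpiresUtc; }

    // Keyed by SHA-256 of the token so a leaked store yields no usable tokens.
    // In-memory and not thread-safe: a real site would use its database.
    private readonly Dictionary<string, Entry> _store = new Dictionary<string, Entry>();

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Call after a successful login with "remember me" ticked; send the result
    // to the browser in a cookie flagged HttpOnly and Secure.
    public string Issue(string user, TimeSpan lifetime)
    {
        var raw = new byte[32]; // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        _store[Hash(token)] = new Entry { User = user, ExpiresUtc = DateTime.UtcNow + lifetime };
        return token;
    }

    // Returns the user name for a live token, or null if unknown or expired.
    public string Validate(string token)
    {
        Entry e;
        if (string.IsNullOrEmpty(token) || !_store.TryGetValue(Hash(token), out e)) return null;
        if (e.ExpiresUtc <= DateTime.UtcNow) { _store.Remove(Hash(token)); return null; }
        return e.User;
    }

    // Lost phone or logout: drop every token issued to that user.
    public void RevokeAll(string user)
    {
        var dead = new List<string>();
        foreach (var kv in _store) if (kv.Value.User == user) dead.Add(kv.Key);
        foreach (var k in dead) _store.Remove(k);
    }
}
```

If the device is lost, calling `RevokeAll` for that user invalidates the stored cookie without the password ever having been on the phone.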