Using ASP.NET MVC, Entity framework, jQuery. I want to give users the ability to automatically log in if they have clicked “Remember me”, The approach I’ve come up with is:
- When a user logs in
- Hash PW and store in DB
- If, when the user logs in, they tick ‘remember me’: create a cookie with an encrypted UserID, then some sort of separator, and the hashed PW.
Then the next time the user comes back, I can check for their cookie, and if it exists I log them in with AJAX. If the user logs out I of course delete their cookie.
Is this the correct way to accomplish the automatic log in functionality?
I guess my hashing function and User ID encrypting func will be server side, and to create the cookie I’ll call that function via AJAX, then create it.
Is this best practice?
Thank you
Your approach (having a cookie with a value indicating the user is logged in) is fairly standard.
What is not standard is storing the hashed username and password (in particular the password) – not sure why you would need to, and since cookies are transmitted in clear text (for http connections), you are giving anyone between your site and the user the ability to see the password hash and a chance to break it in order to get the password.
Instead of a password hash, create a unique “loggedIn” token (say a GUID) that you store in the cookie – this is what you compare to in order to determine whether a user is logged in.
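As an added illustration of the token scheme the answer recommends (this is example code written for this page, not code from the asker or the answerer), the class below issues a random "remember me" token on login, stores only a hash of it server side, and looks it up on later requests. It goes one step past the answer's plain GUID: the cookie value is split into a non-secret selector (the DB lookup key) and a secret validator whose SHA-256 is what the table holds, so a leaked copy of the table cannot be replayed as a cookie. The `RememberMe` cookie name, the `PersistentLogins`-style in-memory table and the 30-day lifetime are assumptions; `HttpCookie` is the classic ASP.NET (System.Web) type used by MVC 5 controllers.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web; // HttpCookie, classic ASP.NET MVC (System.Web.dll)

// Added example for this page: persistent-login tokens instead of a password hash in the cookie.
public static class RememberMeTokens
{
    private const string CookieName = "RememberMe";                 // assumed cookie name
    private static readonly TimeSpan Lifetime = TimeSpan.FromDays(30); // assumed lifetime

    // One row of the (hypothetical) persistent-logins table. Only the hash of the
    // validator is stored, never the validator itself.
    private sealed class Row
    {
        public int UserId;
        public byte[] TokenHash;
        public DateTime ExpiresUtc;
    }

    // In-memory stand-in for the DB table, keyed by selector.
    private static readonly Dictionary<string, Row> Table = new Dictionary<string, Row>();

    // Call on a successful login when "remember me" is ticked; add the result to Response.Cookies.
    public static HttpCookie IssueCookie(int userId)
    {
        string selector = Convert.ToBase64String(RandomBytes(12)); // lookup key, not secret
        byte[] validator = RandomBytes(32);                        // the secret; only its hash is stored
        Table[selector] = new Row
        {
            UserId = userId,
            TokenHash = Sha256(validator),
            ExpiresUtc = DateTime.UtcNow.Add(Lifetime),
        };
        return new HttpCookie(CookieName, selector + ":" + Convert.ToBase64String(validator))
        {
            HttpOnly = true,  // page script cannot read it
            Secure = true,    // only sent over HTTPS, which addresses the clear-text point in the answer
            Expires = DateTime.UtcNow.Add(Lifetime),
        };
    }

    // Call on requests that carry the cookie but no authenticated session.
    // Returns the user id, or null when the cookie is missing, malformed, expired or unknown;
    // on null the caller should delete the cookie.
    public static int? Validate(string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue)) return null;
        int sep = cookieValue.IndexOf(':');
        if (sep <= 0) return null;
        string selector = cookieValue.Substring(0, sep);

        byte[] validator;
        try { validator = Convert.FromBase64String(cookieValue.Substring(sep + 1)); }
        catch (FormatException) { return null; }

        Row row;
        if (!Table.TryGetValue(selector, out row)) return null;
        if (row.ExpiresUtc < DateTime.UtcNow) { Table.Remove(selector); return null; }

        // Constant-time comparison so response timing does not reveal how many bytes matched.
        if (!FixedTimeEquals(Sha256(validator), row.TokenHash)) return null;
        return row.UserId;
    }

    // Call on logout: invalidate server side as well as deleting the browser cookie,
    // otherwise a copied cookie keeps working after the user has logged out.
    public static void Revoke(string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue)) return;
        int sep = cookieValue.IndexOf(':');
        if (sep > 0) Table.Remove(cookieValue.Substring(0, sep));
    }

    private static byte[] RandomBytes(int count)
    {
        var buffer = new byte[count];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buffer);
        return buffer;
    }

    private static byte[] Sha256(byte[] data)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(data);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Controller usage (assumed):
//   login:   Response.Cookies.Add(RememberMeTokens.IssueCookie(user.Id));
//   request: var c = Request.Cookies["RememberMe"]; int? uid = RememberMeTokens.Validate(c == null ? null : c.Value);
//   logout:  RememberMeTokens.Revoke(c == null ? null : c.Value); then expire the cookie in the response.
```

Because the validator is generated server side and never derived from the password, the cookie grants nothing beyond the session it represents, and changing the password or logging out can revoke it without touching the user's credentials.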