VB.Net Saving a hashed Password

Hi Experts.  
I am completing an app that requires user authentication with a hashed password saved in the database.
I understand the principle of hashing a password and saving the hash of the password, so that when a user logs on again the newly entered password is hashed again and that is compared to the previously saved hashed password.
I also understand that the hashed password cannot be de-hashed and so it is saved securely.
However, when a user wants to click "Remember Me" and expects his password to be saved so that he does not have to keep entering it every time he logs in, how and where do we save that? Many thanks for any assistance.
LVL 2
PNRT Asked:

David Johnson, CD, MVP (Owner) Commented:
You set a persistent cookie:
bool persist = true; // persistent cookie survives the browser session
var cookie = FormsAuthentication.GetAuthCookie(loginUser.ContactId, persist);
cookie.Expires = DateTime.Now.AddMonths(3);
var ticket = FormsAuthentication.Decrypt(cookie.Value);
var userData = "store any string values you want inside the ticket that will be encrypted";
var newTicket = new FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent, userData);
cookie.Value = FormsAuthentication.Encrypt(newTicket);
Response.Cookies.Add(cookie);


You read the cookie:
string userId = null;
if (this.Context.User.Identity.IsAuthenticated) 
{
    userId = this.Context.User.Identity.Name;
}

http://bit.ly/1OitGRi
0
PNRT (Author) Commented:
Thanks for the reply David. I forgot to mention that this was a Windows Forms app. Is this method still appropriate?
0
David Johnson, CD, MVP (Owner) Commented:
Then WHY have a userid/password in the first place if you don't want the user to use it? In a Windows application you already know the user's identity, and within your application you can allow/disallow the user to do things based upon their identity.
0
Olaf Doschke (Software Developer) Commented:
In answer to both of you: I work for a customer using PCs for several users, and they don't necessarily switch Windows sessions, so there is a user database in addition to Active Directory and application logins.

David Johnson used cookies, which is obviously a solution for web apps, but you can store the same data in the user registry, can't you?

The general solution browsers use to autofill form controls is even worse, storing values unencrypted. Each user's registry is only readable by that user (though that does not apply in my case, as two users might share a Windows account), but that's obviously not very secure. Sites with a remember me feature rather store a cookie, in the best cases with some encrypted info.

Anyway, if users always work in their own Windows account you can simply check Environment.UserName (logged-in user) or (think of processes started with RUN AS) System.Security.Principal.WindowsIdentity.GetCurrent().Name.

The current WindowsIdentity has more than just the username in other properties, but also in the Name property you have the Domain/Username.

Bye, Olaf.
0
PNRT (Author) Commented:
Simple really, not all users are on the same domain, and some are on stand-alone devices in different areas of the country. Additionally, some users may well log into the app from shared devices that they have not logged in to. By far the simplest way would be an individual login per user, which was the original question.
0
PNRT (Author) Commented:
Thanks Olaf, please see my later comments above. Apart from the different domains, it is the different Windows sessions that create the problem. David's comment as to WHY seems to be obvious in its answer. The data is confidential and I'm looking for the safest way. I couldn't imagine that there wasn't a Windows app somewhere that hadn't come across this problem. In regards to your comments re the registry, yes of course the password could be stored there, but it would not be secure in all the different scenarios I have mentioned. From your comments I'm thinking that under the circumstances, maybe the best might be encrypting the password, saving it to the registry and then decrypting it before checking at login. Not great though.
0
PNRT (Author) Commented:
Actually, just thought, even that won't work if the user logs in from another machine. Would have to be in the DB!!!!
0
Olaf Doschke (Software Developer) Commented:
I understand why you think so, but this isn't going to work.
Any "remember me" functionality needs to have a way of detecting who's using a website or application. You can't just store RememberMe=true/1/yes at the central database for some user, or even anything more complex, and then not prompt for login; you need to re-identify the user. How would you detect which user is using your app without the login? Without even entering the user name? So that type of feature is done via cookies or some token stored at the client side in a session started via a normal login. And it can't work by only storing something in your central database.

The simplest case of the remember me functionality is doing the login process automatically by storing the password in the user's profile, maybe even only in the browser the user uses, so using another browser you are not identified. More sophisticated things work like David Johnson's code, or compute a token valid instead of a login. But it's bound to some user profile, browser or device. It never can only be stored in the server-side database: how would you know who's coming back? The normal process to recognize a user IS the login, and if that should not be done you need something else, and that must come from the client side, so you have to store it there.

One way to make this something (e.g. a token) available to a set of devices would be having some local user data synced between devices, but it would be a bad idea to transfer such a secret, so you rather do that feature per device.

Bye, Olaf.
0
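The per-device token approach Olaf describes, as an added VB.NET example for a Windows Forms app (this is not Olaf's, David's or the asker's code). The server side keeps only a SHA-256 hash of the token with its owner and expiry, so a leaked database does not yield usable tokens; the client keeps the raw token in its local profile, protected with DPAPI so it is only readable from the same Windows account on the same machine. The InMemoryServer class stands in for the central database, and the "MyApp" folder and entropy string are assumptions; on .NET Framework ProtectedData needs a reference to System.Security, on .NET Core the System.Security.Cryptography.ProtectedData package.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Text

' Added example: per-device "remember me" tokens for a WinForms app.
Public Module RememberMe

    ' --- server side: stands in for the central DB / service (assumption) ---
    Public Class InMemoryServer
        ' token hash -> (userId, expiry). Only the hash is ever stored.
        Private ReadOnly tokens As New Dictionary(Of String, Tuple(Of String, DateTime))()

        ' Called after a successful password login when "Remember Me" was ticked.
        ' Returns the raw token exactly once; the server never keeps it.
        Public Function IssueToken(userId As String, lifetime As TimeSpan) As Byte()
            Dim token(31) As Byte
            Using rng = RandomNumberGenerator.Create()
                rng.GetBytes(token)
            End Using
            tokens(HashToken(token)) = Tuple.Create(userId, DateTime.UtcNow.Add(lifetime))
            Return token
        End Function

        ' Returns the user id for a valid, unexpired token, otherwise Nothing.
        Public Function Redeem(token As Byte()) As String
            If token Is Nothing Then Return Nothing
            Dim key = HashToken(token)
            Dim entry As Tuple(Of String, DateTime) = Nothing
            If Not tokens.TryGetValue(key, entry) Then Return Nothing
            If entry.Item2 < DateTime.UtcNow Then
                tokens.Remove(key)
                Return Nothing
            End If
            Return entry.Item1
        End Function

        ' Revoke every device token of a user (password change, "log out everywhere").
        Public Sub RevokeAll(userId As String)
            For Each key In tokens.Where(Function(kv) kv.Value.Item1 = userId).Select(Function(kv) kv.Key).ToList()
                tokens.Remove(key)
            Next
        End Sub

        Private Shared Function HashToken(token As Byte()) As String
            Using sha = SHA256.Create()
                Return Convert.ToBase64String(sha.ComputeHash(token))
            End Using
        End Function
    End Class

    ' --- client side: the WinForms app ---
    ' LocalApplicationData (not Roaming) keeps the token on this one device.
    Private ReadOnly TokenPath As String = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "MyApp", "remember.bin")

    ' Extra entropy ties the blob to this app; CurrentUser scope ties it to the Windows account.
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("MyApp-remember-me-v1")

    Public Sub SaveToken(token As Byte())
        Directory.CreateDirectory(Path.GetDirectoryName(TokenPath))
        File.WriteAllBytes(TokenPath, ProtectedData.Protect(token, Entropy, DataProtectionScope.CurrentUser))
    End Sub

    Public Function LoadToken() As Byte()
        If Not File.Exists(TokenPath) Then Return Nothing
        Try
            Return ProtectedData.Unprotect(File.ReadAllBytes(TokenPath), Entropy, DataProtectionScope.CurrentUser)
        Catch ex As CryptographicException
            ' Different Windows account or tampered file: fall back to a normal login.
            Return Nothing
        End Try
    End Function

    Public Sub ForgetToken()
        If File.Exists(TokenPath) Then File.Delete(TokenPath)
    End Sub

    Sub Main()
        Dim server As New InMemoryServer()

        ' First run: the user logged in with the password and ticked "Remember Me".
        SaveToken(server.IssueToken("alice", TimeSpan.FromDays(30)))

        ' Next start on the same device and Windows account: no password prompt.
        Console.WriteLine("Auto-login as: " & If(server.Redeem(LoadToken()), "(login required)"))

        ' A device without the file (or after logout) must do a normal login.
        ForgetToken()
        Console.WriteLine("After forget:  " & If(server.Redeem(LoadToken()), "(login required)"))
    End Sub
End Module
```

The token is the only secret on the client, so a password change can simply call RevokeAll and every remembered device is sent back to the login form. This does not help with the case Olaf mentions where two people share one Windows account: DPAPI CurrentUser scope protects against other accounts, not against whoever is sitting at the same logged-in session.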