6 Replies - 3991 Views - Last Post: 12 June 2009 - 10:17 AM

#1 eclipsed4utoo

SHA1 Hash to Cookie

Posted 10 June 2009 - 06:22 AM

I am running into an issue when trying to add "Remember Me" functionality to a site. I am trying to accomplish this by saving the UserID (auto-incremented value from database) and the user's password, which is hashed using the SHA1CryptoServiceProvider class.

Now my problem comes when I try to write the password to a cookie.

HttpCookie cookie = new HttpCookie("Login");
cookie.Value = string.Format("UserID={0}&Password={1}", user.ID, user.Hashed_Password);
DateTime now = DateTime.Now.AddDays(1);
cookie.Expires = new DateTime(now.Year, now.Month, now.Day, 3, 0, 0);
Response.Cookies.Add(cookie);



It seems to add the value to the cookie correctly (hashed_password is the same as the password in the "Value").

[?a??????%l?3~???



However, when I try to read from the cookie, I get ..

[?a?????%06?%%0bl?3%1b~???



string password = Convert.ToString(Request.Cookies["Login"]["Password"]);
string password1 = Convert.ToString(Server.HtmlDecode(Request.Cookies["Login"]["Password"]));
string password2 = Convert.ToString(Server.HtmlEncode(Request.Cookies["Login"]["Password"]));



All three ways give me the same value.

Any ideas as to why this doesn't work? Or am I going about this wrong? Is there another way to add the "Remember Me" functionality to a site?

This post has been edited by eclipsed4utoo: 11 June 2009 - 05:24 AM


Replies To: SHA1 Hash to Cookie

#2 eclipsed4utoo

Re: SHA1 Hash to Cookie

Posted 11 June 2009 - 05:24 AM

nobody?

#3 RudiVisser

Re: SHA1 Hash to Cookie

Posted 11 June 2009 - 05:31 AM

The way I do "Remember Me" is to have a separate table of logins, as storing the password client side isn't really secure. It will basically store the username, IP, password and a unique hash; the username and unique hash are stored client side too for comparison.

When they come back to the site, it will check the values, and compare the password from the autologin DB to the current password (because if they've changed their password the autologin should fail...). A simple MD5 hash of random data (as long as it differs from every other autologin) should suffice. Just make sure that there's only ever 1 autologin row for each user, and it changes each time they "refresh" the Remember Me status (IP Change, etc).

Granted there is a flaw in the way I do it, in that it will only work for 1 user per IP, but most users don't see that as an issue. If it really does become a problem, you could do it on partial hostname (of the ISP, for example mine is XXXXXXXXX.XXXXXX.KCOM.COM, could limit it to *.KCOM.COM).

This post has been edited by MageUK: 11 June 2009 - 05:32 AM
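
A minimal version of the server-side token approach described in this reply, added here as an example and not code from any poster in the thread. The class name `AutoLoginStore`, the in-memory dictionary standing in for the logins table, and the `userId:token` cookie layout are assumptions; unlike the reply, the token comes from a cryptographic random generator, only its SHA-256 hash is stored, and no password or IP is kept.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory stand-in for the autologin table: one row per user.
class AutoLoginStore
{
    class Row { public byte[] TokenHash; public DateTime Expires; }
    readonly Dictionary<int, Row> rows = new Dictionary<int, Row>();

    static byte[] Hash(string token)
    {
        using (SHA256 sha = SHA256.Create())
            return sha.ComputeHash(Encoding.ASCII.GetBytes(token));
    }

    // Returns the cookie value "userId:token". Only a hash of the token is kept.
    public string Issue(int userId, DateTime expires)
    {
        byte[] random = new byte[32];
        RandomNumberGenerator.Create().GetBytes(random);
        string token = BitConverter.ToString(random).Replace("-", "");  // hex text
        rows[userId] = new Row { TokenHash = Hash(token), Expires = expires };
        return userId + ":" + token;
    }

    // Valid cookie: replaces the row and returns a fresh value. Otherwise null.
    public string ValidateAndRotate(string cookieValue, DateTime now)
    {
        string[] parts = (cookieValue ?? "").Split(':');
        int userId; Row row;
        if (parts.Length != 2 || !int.TryParse(parts[0], out userId)) return null;
        if (!rows.TryGetValue(userId, out row) || now >= row.Expires) return null;
        byte[] candidate = Hash(parts[1]);
        int diff = 0;
        for (int i = 0; i < candidate.Length; i++)
            diff |= candidate[i] ^ row.TokenHash[i];   // no early exit on mismatch
        return diff == 0 ? Issue(userId, row.Expires) : null;
    }

    // Call on password change or logout so an old cookie stops working.
    public void Revoke(int userId) { rows.Remove(userId); }

    static void Main()
    {
        AutoLoginStore store = new AutoLoginStore();
        DateTime expires = DateTime.Today.AddDays(1).AddHours(3);   // 3 AM tomorrow
        string first = store.Issue(42, expires);                    // constructed user id
        string second = store.ValidateAndRotate(first, DateTime.Now);
        Console.WriteLine("fresh cookie accepted: {0}", second != null);
        // Replaying the value that was already rotated out must fail.
        Console.WriteLine("old cookie rejected: {0}",
            store.ValidateAndRotate(first, DateTime.Now) == null);
    }
}
```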

#4 eclipsed4utoo

Re: SHA1 Hash to Cookie

Posted 11 June 2009 - 08:16 AM

Thanks. I started looking, and noticed that the FormsAuthentication.SetAuthCookie() method accepted a parameter to persist the login cookie. So I am going to try that.

Now my only problem is getting it to expire at 3AM on the day after it is created.

#5 Jayman

Re: SHA1 Hash to Cookie

Posted 11 June 2009 - 09:09 PM

I don't see a problem with how you are retrieving the cookie.

However, I am curious how you are converting the byte array to the string when you hash the password?

I set up an example and it worked just fine.

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Security.Cryptography;
using System.Text;

public partial class _Default : System.Web.UI.Page 
{
	string user = "Username";
	string pass = "Password";

	protected void Page_Load(object sender, EventArgs e)
	{

	}
  
	protected void btnSave_Click(object sender, EventArgs e)
	{
		SHA1CryptoServiceProvider crypto = new SHA1CryptoServiceProvider();
		byte[] bytePassword = Encoding.Unicode.GetBytes(pass);
		byte[] hashPassword = crypto.ComputeHash(bytePassword);
		string strHashPassword = ""; 

		// Fixed-width hex: each byte becomes exactly two characters, so the string is unambiguous.
		foreach (byte thisByte in hashPassword)
		{
			strHashPassword += thisByte.ToString("x2");
		}

		HttpCookie cookie = new HttpCookie("Login");
		cookie.Value = string.Format("UserID={0}&Password={1}", user, strHashPassword);
		DateTime now = DateTime.Now.AddDays(1);
		cookie.Expires = new DateTime(now.Year, now.Month, now.Day, 3, 0, 0);
		Response.Cookies.Add(cookie);

		lblSaveHash.Text = "Hash saved: " + strHashPassword;
	}
	protected void btnGet_Click(object sender, EventArgs e)
	{
		string passwordHash = Request.Cookies["Login"]["Password"];

		lblGetHash.Text = "Hash retrieved: " + passwordHash;
	}
}

#6 eclipsed4utoo

Re: SHA1 Hash to Cookie

Posted 12 June 2009 - 08:46 AM

Here is how I hash the password...

public static string HashPassword(string password)
{
    System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding();
    byte[] array = encoding.GetBytes(password);

    SHA1 sha = new SHA1CryptoServiceProvider();
    byte[] retVal = sha.ComputeHash(array);

    return encoding.GetString(retVal);
}


#7 Jayman

Re: SHA1 Hash to Cookie

Posted 12 June 2009 - 10:17 AM

You are going to need to convert it one byte at a time to a string. I ran into the same issue when using the Encoding class to do the conversion to string from a byte array. I tried using both the ASCII and UTF-8 formats with the same result: it didn't work as expected.

That should solve your issue.
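
Why decoding the raw SHA-1 bytes as ASCII text, as the `HashPassword` method posted in reply #6 does, cannot round-trip, shown next to two byte-to-text encodings that can. This is an added example, not code from any poster in the thread; the class name `HashEncodingDemo`, the helper `ToHex` and the sample password are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class HashEncodingDemo
{
    // Two hex digits per byte: reversible, and only [0-9a-f] reaches the cookie.
    static string ToHex(byte[] data)
    {
        StringBuilder sb = new StringBuilder(data.Length * 2);
        foreach (byte b in data) sb.Append(b.ToString("x2"));
        return sb.ToString();
    }

    static void Main()
    {
        byte[] hash;
        using (SHA1 sha = SHA1.Create())
            hash = sha.ComputeHash(Encoding.ASCII.GetBytes("Password")); // constructed input

        // What HashPassword() returns: ASCII is 7-bit, so bytes above 0x7F become '?'.
        string asText = Encoding.ASCII.GetString(hash);
        byte[] back = Encoding.ASCII.GetBytes(asText);

        int replaced = 0, control = 0;
        for (int i = 0; i < hash.Length; i++)
        {
            if (hash[i] != back[i]) replaced++;      // information lost for good
            if (hash[i] < 0x20) control++;           // not printable in a cookie
        }
        Console.WriteLine("bytes replaced by '?': {0} of {1}", replaced, hash.Length);
        Console.WriteLine("control characters:    {0}", control);

        // Text forms that survive the trip to the browser and back.
        string hex = ToHex(hash);
        string b64 = Convert.ToBase64String(hash);
        byte[] fromB64 = Convert.FromBase64String(b64);
        Console.WriteLine("hex    ({0} chars): {1}", hex.Length, hex);
        Console.WriteLine("base64 ({0} chars): {1}", b64.Length, b64);
        Console.WriteLine("base64 round trip intact: {0}",
            Convert.ToBase64String(fromB64) == b64);
    }
}
```

The `?` characters and percent-escaped control bytes in the values quoted in the first post are these two effects; hex or Base64 avoids both.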