Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Store username and passwords

Options
  • 13-06-2003 10:27am
    #1
    brugi
    Closed Accounts Posts: 6


    I have a html page for a login section and I want to store the username and password whenever the user goes to this page so basically when the user types the first letter of their username it will display them both. I was thinking of using cookies to do this. Can this be done using JavaScript and how to implement it?


Comments

  • Options
    #2
    seamus
    Registered Users Posts: 68,317 ✭✭✭✭seamus


    You can use cookies to do this, but saving a password unencrypted inside a cookie is considered bad form, and doesn't protect the user should someone take his cookies (i.e. an internal attacker).

    When browsers do this, it's a feature of the browser, not the web page.

    Some people, e.g. me, don't like having their usernames and passwords stored on any machine.

    If you insist, read up on Javascript cookie handling

    :)


  • Options
    #3
    brugi
    Closed Accounts Posts: 6 brugi


    I agree, I don't like storing passwords either and I told them it was a bad idea but it is on an Intranet so they are not too concerned about it.
    Do you have any other suggestions for storing them?
    Cheers.


  • Options
    #4
    seamus
    Registered Users Posts: 68,317 ✭✭✭✭seamus


    Hmmm.

    I can't think of any other way of getting the browser to pop them up when the user types in a letter.

    You could keep a DB of username/password combinations.

    Use a PHP script to load these into Javacript arrays which basically do the same job, but then when anyone in the intranet types in the first letter of any username, both that username and password appear. Which negates the use of passwords.

    If each machine has a static IP, you could store the IP as another field in the DB, so when a machine connects to the page, the only username/password retrieved is the one tied to that IP.

    Again, not very secure.

    Other than using cookies w/unencrypted passwords or having all browsers in the company set to a default, there's not really any other way to do exactly what they want, as far as I can see.

    What, exactly do they want?

    :)


  • Options
    #5
    brugi
    Closed Accounts Posts: 6 brugi


    well basically what they want is that they don't have to enter usernames and passwords at all and it just logs them in automatically but they said they'd go for the first letter of the username route.


  • Options
    #6
    seamus
    Registered Users Posts: 68,317 ✭✭✭✭seamus


    Fs....then why bother at all with usernames/passwords? :rolleyes: Fecking corporate types.

    I'd say, explain to them the constraints. Tell them you can do the username/password thing so that each person needs only to put in their username/password once, or when their computer is formatted/reinstalled/reimaged etc.

    Then implement it using permanent cookies. It simply can't be done exactly the way they want.

    :)


  • Advertisement
  • Options
    #7
    boo-boo
    Closed Accounts Posts: 94 ✭✭boo-boo


    if you have an NT / Win 2k env. you could use the NT logon
    to log the user onto the site transparently, its not too complex, if you want details give me a shout.


  • Options
    #8
    Capt'n Midnight
    Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,238 Mod ✭✭✭✭Capt'n Midnight


    NET USE will give you user names..
    PUTINENV will make them into environment variables
    or dir c:\windows\*.pwl /od to get usernames ...


    But sounds like a classic Crunchie on the outside Soft on the inside security idea..

    If XP home - get power toys 1.0 (not 2 ) to get domain logins..


  • Options
    #9
    davej
    Registered Users Posts: 1,186 ✭✭✭davej


    Originally posted by boo-boo
    if you have an NT / Win 2k env. you could use the NT logon
    to log the user onto the site transparently, its not too complex, if you want details give me a shout.

    Yes, this would appear the best way to go about it.
    Once you have an ip address you can work out the username / domain of any user. vbscript/asp has built in commands to let you get at this information. Also look at the dos command

    nbtstat -A ipaddress

    Using the cookies method assumes that the user will always be connecting from the same machine. The above method assumes that the user has already authenticated himself to the network.

    davej


  • Options
    #10
    Silent Bob
    Registered Users Posts: 491 ✭✭Silent Bob


    The biggest enemy of network security is lazy coporate types who aren't prepared to use security measures because "it's so inconvenient".

    Well here's a though: Having your gibson hacked and all your coporate secrets 're-appropriated' is a hell of a lot more inconvenient.

    Stupid users...

    On another note, you shouldn't store peoples passwords. Use a one-way hashing function to hash each password and store that value. Then whenever they enter a password hash it with the same function and see if it matches (the function should provide pretty large hashes with a minimal chance of collisions...)


  • Options
    #11
    Kernel32
    Registered Users Posts: 640 ✭✭✭Kernel32


    if you have an NT / Win 2k env. you could use the NT logon

    As boo-boo said this is best way for an issue like this. If you are on IIS then you can set it up for NT Auth and use integrated, the users that can be given access are then controlled on the PDC in Active Directory etc. I would look some of this up on MSDN and have a chat with your network admin.


  • Advertisement
Advertisement