Created
January 17, 2012 20:34
-
-
Save ardalis/1628720 to your computer and use it in GitHub Desktop.
What's wrong with this?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if (ChkRemeberMe.Checked) | |
| { | |
| var hcEmail = new HttpCookie("AcmeEmail", Convert.ToString(TxtUserName.Text.Trim())); | |
| var hcPassword = new HttpCookie("AcmePassword", Convert.ToString(TxtPassword.Text.Trim())); | |
| hcEmail.Expires = DateTime.Now.AddDays(30); | |
| hcPassword.Expires = DateTime.Now.AddDays(30); | |
| Response.Cookies.Add(hcEmail); | |
| Response.Cookies.Add(hcPassword); | |
| } |
I would agree that's the main thing. I would just store the hash. There should also be checks to ensure that hcEmail and hcPassword are not null but that's probably not the point of the code.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The user ID and password are stored in plain text in a cookie, which is a plain text file on the client machine. These are easy to open on the client machine, and are passed with every request, opening the possibility of being intercepted.