Remembering user accounts without using cookies.


Ryan Ternier

Hey!

We need a solution for a problem. We're designing a site where users hate...
absolutely hate... with a passion to sign in with a user name / password
system. They want to sign in once, and that's it.

Users are all behind an internal IP so we can't use the old method of
remembering IPs as that would mess up user preferences. We really don't
like using cookies either. Is there another method we could use? Encrypted
XML on the client's machine was brought up, but that still has security
issues.

Are there other options for this scenario?


/RT
The Monkey at the Keyboard
 
Ryan Ternier said:
Hey!

We need a solution for a problem. We're designing a site where users hate...
absolutely hate... with a passion to sign in with a user name / password
system. They want to sign in once, and that's it.

Users are all behind an internal IP so we can't use the old method of
remembering IPs as that would mess up user preferences. We really don't
like using cookies either. Is there another method we could use? Encrypted
XML on the client's machine was brought up, but that still has security
issues.

What's wrong with cookies?
 
If you don't want cookies, you are pretty much out of options. IE Security
wouldn't let you write any files on the client's machines.

I'm not sure what you have against cookies, that is a pretty standard way of
accomplishing this. You can encrypt the password before storing it in the
cookie.
 
It's not that cookies won't cut it, it's that the lead Designer doesn't want
to use them... plus the people that will be using this system have a system
tighter than... to put it in plain terms... if they wanted to download an
image to their computer, they'd have to go through about 5 different levels
of management to get an OK for it.
 
If they use IE, I would think they'd be ok with cookies. They can explicitly
control from which sites to accept cookies, and I believe that list can be
locked by using Group Policy, so that individuals can't change it.
 
Well, they can't have their cake and eat it too.
Meaning, that if they are unwilling to do something as harmless as to allow
cookies to come from your site - they can't then expect to have the username
and password remembered.

In fact, any other solution - like storing encrypted XML files, etc, would
actually be less secure. Imagine if a web site can write any file it wants
to, to your computer - what a huge security hole!

And again, there is nothing stopping you from encrypting whatever it is you
want to store in the cookie, to make sure that it is safe.
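
A remember-me cookie of the kind the replies describe, as an added example that is not part of any post in the thread. Instead of an encrypted password it stores a random single-use token whose hash is kept server-side (a swapped-in technique); `TOKENS`, `LIFETIME`, the cookie name `remember` and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Hypothetical server-side store: selector -> (validator hash, user, expiry).
# A real site would keep this in a database table.
TOKENS = {}
LIFETIME = 30 * 24 * 3600  # 30 days, an assumed policy


def issue_token(user, now=None):
    """Create the cookie value after a successful password login."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(9)    # lookup key, not secret
    validator = secrets.token_urlsafe(32)  # secret; only its hash is stored
    digest = hashlib.sha256(validator.encode()).hexdigest()
    TOKENS[selector] = (digest, user, now + LIFETIME)
    return f"{selector}:{validator}"


def set_cookie_header(value):
    """Build the Set-Cookie header with flags that keep the token private."""
    c = SimpleCookie()
    c["remember"] = value
    c["remember"]["max-age"] = LIFETIME
    c["remember"]["secure"] = True     # sent over HTTPS only
    c["remember"]["httponly"] = True   # not readable from page script
    c["remember"]["samesite"] = "Lax"
    c["remember"]["path"] = "/"
    return c.output(header="Set-Cookie:")


def redeem_token(cookie_value, now=None):
    """Return (user, replacement cookie value) if valid, else None."""
    now = time.time() if now is None else now
    selector, sep, validator = cookie_value.partition(":")
    # Remove the record on every attempt, so each token works at most once.
    record = TOKENS.pop(selector, None) if sep else None
    if record is None:
        return None
    digest, user, expiry = record
    presented = hashlib.sha256(validator.encode()).hexdigest()
    if now > expiry or not hmac.compare_digest(digest, presented):
        return None
    return user, issue_token(user, now)  # rotate so a copied cookie goes stale
```

Because the cookie never contains the password, a leaked cookie or a leaked token table does not disclose credentials, and a token can be revoked by deleting its row.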
 