What is the best practice of keeping the user logged in after the application is closed and reopened?

  • Question

  • I have a WinForms app that has a login option: the login data is just email and password. When the user logs in, I want the program to "remember" the last user that logged in (if he didn't log out) and use this information the next time he opens the app. I can just put it in a text file, but text files can be changed by anyone to anything else, so the user can access every single account in the DB, even if he is not authorized. If I add the password to the text file (and then run checks that the password in the text file matches the password in the DB), then the password will be exposed to everyone that can access the computer. (You may say "well, if he can access the computer he can log into the account anyway", but if he doesn't know the password he can't steal the account, just make changes.) Encrypting the password in the text file won't work either, because the attacker has limitless tries to decrypt the password. What is the best practice for such problems?

    On top of the advice, it would be great if it would be possible to provide a code example of how to do it, because I am a beginner, so I probably won't be able to do it on my own (especially if the solution contains complex code).


    • Edited by avivgood Thursday, November 21, 2019 4:08 PM
    Thursday, November 21, 2019 4:00 PM

All replies

  • You could set up a SQL Server Express database with users and roles so that user information would be in a table that uses encryption. There are lots of moving parts to this; I don't have enough time to get into every aspect, including advantages and disadvantages.

    Please remember to mark the replies as answers if they help and unmark them if they provide no help; this will help others who are looking for solutions to the same or similar problem. Contact via my Twitter (Karen Payne) or Facebook (Karen Payne) via my MSDN profile, but I will not answer coding questions on either.

    NuGet BaseConnectionLibrary for database connections.

    StackOverFlow
    profile for Karen Payne on Stack Exchange

    Thursday, November 21, 2019 4:29 PM
    Moderator
  • An entire SQL Server setup for storing one string? 
    Thursday, November 21, 2019 4:42 PM
  • An entire SQL Server setup for storing one string? 

    I thought you would have multiple users, sounds like 1 then.

    See the following

    https://www.mking.net/blog/password-security-best-practices-with-examples-in-csharp



    Thursday, November 21, 2019 4:52 PM
    Moderator
  • An entire SQL Server setup for storing one string? 

    I thought you would have multiple users, sounds like 1 then.

    See the following

    https://www.mking.net/blog/password-security-best-practices-with-examples-in-csharp



    Is this for the password? How should I store the email?

    • Marked as answer by avivgood Friday, November 22, 2019 4:51 AM
    Thursday, November 21, 2019 4:59 PM
  • You can use the data protection API to store the user and password bound to the Windows account that has logged in to the computer. Another user that logs in will not be able to see and change the data saved by the previous user.

    Look for the class ProtectedData (in System.Security.Cryptography)

    https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.protecteddata?view=netframework-4.8

    • Marked as answer by avivgood Friday, November 22, 2019 4:51 AM
    Thursday, November 21, 2019 5:09 PM
    Moderator
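
The `ProtectedData` suggestion from the reply above, as an added example that is not part of the original thread. The class name, file location and entropy string are assumptions, and `secret` stands for whatever value the app chooses to remember.

```csharp
using System;
using System.IO;
using System.Security.Cryptography; // on .NET Framework, reference System.Security.dll
using System.Text;

// Added example: class name, file location and entropy string are hypothetical.
public static class RememberedLogin
{
    // Optional entropy ties the blob to this purpose; it is not a secret key.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyWinFormsApp.RememberedLogin.v1");
    private static string FilePath => Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "MyWinFormsApp", "login.bin");

    public static void Save(string email, string secret)
    {
        var ms = new MemoryStream();
        using (var w = new BinaryWriter(ms, Encoding.UTF8))
        {
            w.Write(email);  // BinaryWriter length-prefixes each string
            w.Write(secret);
        }
        // DPAPI encrypts and integrity-protects with a key tied to the current Windows account.
        byte[] blob = ProtectedData.Protect(ms.ToArray(), Entropy, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(FilePath));
        File.WriteAllBytes(FilePath, blob);
    }

    public static bool TryLoad(out string email, out string secret)
    {
        email = secret = null;
        if (!File.Exists(FilePath)) return false;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                File.ReadAllBytes(FilePath), Entropy, DataProtectionScope.CurrentUser);
            using (var r = new BinaryReader(new MemoryStream(plain), Encoding.UTF8))
            {
                email = r.ReadString();
                secret = r.ReadString();
            }
            return true;
        }
        catch (Exception ex) when (ex is CryptographicException || ex is IOException)
        {
            email = secret = null;  // edited, corrupted or saved by another Windows account
            return false;           // caller falls back to the normal login screen
        }
    }
    public static void Clear() { if (File.Exists(FilePath)) File.Delete(FilePath); } // call on logout
}
```

With `DataProtectionScope.CurrentUser`, other Windows accounts cannot decrypt the file and an edited file makes `Unprotect` throw, but any program running under the same Windows account can still decrypt it.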
  • An entire SQL Server setup for storing one string? 

    I thought you would have multiple users, sounds like 1 then.

    See the following

    https://www.mking.net/blog/password-security-best-practices-with-examples-in-csharp



    Is this for the password? How should I store the email?

    Same as the password, both are simple strings.


    Thursday, November 21, 2019 5:12 PM
    Moderator
  • It's not an optimal approach for a Windows desktop solution. The user authenticates by logging into the program using a login screen. If the user closes out of the program and starts the program up again, then the user logs into the program again using the login screen, where the credentials are validated against a User table.

    Anything else being considered is questionable.

    Thursday, November 21, 2019 11:10 PM