username and password

**vbbit** · Jan 15th, 2008, 10:35 AM

Hello I stored my username and password in session and cookie, but once users log out, I initiated them to be "gone." or blank.

My question is, is this secure to do that? also, I have a link that acts like this : http://localhost?username=(whatever the username in the cookie)&password=(whatever in the cookie for pwd)

I would like to get a short version instead of long link like that, plus I would like to hide that username and password information too. Can anyone help or provide insights please?

**vbbit** · Jan 15th, 2008, 11:54 AM

Can someone help? at least I can hide the password? but dont know how

**mendhak** · Jan 15th, 2008, 12:12 PM

What is the purpose of this? Why do you need the username and password in the querystring? You shouldn't actually be storing this information in the querystring or even cookie for that matter. User enters their details, you authenticate and give them a 'token'. Maybe a cookie, maybe a session variable... depends though, why do you need to put it in the URL?

**vbbit** · Jan 15th, 2008, 02:38 PM

because I want to pass those credentials to my another page that is on another server. My another server won't recognize the cookies/sessions from my another server.

**vbbit** · Jan 15th, 2008, 02:41 PM

by all means can I assign those username and password to be "tokens" then still able to pass those credentials to my other server?

**mendhak** · Jan 16th, 2008, 05:33 AM

There are other ways to do this. For example, user logs in to Site1, you generate a unique ID for that session. You can make it a GUID. Store that in the DB1 for Site1 and DB2 for Site2. When you send the user to the other site, pass the GUID and get Site2 to look in DB2 for that GUID and then get the info. Make the GUID 'expire' after a while.

Another way is to do a POST to Site2's login page, so that you're at least passing the information via POST rather than GET and letting that website deal with the info passed.

**vbbit** · Jan 16th, 2008, 12:13 PM

Mendhak, I was thinking that too, but can ASP.net use POST without form? because when I added form runat, I got an error that I cannot have 2 forms at the same time, which I could not find where else I have the form.

**mendhak** · Jan 17th, 2008, 06:03 AM

You cannot post without a form. You can set the form's action to be your target page if you want.

<form id="Form1" runat="server" method="POST" action="http://something.co..."...

Thread: username and password

Thread Tools

Display

username and password

Re: username and password

Re: username and password

Re: username and password

Re: username and password

Re: username and password

Re: username and password

Re: username and password

Posting Permissions