I have an ASP.NET MVC 5 app. The app talks to a WCF service. Once the user has passed in their credentials, a connection to WCF is established using those credentials. This is done so that the WCF service restricts their access and only returns useful data to the MVC app.

Authentication is working correctly, and the WCF credentials are stored for the session. However, if I shut down the app, and start it up again, these credentials are lost. So, my question is, what is the best approach to storing the credentials?

If I persist the credentials to file, I probably should encrypt them, right? Is there some recommended way of storing passwords so that I can later decrypt them? If so, wouldn't this be very insecure, because anyone on the server can grab users' passwords and decrypt them?

Lastly, just to confirm, the cookie on the client side doesn't save and resend the password does it? Just so I understand this correctly, the cookie is just a unique identifier that confirms that the client has previously been talking to the server. Right?

Christian Findlay
  • Your question is quite broad, and therefore difficult to answer. We have no idea what kind of authentication mechanism you are using, or how "a connection to WCF is established using those credentials". Broadly speaking, no, don't save credentials to a file, and you will need to understand one-way hashing and encryption to properly secure those. And cookies can save anything, though it is typical for the cookie to reference a session ID that is stored in memory on the server. When you shut down the app, that session is wiped, which likely answers one of your questions. – Mister Epic Dec 01 '15 at 01:38
  • I'm a bit new to MVC, and I'm editing someone else's app. I don't really have answers to all your questions unfortunately. But, I can tell you that there is a Login view which passes in the username and password. It then passes those credentials on to WCF in order to consume data from that WCF Service. Unfortunately, one-way hashing won't suit this scenario because the WCF service will expect the credentials in unencrypted text. – Christian Findlay Dec 01 '15 at 02:05
  • "cookies can save anything". Well, does that mean that it would be possible to save the username/password in the browser, and have those sent to the server the next time the user bypasses the login screen? If so, is that usual practice? Secure practice? What I should probably add is that it's easy enough for me to solve this problem technically, by just writing the usernames and passwords to a plain text file on the server. But, this isn't best practice. I'm looking for best practice on how to do this. – Christian Findlay Dec 01 '15 at 02:05
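The point raised in the question and comments is easier to see in code: a session cookie carries an opaque random identifier, the server maps that identifier to state held in memory, and the password is never written into the cookie or to disk. The following is an added illustration, not code from the question or from the asker's app; the `SessionStore` class, the `CredentialsAcceptedByService` stand-in for the WCF call, and the sample user are all assumptions made for the example.

```csharp
// Added illustration: a minimal in-memory session store showing what a
// session cookie actually carries. Not code from the question or the
// asker's app. Names and sample values are assumptions.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

public sealed class SessionStore
{
    // Session record (hypothetical shape). It lives only in process memory,
    // so restarting the app wipes it and the user must log in again, which
    // matches the behaviour described in the question.
    public sealed class SessionData
    {
        public string UserName { get; set; }
        public DateTime CreatedUtc { get; set; }
    }

    private readonly ConcurrentDictionary<string, SessionData> _sessions =
        new ConcurrentDictionary<string, SessionData>();

    // Issue a new session id: 32 random bytes, base64url-encoded. This id is
    // the only thing that goes into the cookie. It cannot be turned back into
    // a password because it contains none; it is just a lookup key.
    public string Create(string userName)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        string id = Convert.ToBase64String(bytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _sessions[id] = new SessionData { UserName = userName, CreatedUtc = DateTime.UtcNow };
        return id;
    }

    // Resolve a cookie value back to its session, or null if unknown or expired.
    public SessionData Lookup(string cookieValue, TimeSpan maxAge)
    {
        SessionData data;
        if (cookieValue == null || !_sessions.TryGetValue(cookieValue, out data))
            return null;
        if (DateTime.UtcNow - data.CreatedUtc > maxAge)
        {
            _sessions.TryRemove(cookieValue, out data);
            return null;
        }
        return data;
    }

    // Logout: forget the id so the cookie value becomes useless.
    public void Destroy(string cookieValue)
    {
        SessionData removed;
        _sessions.TryRemove(cookieValue, out removed);
    }
}

public static class Demo
{
    // Stand-in for the call to the WCF service made with the user's
    // credentials (assumption; the real app would open its WCF channel here).
    private static bool CredentialsAcceptedByService(string user, string password)
    {
        return user == "alice" && password == "correct horse battery staple";
    }

    public static void Main()
    {
        var store = new SessionStore();

        // Login: the credentials are used against the service and then dropped.
        string user = "alice", password = "correct horse battery staple";
        if (!CredentialsAcceptedByService(user, password))
            throw new UnauthorizedAccessException("service rejected credentials");
        string cookie = store.Create(user);
        Console.WriteLine("Set-Cookie: sid=" + cookie + "; HttpOnly; Secure");

        // Later request: the browser sends back only the identifier.
        var session = store.Lookup(cookie, TimeSpan.FromMinutes(20));
        Console.WriteLine("sid resolves to user: " +
            (session == null ? "(none)" : session.UserName));

        // "Restart": a fresh store has no record of the id, so the same cookie
        // no longer identifies anyone and the user has to log in again.
        var afterRestart = new SessionStore();
        Console.WriteLine("same sid after restart: " +
            (afterRestart.Lookup(cookie, TimeSpan.FromMinutes(20)) == null
                ? "not found, re-authenticate"
                : "found"));
    }
}
```

The cookie flags in the `Set-Cookie` line (`HttpOnly`, `Secure`) are the usual defaults for a session identifier: they keep the id out of page scripts and off plain HTTP. The example deliberately keeps only the user name in the session record; whether anything else needs to be held in memory for the WCF channel is an application decision, but nothing in it is persisted to a file.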

0 Answers