I have read lots of posts regarding the best and most secure approach for creating a remember me checkbox in Windows Forms applications in VB.NET (VS 2017 CE).

Some suggest My.Settings and others suggest the registry.

Reference to this post: https://stackoverflow.com/a/4083212/7735285

As a side note, Windows applications store secrets locally using DPAPI, exposed in .Net as ProtectedData class. The link has fully functional examples of encrypting data with DPAPI in .Net. However, the point remains that storing user credentials in applications, even under DPAPI, is fundamentally broken.

So my question is, as the subject says: how to create a secure remember me checkbox without the need to store login credentials?

Is there a way to simulate a secure cookie in WinForms applications, or what is the best practice?

What I have in mind is to use TPM 2 if VB.NET can read/write it, but I still can't be sure if this is best practice; plus this adds limitations to the app if that option is not available at the user's end.

Please, any reference or tip?

Thanks in advance and any input is appreciated.

PS. There are lots of recommendations for ASP and IIS, but I can't find a proper and direct solution for VB.NET WinForms apps.

Update: to fully understand the scenario: I am about to develop an app to help and support users with some medical issues, thus privacy is a challenge.

wpcoder
  • How EXACTLY are the credentials provided by the user being used? Are they used to authenticate against some external resource or are they just to identify the user locally? If it's just locally then all you need is the username, but I suspect that it's not just locally. – jmcilhinney Jul 19 '17 at 05:36
  • Thank you @jmcilhinney for your input. My idea is to store credentials in a MySQL server over an SSL connection, but I don't want to ask the user to authenticate every time. – wpcoder Jul 19 '17 at 05:42
  • How about simply storing a unique and random hashed ID on a USB stick, then comparing it with a MySQL cell? Would that be OK? Just to bypass the login form? – wpcoder Jul 19 '17 at 05:51

1 Answer

If the local Windows login is adequate proof, you can store cookies/files in the user's %appdata% folder:

Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) 

However, other users with administrator rights can access a user's appdata folder, so you might want to check the current logged-in user ID:

My.User.Name

If you aren't using domain credentials (e.g. home computers on different networks) then you might need to check something that identifies the PC. Answers to this SO question (click) could help with that.

(P.S. %appdata% is where browsers store their cookies too!)

SSS
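
An added example, not part of the original posts: one way to get cookie-like behaviour is to keep a random, revocable token (never the password) in %appdata%, wrapped with the ProtectedData class mentioned in the question, while the server stores only the token's hash. The folder name `ExampleApp`, the file name and the function names are placeholders, and the server side is assumed to exist.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Cryptography ' ProtectedData needs a reference to System.Security
Module RememberMe
    ' "ExampleApp" is a placeholder folder name.
    Private ReadOnly TokenPath As String = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
        "ExampleApp", "remember.bin")

    ' After an interactive login with the box ticked: store a random token locally
    ' and return its SHA-256 hash, which is all the server keeps for this device.
    Function SaveNewToken() As Byte()
        Dim token(31) As Byte ' 32 random bytes
        Using rng = RandomNumberGenerator.Create()
            rng.GetBytes(token)
        End Using
        Directory.CreateDirectory(Path.GetDirectoryName(TokenPath))
        ' DPAPI binds the blob to the current Windows account.
        File.WriteAllBytes(TokenPath,
            ProtectedData.Protect(token, Nothing, DataProtectionScope.CurrentUser))
        Using sha = SHA256.Create()
            Return sha.ComputeHash(token)
        End Using
    End Function

    ' Returns the token to present to the server, or Nothing if missing or unreadable.
    Function LoadToken() As Byte()
        If Not File.Exists(TokenPath) Then Return Nothing
        Try
            Return ProtectedData.Unprotect(File.ReadAllBytes(TokenPath),
                                           Nothing, DataProtectionScope.CurrentUser)
        Catch ex As CryptographicException
            File.Delete(TokenPath) ' blob copied from another account or tampered with
            Return Nothing
        End Try
    End Function

    ' Server-side check, shown in VB for brevity: constant-time hash comparison.
    Function TokenMatches(presented As Byte(), storedHash As Byte()) As Boolean
        Dim h As Byte()
        Using sha = SHA256.Create()
            h = sha.ComputeHash(presented)
        End Using
        Dim diff As Integer = h.Length Xor storedHash.Length
        For i = 0 To Math.Min(h.Length, storedHash.Length) - 1
            diff = diff Or (h(i) Xor storedHash(i))
        Next
        Return diff = 0
    End Function
End Module
```

Unticking the box or logging out should delete the local file and remove the stored hash on the server, so a copied token stops working.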