Auto Login


freedowsRoO


I'd like to point out for the benefit of the original poster that the demo does *not* protect the credentials. This is a major security concern for a production system, as anything else in the browser can read the credentials out of the cookies on the user's machine.

For a production-grade solution you must therefore not store the credentials themselves, but rather a login token. Or if you must store the credentials themselves, then they must be encrypted on the server using strong encryption (say AES256). If you use a token, then it should be validated upon use, to prevent e.g. token theft and/or impersonation by a malicious third party. So, for example, a token should ideally include some way to validate the IP address making use of the token.

(In our system I ended up employing AES256 encryption to protect the credentials in the browser, to allow seamless processing and auto-login from a specific URL straight to a specific screen/form/page without demanding that the user log in - if the credentials are absent then of course you are asked to log in as normal. Edit: To add, we used SynCrypto.pas, part of the mORMot framework, for the AES encryption.)

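The token approach recommended in the reply above, written out as an added example. This is not code from the original thread or from the poster's mORMot-based system; it is a hypothetical Python sketch (rather than Delphi) of a server-side auto-login token store: the browser only ever holds a random token, the server keeps a SHA-256 hash of it (so a leaked store cannot be replayed), and each redemption is checked against the issuing client's IP address, an expiry time and single use. The `AutoLoginTokenStore` class, the `TokenRecord` fields, the 30-minute lifetime and the sample IP addresses are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 30 * 60  # constructed default: tokens live 30 minutes


@dataclass
class TokenRecord:
    token_hash: str    # SHA-256 of the raw token; the raw token itself is never stored
    user_id: str
    client_ip: str     # address the token was issued to (the "IP validation" the reply suggests)
    expires_at: float  # absolute time, seconds since the epoch
    used: bool = False # single-use: a replayed token is refused


class AutoLoginTokenStore:
    """Hypothetical server-side store for auto-login tokens (example code)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        # clock is injectable so expiry can be exercised deterministically
        self._records: Dict[str, TokenRecord] = {}
        self._clock = clock

    @staticmethod
    def _hash(raw_token: str) -> str:
        return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, client_ip: str, ttl: float = TOKEN_TTL_SECONDS) -> str:
        """Create a fresh token bound to user_id and client_ip; return the raw token.

        The raw value is what gets embedded in the auto-login URL or cookie.
        Only its hash is kept here, so a copy of the store is not a set of valid tokens.
        """
        raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = self._hash(raw)
        self._records[digest] = TokenRecord(
            token_hash=digest,
            user_id=user_id,
            client_ip=client_ip,
            expires_at=self._clock() + ttl,
        )
        return raw

    def redeem(self, raw_token: str, client_ip: str) -> Optional[str]:
        """Return the user_id if the token is valid for this client, else None.

        A token is rejected when it is unknown, already used, expired, or
        presented from an address other than the one it was issued to.
        """
        rec = self._records.get(self._hash(raw_token))
        if rec is None:
            return None
        if rec.used or self._clock() > rec.expires_at:
            # dead token: drop it so the store does not grow without bound
            self._records.pop(rec.token_hash, None)
            return None
        # constant-time comparison so response timing does not leak the bound address
        if not hmac.compare_digest(rec.client_ip.encode("utf-8"), client_ip.encode("utf-8")):
            return None
        rec.used = True  # consume on first successful use; a replay now fails
        return rec.user_id


def demo() -> Dict[str, Optional[str]]:
    """Walk through the failure modes with a fake clock and constructed addresses."""
    now = [1000.0]
    store = AutoLoginTokenStore(clock=lambda: now[0])
    results: Dict[str, Optional[str]] = {}

    raw = store.issue("alice", "203.0.113.5")
    results["wrong_ip"] = store.redeem(raw, "198.51.100.9")   # None: different client
    results["first_use"] = store.redeem(raw, "203.0.113.5")   # "alice": valid
    results["replay"] = store.redeem(raw, "203.0.113.5")      # None: already consumed

    raw2 = store.issue("bob", "203.0.113.5", ttl=60)
    now[0] += 61                                              # advance past expiry
    results["expired"] = store.redeem(raw2, "203.0.113.5")    # None: too old
    results["garbage"] = store.redeem("not-a-token", "203.0.113.5")  # None: unknown
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

Binding a token to the issuing IP, as the reply suggests, does shut down use of a stolen token from elsewhere, but it will also reject legitimate users whose address changes mid-session (mobile networks, some corporate NAT); a short lifetime plus single use gives most of the same protection where strict IP binding is not acceptable.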