Using Cookie to set username and password via Javascript

Question

I am using a checkCookie function to see whether a username and password exists in cookie.I know using cookie is not a secure method but I am only using it on trial basis, so please be lenient. On first execution, it will prompt the user for its username and password and will store it in document.cookie by using setCookie(); and on re-executing code, it will only ask the username and will check cookie to retrieve the corresponding password. Below is my checkCookiefunction JS:-

function checkCookie() {
  var username = prompt("Please enter your name:", "");
  var password;
  if (flag == 0) { //flag=0 shows cookie is not set 
    password = prompt("Please enter your password:", "");
    username += "!";
    username += password;
    alert("Username = " + username);
    setCookie("username", username, 365); //save input in cookie
  } else //if cookie is already set with some username+password
  {
    var n = getCookie("username", username); //this retrieves the password from Cookie
    if (n) {
      alert("FLAG= 1 The user's password is " + n);
    } else
      alert("FLAG= 1  User password doesnot exist ")
  }
} //checkCookie function end

Now I have these questions regarding the above code.

1) I am trying to use a flag variable, whose value is initally 0, but whenever a username is stored in Cookie, flag value should become 1. In C, we can do this by declaring a static variable flag, but how to achieve this in JS ?

2) Plus my complete Javascript is allowing me to get password corresponding to a username, how can I use it to auto-fill password field on lets say gmail.com webpage password field?
If i use getElementByID("password").innerHTML = password, will it auto-fill the document's password field ?

3) When I run the code on JSFiddle.net, the username cookie is saved. But when I refresh the JSFiddle.net, cookie values are reset! How can I make my cookie value persistent(fixed) on page reload?

Looking forward to some good suggestions. Thanks for reading

Answer 1

I'll skip the lecture and give you what you asked for:

document.getElementById("password").value = password;

seems to work (tested in jsfiddle)

Answer 2

You should never store usernames and passwords as cookies, even if they're encrypted or hashed, this is bad practice as anyone could just come along and inspect the user's network traffic and steal their identity. Storing usernames and passwords as cookies essentially broadcasts them to anyone who may be looking in.

Instead you should create a login page which stores a session token and the user's IP in your database and sets that as the cookie, then when a user has your session token cookie all you need to do is compare that and the user's IP address with your tokens table in your database to check whether they are logged in or not.

If the same person comes along and inspects the network traffic, all they'll get is the session token. Sure, they could potentially use this to steal the session, but they'd need the same IP address.

This is why websites should also always require a password to be re-entered when letting users modify account information.

See this Wikipedia article on Session Hijacking for further reading.