I have a web app that can run offline using HTML5 offline cache. I am storing an sha256 hash of the user's password on the client, which allows me to let the user login locally when offline, but I don't need to store the actual password locally.
I would like to introduce some functionality whereby if the app becomes online then the app will automatically logon to the server without the user having to re-key their password. This means I either need to store the actual password on the client somehow, or I need to pass the hashed password to the server to allow the server to authenticate the user. Both these methods seem to have drawbacks:
I don't believe I can store the password securely on the client (a JavaScript variable would do, but with page refreshes the var goes out of scope). Cookies or session storage or local storage can all be too easily viewed.
I am already storing the sha256 hash of the password locally, but if I open up a method on the server to allow this hash to authenticate the user then I am also opening up the security rather.
Anyone got any bright ideas on this one? Thanks.
(Server is ASP.NET MVC C#)
You could store the hashed password in an IndexedDB or WebSQL database, as both of those are quite difficult to read - though the Chrome Developer Tools do allow you to get access to them if you know how - though neither of those are supported in Internet Explorer. But if your app is running offline, that doesn't matter ;)