Classic ASP: Storing Session Variables in Cookies

Hello All,

I'm trying to create a secure 'remember me' login function on a classic ASP site.

I know that session variables are stored on the server - are they encrypted, and are they persistent, or unique with each login?

i.e. If I create a session with a value of 1, is this stored encrypted on the server or is it stored as 1? If encrypted, is it stored as a unique value each time?

I ran a test as shown below:

<%
' Start from an empty session, then store the user ID server-side
Session.Contents.RemoveAll()
Session("UID")=1
' Copy the session value straight into a browser cookie (test only)
Response.Cookies("Test")= Session("UID")
%>



In chrome I could see that Test = 1

What would be the best way to do this? I don't want to store usernames and passwords in cookies...

The user table has

Unique ID
Username
SHA1 encrypted password
SALT

Thanks
garethtnash Asked:

Dave Baldwin (Fixer of Problems) Commented:
The cookie is normally a hash of something in the user's listing and is saved in a separate field in the database, so you can compare it to the cookie when a user returns to your site.
0
garethtnash (Author) Commented:
Thanks Dave, can you provide an example?
0
garethtnash (Author) Commented:
Hi

Assuming I want to Hash

ID=1&UID=EE&SALT=12345 (variables could differ)

How do I do this? What type and size of column would need to be added to the table to hold the hashed output?

At the other end, when receiving the hashed value back, how can I decrypt the hashed value, so that I can just extract ID=1 as an example?

Thanks
0
Dave Baldwin (Fixer of Problems) Commented:
I haven't done this in ASP.  MD5 creates a 32 byte hash in hex and I don't remember what SHA creates.  In any case, you don't decrypt it, you use it to find the database record it is in and then use the data from the record.
0
garethtnash (Author) Commented:
OK thanks, so just to check, should I also have a secondary cookie, like ID, so that I'm comparing two values?

i.e. If ID = 1 AND MD5 = xxx then do something?
0
Dave Baldwin (Fixer of Problems) Commented:
No.  Just use the hash value as a lookup in the database.  Then the user table will be like this:

Unique ID
Username
SHA1 encrypted password
SALT
hash (for cookie)

Then you do SELECT * FROM Usertable WHERE hash = cookie-value

The advantage is that no direct user info is stored in the cookie.
0
Scott Fell, EE MVE (Developer & EE Moderator) Commented:
I have an article for user authentication that should help: http://www.experts-exchange.com/articles/18259/User-Log-In-Using-A-Token.html

The article includes how to hash.

You will see that I have done more than just use the same token (hash) all the time. Instead the token changes at each log in.  This way, if somebody else were to hijack it, they wouldn't be able to use the token next time you log in.  Also, this remember me stuff shouldn't be used for sensitive information.  If you are directing users to view or edit sensitive info, you will want to ask for the password again.

As you probably noticed, Experts Exchange uses a persistent login.  If you did hijack my account, the worst that you could do is post as me, but that would quickly be noticed.
0
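The scheme Dave and Scott describe, worked through as an added example (this is not code from the thread or from Scott's article, and it is Python rather than VBScript so it runs as-is): the cookie carries a random token minted at each login, the table's "hash (for cookie)" column holds only that token's SHA-256, and a returning visitor is resolved by looking the hash up. USERS is a constructed stand-in for the user table.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the user table: unique ID -> row. The password
# and salt columns from the question are omitted; only the cookie column
# matters here, and it holds a hash, never the token the browser has.
USERS = {1: {"username": "EE", "cookie_hash": None}}


def hash_token(token: str) -> str:
    """SHA-256 hex digest of the token: always 64 characters, so a CHAR(64)
    column is enough to hold it."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_remember_me(user_id: int) -> str:
    """Called at login: mint a fresh random token, store only its hash, and
    return the raw token to be placed in the cookie. Overwriting the stored
    hash is what makes the token from the previous login stop working."""
    token = secrets.token_urlsafe(32)
    USERS[user_id]["cookie_hash"] = hash_token(token)
    return token


def lookup_by_cookie(cookie_value: str):
    """Called on a return visit: hash the cookie and find the matching row,
    the in-memory equivalent of SELECT ... WHERE hash = <digest>.
    Returns the user's unique ID, or None when nothing matches."""
    digest = hash_token(cookie_value)
    for user_id, row in USERS.items():
        stored = row["cookie_hash"]
        # Constant-time comparison so response timing leaks nothing about
        # how close a presented value is to the stored one.
        if stored is not None and hmac.compare_digest(stored, digest):
            return user_id
    return None


def revoke_remember_me(user_id: int) -> None:
    """Logout or 'sign out everywhere': clear the column so the cookie still
    held by the browser no longer resolves to anyone."""
    USERS[user_id]["cookie_hash"] = None
```

Because only the hash is stored, someone who reads the user table cannot reconstruct a working cookie from it; because the column is replaced at every login, a token copied from an old cookie stops working as soon as the real user signs in again.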
Martin Liss (Older than dirt) Commented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
garethtnash (Author) Commented:
Hi Guys - apologies for the delayed response - this is great, thank you. Scott, excellent article!

Thank you both
0