Bob Schneider
Placement of Cookies in ASP Page
Thanks to help from this site I am ready to add "Remember Me" functionality to http://www.gtraxc.com/login.asp. I believe I know how to set and retrieve cookies. I also know not to use cookies to populate user name and password fields. I just need some assistance putting this together on a classic asp page. Here are my assumptions and questions. Please correct as necessary, and thank you in advance!
1) I assume that I collect the cookies if "Remember Me" is selected from the form submission using the following process:
If Request.Form.Item("remember-me") = "on" Then
    ' Proposed approach: persist the credentials themselves in cookies
    Response.Cookies("user_name") = sUserName
    Response.Cookies("password") = sPassword
    ' Expires must be set on each cookie; a cookie without it lasts only for the browser session
    Response.Cookies("user_name").Expires = #March 1, 2020#
    Response.Cookies("password").Expires = #March 1, 2020#
End If
2) I assume I could have the expiry be Date + 180 since it seems like its a good practice to keep them for 6 months?
3) I know that when I check for cookies, if I find that they exist and have not expired I use that to log the user in and redirect them to the necessary page. I assume that I do that at the very beginning of the asp code using code something like:
' Read the remembered values back on every page load
sUserName = Request.Cookies("user_name")
sPassword = Request.Cookies("password")
' Check for existence in the db and, if found, redirect to the appropriate page
ASKER
No, just checking before I implement. I will give it a go and see how it does. Thanks!
Bob, you are storing a username and password in clear text here. This is not how it is done and is a security risk for your users. Your remember-me can either just store the username or a logged-in session.
If you want to allow users to log in once and not have to log in again, you will store a session/token on your server or database as well as a cookie. When the user hits your page, check for the token/cookie and match that up to a cached session.
I have this detailed in my article https://www.experts-exchange.com/articles/18259/Classic-ASP-Login-System-Utilizing-a-Token.html
This may have you rethink how you handle logins altogether. The main takeaway is to match up a cookie with a cached file or database row on the server. When you do this, if there is something that requires extra security, like changing passwords, email, contact info, etc., it is good to verify passwords even when 'logged in'.
ASKER
Thanks Scott. I will revisit this. BTW, any idea why the "Remember Me" checkbox seems to be disabled? That is, I can't select it.
Make sure all the supporting javascript is getting loaded.
ASKER
I am having a hard time deciding just how to put this together. I thought I was ok until Scott suggested I go the route of using tokens, etc. If I have a traditional submit process for logging in, can someone provide a little pseudo-code as to just how the process works so that users do not need to log in each time? Thanks!
ASKER CERTIFIED SOLUTION
Bob, to add to what I said, instead of coding all these features on every page, or even one page that gets included in the rest, put each section in a function that you can call. Then place all the functions on a functions page that gets included. This way, when you need to log somebody out, you can pass data to a function like logout("token", "6742756d454e16ff346aedccc6209abb758a9f7fffe1b766e1d9e0514d56aab4") or logout("username", "scott") from anywhere on your page.
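Scott's answer above describes the scheme (a server-side row matched against a cookie, with the password re-checked for sensitive changes), and his comment here suggests wrapping each step in a function such as logout("token", ...) or logout("username", ...). The following is an added example written for this page; it is not code from the thread or from Scott's article. It is in Python rather than classic ASP so the logic can be run and checked as-is. The in-memory USERS and TOKEN_DB dictionaries stand in for database tables, the account "bob" and its password are constructed sample data, and the selector/validator split, hashing the validator before storage, and revoking a row on a bad validator are design choices added here that the thread does not specify.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

REMEMBER_DAYS = 180  # the six-month lifetime asked about in the question

# Constructed in-memory stand-ins for the two database tables the scheme needs.
USERS = {}     # user_name -> (salt, pbkdf2 hash); no plaintext password is kept
TOKEN_DB = {}  # selector -> {"user", "validator_hash", "expires"}; one row per remember-me cookie


def _now():
    return datetime.now(timezone.utc)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(user_name, password):
    salt = secrets.token_bytes(16)
    USERS[user_name] = (salt, _hash_password(password, salt))


def password_login(user_name, password):
    """The ordinary form submit: True only if the password matches the stored hash."""
    entry = USERS.get(user_name)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash_password(password, salt), stored)


def issue_remember_token(user_name, now=None):
    """After a successful password_login with 'remember me' ticked.
    Returns the cookie value "selector:validator"; the server stores only a hash
    of the validator, so a copy of the table does not yield usable cookies."""
    now = now or _now()
    selector = secrets.token_hex(8)    # public half, used to find the row
    validator = secrets.token_hex(32)  # secret half, lives only in the cookie
    TOKEN_DB[selector] = {
        "user": user_name,
        "validator_hash": hashlib.sha256(validator.encode()).digest(),
        "expires": now + timedelta(days=REMEMBER_DAYS),
    }
    return selector + ":" + validator


def token_expires_at(cookie_value):
    """Expiry recorded for a cookie's row, or None if there is no such row."""
    row = TOKEN_DB.get(cookie_value.split(":", 1)[0])
    return row["expires"] if row else None


def user_from_cookie(cookie_value, now=None):
    """Run at the top of every page in place of reading user_name/password cookies.
    Returns the user name when the cookie matches a live row, otherwise None."""
    now = now or _now()
    if not cookie_value or ":" not in cookie_value:
        return None
    selector, validator = cookie_value.split(":", 1)
    row = TOKEN_DB.get(selector)
    if row is None:
        return None
    if now >= row["expires"]:
        del TOKEN_DB[selector]  # expired rows are dropped, never honoured
        return None
    presented = hashlib.sha256(validator.encode()).digest()
    if not hmac.compare_digest(presented, row["validator_hash"]):
        # Right selector, wrong secret: tampered or guessed cookie. Revoke the row
        # so a leaked selector cannot be brute-forced against it later.
        del TOKEN_DB[selector]
        return None
    return row["user"]


def logout(by, value):
    """logout("token", cookie) removes that one remembered session;
    logout("username", name) removes every remembered session for the user.
    Returns the number of rows removed."""
    if by == "token":
        return 0 if TOKEN_DB.pop(value.split(":", 1)[0], None) is None else 1
    if by == "username":
        doomed = [sel for sel, row in TOKEN_DB.items() if row["user"] == value]
        for sel in doomed:
            del TOKEN_DB[sel]
        return len(doomed)
    raise ValueError("logout key must be 'token' or 'username'")


def change_password(cookie_value, current_password, new_password):
    """A sensitive action: being 'logged in' by cookie is not enough. Re-verify the
    current password, then revoke all remember-me rows so old cookies stop working."""
    user = user_from_cookie(cookie_value)
    if user is None or not password_login(user, current_password):
        return False
    create_user(user, new_password)  # re-salt and re-hash
    logout("username", user)
    return True


create_user("bob", "correct horse battery staple")  # constructed sample account
```

Mapping this onto the ASP page: on form submit, run the password check and, only when the checkbox is ticked, write the single value returned by issue_remember_token to one cookie with Expires set to Date + 180; at the top of every page, read that one cookie and resolve it to a user, and never read a username or password back from a cookie. One caveat from classic ASP's Response.Cookies collection: it exposes Expires, Path, Domain and Secure, but to my knowledge has no HttpOnly property, so if you want that flag you have to emit the Set-Cookie header yourself with Response.AddHeader; confirm that against your IIS version.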
ASKER
Thanks so much everyone. Still haven't had a chance to implement it yet but hopefully very soon...
Are you having problems with your code?