Placement of Cookies in ASP Page

Bob Schneider
Last Modified: 2019-11-24
Thanks to help from this site I am ready to add "Remember Me" functionality to http://www.gtraxc.com/login.asp.  I believe I know how to set and retrieve cookies.  I also know not to use cookies to populate user name and password fields.  I just need some assistance putting this together on a classic ASP page.  Here are my assumptions and questions.  Please correct as necessary, and thank you in advance!

1) I assume that I collect the cookies if "Remember Me" is selected from the form submission using the following process:

    ' Runs after the login form has been posted and the credentials checked.
    ' Both values are written to the browser in clear text.
    If Request.Form.Item("remember-me") = "on" Then
        Response.Cookies("user_name") = sUserName
        Response.Cookies("password") = sPassword
        ' A cookie with no Expires date lasts only for the browser session,
        ' so both cookies need one if "Remember Me" is to survive a restart.
        Response.Cookies("user_name").Expires = #March 1, 2020#
        Response.Cookies("password").Expires = #March 1, 2020#
    End If


2) I assume I could have the expiry be Date + 180 since it seems like it's a good practice to keep them for 6 months?

3) I know that when I check for cookies, if I find that they exist and have not expired I use that to log the user in and redirect them to the necessary page.  I assume that I do that at the very beginning of the ASP code using code something like:

    ' At the top of the page, before any HTML is sent, read the remembered values back.
    ' Request.Cookies returns an empty string when the cookie is absent or has expired.
    sUserName = Request.Cookies("user_name")
    sPassword = Request.Cookies("password")
    ' Check for existence in the db and, if found, Response.Redirect to the appropriate page


Paul MacDonald, Director, Information Systems

Commented:
This looks correct.

Are you having problems with your code?
Bob Schneider, Co-Owner (Author)

Commented:
No, just checking before I implement.  I will give it a go and see how it does.  Thanks!
Scott Fell, Developer & EE Moderator

Commented:
Bob, you are storing a username and password in clear text here.  This is not how it is done and is a security risk for your users. Your "Remember Me" can either just store the username or a logged-in session.

If you want to allow users to log in once and not have to log in again, you will store a session/token on your server or database as well as a cookie.  When the user hits your page, check for the token/cookie and match that up to a cached session.

I have this detailed in my article https://www.experts-exchange.com/articles/18259/Classic-ASP-Login-System-Utilizing-a-Token.html

This may have you rethink how you handle logins altogether. The main takeaway is to match up a cookie with a cached file or database row on the server.  When you do this, if there is something that requires extra security like changing passwords, email, contact info etc., it is good to verify passwords even when 'logged in'.
Bob Schneider, Co-Owner (Author)

Commented:
Thanks Scott.  I will revisit this.  BTW, any idea why the "Remember Me" checkbox seems to be disabled?  That is, I can't select it.
Scott Fell, Developer & EE Moderator

Commented:
Make sure all the supporting javascript is getting loaded.
Bob Schneider, Co-Owner (Author)

Commented:
I am having a hard time deciding just how to put this together.  I thought I was ok until Scott suggested I go the route of using tokens, etc.  If I have a traditional submit process for logging in, can someone provide a little pseudo-code as to just how the process works so that users do not need to log in each time?  Thanks!
Scott Fell, Developer & EE Moderator

Commented:
Bob, I have a lot of code in my article.

In ultra simple terms, you are going to drop a cookie to the user. That cookie can be a hash of say the username & timestamp & secret_code & something_random.

In your database, you will have a table that journals active logins.  Fields perhaps for row_id, username, token, date_logged_in, date_expires, date_logged_out, where the default for date_logged_in is set to getdate() and date_logged_out is null.

When a user logs in, they present their username and password as usual. Your code does a look up and verifies the combo is correct. If it is, then you generate your token (6742756d454e16ff346aedccc6209abb758a9f7fffe1b766e1d9e0514d56aab4).  

Next, add a new row to the database with the username, token and the date_expires.  You don't have to add the date_logged_in because that will default to getdate().  date_expires can be whatever you want to default it to, 1 day after log in, 1 month, 1 year etc.  

Before adding the row, look to see if the token is already being used. If it is, set the date_logged_out to the current timestamp, then add the new row.

Finally, drop the token as a cookie to the user.

On your protected pages, read the cookie containing the token.  Look up the token in your active log in table.  Check to see if the current date is within the date_expires AND date_logged_out is NULL to allow them access. If the current date is after the date_expires then set the date logged out to the current timestamp and force a log in.

If somebody does a password reset, make sure to log out their token.

You may want to run a nightly script to delete expired tokens from the database or just expired for more than x days to keep the db table small.

If security is something you want to track, I have added another table that tracks logins. For each page loaded, track the username, token used, ip, and page. That may be overkill for many projects but if money is involved or tracking what employees are doing on the site, it can come in handy.
Scott Fell, Developer & EE Moderator

Commented:
Bob, to add to what I said, instead of coding all these features on every page, or even one page that gets included in the rest, put each section in a function that you can call. Then place all the functions on a functions page that gets included. This way, when you need to log somebody out, you can pass data to a function like, logout("token", "6742756d454e16ff346aedccc6209abb758a9f7fffe1b766e1d9e0514d56aab4") or logout("username","scott") from anywhere on your page.
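The token scheme Scott lays out across his two comments above (journal table of active logins, random token in the cookie, lookup on every protected page, expiry, logout on password reset, nightly purge, and a logout(field, value) helper), written out as an added, runnable example. This is not code from the thread, from Scott's article or from gtraxc.com: it is in Python with SQLite standing in for the site's database and the cookie built as a raw Set-Cookie header, so the logic can be run and read without a web server and then translated to classic ASP and ADO. The table name active_logins, the cookie name remember_token and the function names are assumptions. It also goes one step beyond the thread: only a SHA-256 hash of the token is stored server-side, so a copied table cannot be replayed as a login.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

TOKEN_BYTES = 32   # 32 random bytes -> 64 hex chars, the length of the example token above

def _hash_token(token):
    # Only this digest is stored; the raw token exists in the cookie alone.
    return hashlib.sha256(token.encode("ascii")).hexdigest()

def open_db(path=":memory:"):
    """Journal of active logins: one row per issued token (assumed table name)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS active_logins ("
               " row_id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL,"
               " token_hash TEXT NOT NULL, date_logged_in TEXT NOT NULL,"
               " date_expires TEXT NOT NULL, date_logged_out TEXT)")
    return db

def issue_token(db, username, now=None, lifetime_days=180):
    """Call only after username and password have been verified.  Returns the raw
    token for the cookie; the database keeps its hash."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_hex(TOKEN_BYTES)   # CSPRNG output, not derived from guessable fields
    token_hash = _hash_token(token)
    # If the token is somehow already in use, log that row out first, then add the new row.
    db.execute("UPDATE active_logins SET date_logged_out = ? WHERE token_hash = ? AND date_logged_out IS NULL",
               (now.isoformat(), token_hash))
    db.execute("INSERT INTO active_logins (username, token_hash, date_logged_in, date_expires) VALUES (?, ?, ?, ?)",
               (username, token_hash, now.isoformat(), (now + timedelta(days=lifetime_days)).isoformat()))
    db.commit()
    return token

def set_cookie_header(token, expires):
    """Set-Cookie value: HttpOnly keeps page scripts away from the token; add
    '; Secure' once the site is served over HTTPS."""
    return "remember_token=%s; Expires=%s; Path=/; HttpOnly; SameSite=Lax" % (
        token, expires.strftime("%a, %d %b %Y %H:%M:%S GMT"))

def lookup_token(db, token, now=None):
    """On each protected page: cookie -> username, or None.  An expired row is
    logged out so it cannot be revived later."""
    now = now or datetime.now(timezone.utc)
    row = db.execute("SELECT row_id, username, date_expires FROM active_logins "
                     "WHERE token_hash = ? AND date_logged_out IS NULL", (_hash_token(token),)).fetchone()
    if row is None:
        return None
    row_id, username, date_expires = row
    if now >= datetime.fromisoformat(date_expires):
        db.execute("UPDATE active_logins SET date_logged_out = ? WHERE row_id = ?", (now.isoformat(), row_id))
        db.commit()
        return None
    return username

# Fixed statements chosen by key, so the field name never becomes part of the SQL text.
_LOGOUT_SQL = {
    "token": "UPDATE active_logins SET date_logged_out = ? WHERE token_hash = ? AND date_logged_out IS NULL",
    "username": "UPDATE active_logins SET date_logged_out = ? WHERE username = ? AND date_logged_out IS NULL",
}

def logout(db, field, value, now=None):
    """logout('token', tok) ends one browser's login; logout('username', 'bob')
    ends all of them, which is what a password reset needs.  Returns rows closed."""
    now = now or datetime.now(timezone.utc)
    arg = _hash_token(value) if field == "token" else value
    cur = db.execute(_LOGOUT_SQL[field], (now.isoformat(), arg))
    db.commit()
    return cur.rowcount

def purge_expired(db, now=None, keep_days=30):
    """Nightly housekeeping: delete rows that expired more than keep_days ago."""
    now = now or datetime.now(timezone.utc)
    cur = db.execute("DELETE FROM active_logins WHERE date_expires < ?",
                     ((now - timedelta(days=keep_days)).isoformat(),))
    db.commit()
    return cur.rowcount

def demo():
    """Login, protected page, expiry, then a password reset, on a fixed clock."""
    db = open_db()
    t0 = datetime(2019, 11, 24, 12, 0, tzinfo=timezone.utc)
    token = issue_token(db, "bob", t0)                          # credentials already checked
    header = set_cookie_header(token, t0 + timedelta(days=180))
    ok = lookup_token(db, token, t0 + timedelta(days=1))         # "bob"
    expired = lookup_token(db, token, t0 + timedelta(days=181))  # None: row logged out
    again = lookup_token(db, token, t0 + timedelta(days=1))      # None: stays logged out
    issue_token(db, "bob", t0)                                  # two more browsers
    issue_token(db, "bob", t0)
    closed = logout(db, "username", "bob", t0 + timedelta(hours=1))  # 2
    purged = purge_expired(db, t0 + timedelta(days=300))        # 3
    return ok, expired, again, closed, purged, header

if __name__ == "__main__":
    print(demo())
```

The points worth carrying over to the ASP version are the ones the thread's clear-text cookie lacks: the cookie holds a random value that is useless without the server's table, an expired or logged-out row is never honoured again, and a password reset can invalidate every browser at once with a single logout("username", ...) call.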
Bob Schneider, Co-Owner (Author)

Commented:
Thanks so much everyone.  Still haven't had a chance to implement it yet but hopefully very soon...