Help - Secure page by remembering user?


Guest

Please help.

After a number of wrong turns and experiments I need advice on login
management system to secure our web pages without inconveniencing our
visitors or our internal staff.

What I need:

A system whereby the user only has to register ONCE and he will have
automatic entry to ANY page without having to RE-LOGIN even if he comes in
two weeks later or comes directly to that page via an email link.

This scenario seems built on the Amazon model of the 'gold box' which
automatically remembers you through cookies.

If the user does not have cookies he has to re-login.

Can anyone help me identify a 3rd party product that does this or a route to
achieve this in my code....

Many thanks
Jason
 

Bob Lehmann

You would just have to use cookies to remember them.

Keep in mind though, that anyone who uses that computer will have access to
the pages also.

Bob Lehmann
 

Steven Burn

As has been mentioned already, you'd most likely need to use cookies for
this.

However, what you are wanting to do is not recommended as it would be a huge
security risk (partially due to the fact, as Bob mentioned, everyone that
used the user's computer would have access to the pages as well).

Out of interest, why not just have them login each time they want to access
the secure area? (the pages that you want protected could easily check to
make sure they are permitted (either via a session ID, or a cookie) and if
permitted, allow them access... if not, direct them to the login page)

--

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
 

Guest

Thanks, yip, I guessed cookies were the answer....but what about these curve
balls:

1. Cookies off....will the user then be presented with login screen...I am
only interested in email - not password.

2. Where does one exactly establish the cookies in the script...is this the
same as using Session Variables? But I thought
session variables were time-specific ie they only lasted by default for 20
minutes for a user.....

3. I remember testing cookies a while back in my code and I found it
frustrating that I had to delete cookies off internet options
whenever I changed some code....is there a better way to test the
applications, without cookies becoming a liability during the testing
process?

Really appreciate advice...

- Jason
 

Guest

Hi Steven - many thanks for response....

This is the crux of the problem/challenge:

1. I do not need the pages to be password protected...only USERname or email
address protected....

2. It is not critically important to have a 'heavy' layer of protection over
the pages...we are only concerned with making sure we get some initial
personal data before the user views any pages and then allow him unrestricted access
across the site.

3. I am not sure if cookies will mess up eg Aol users who all use the same
IP...probably a stupid question as a cookie records a user browser ID right.
nothing to do with IP?

4. Our internal yacht brokers would have a spasm if customers had to log in
to each page after they sent them a web link...they want easy access for
users....

5. Although I am concerned with two users using the same machine....I
think this is an acceptable risk....

Could you offer any more pointers or advice relating to the above...

Many thanks
Jason
 

Guest

ps: Maybe I misinterpreted your suggestion.

Scenario

Secure Page with a script that checks to see if a session or cookie is
present for that user.....

Yes - send him directly to page without logging in
No - send him to Username login screen (ie Prompt for email only)

Correct?

But what about:

1. Expiry date of session variables - easy to change, like cookies?
2. If one uses cookies or session variables are you not essentially
compromising security if two users are using the same machine as mentioned
in previous posts?
3. Which is better, sessions or cookies? One is client side and one is server
side.....I see this suggested client side solution....

http://www.com-it.net.au/tutorials/jstut/JavaScript/cookie5.htm

- Jason
 

Steven Burn

The only way I know of that you could do what you are wanting is via
cookies, and to answer one of the questions you put to Bob (Q1), if the user
has cookies disabled..... they're not going to be able to login, period.
Thus you'd need to ensure your visitors had them enabled.

--

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
 

Steven Burn

Inline.......

ps: Maybe I misinterpreted your suggestion.

Scenario

Secure Page with a script that checks to see if a session or cookie is
present for that user.....

Yes - send him directly to page without logging in
No - send him to Username login screen (ie Prompt for email only)

Correct?
</snip>

Yes

But what about:

1. Expiry date of session variables - easy to change, like cookies?
</snip>

Session timeouts can be controlled either directly from the server, or in
the page(s) that uses them, so you're not lumbered with the default 20 mins or
whatever.

2. If one uses cookies or session variables are you not essentially
compromising security if two users are using the same machine as mentioned
in previous posts?
<snip>

Not if you assign them based on session IDs

Place the following into a .asp file and open the page in 2 browser windows.
You'll notice they have different session IDs

<%
Response.Write Session.SessionID
%>

3. Which is better, sessions or cookies? One is client side and one is server
side.....I see this suggested client side solution....
<snip>

I personally hate using cookies, so tend to stick with sessions......
(though even sessions require cookies be enabled)

--

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
 

Guest

But could you not redirect them to the login page if cookies were disabled
and default to basic login via ASP, checking the user name against the
database?
 

Steven Burn

Inline ......

Thanks, yip, I guessed cookies were the answer....but what about these curve
balls:

1. Cookies off....will the user then be presented with login screen...I am
only interested in email - not password.
<snip>

If cookies are disabled, they'll not be able to login.... period.

2. Where does one exactly establish the cookies in the script...is this the
same as using Session Variables?
</snip>

Beginning of your page......

But I thought session variables were time-specific ie they only lasted by default for 20
minutes for a user.....
<snip>

You can change this in either;

1. The server settings
2. The page(s) that uses them


3. I remember testing cookies a while back in my code and I found it
frustrating that I had to delete cookies off internet options
whenever I changed some code....is there a better way to test the
applications, without cookies becoming a liability during the testing
process?

I personally detest cookies as they're a royal pain in the backside but to
answer your question.... No.

--

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
 

Steven Burn

The problem you're going to have there is..... if they've got cookies
disabled, they're going to be going in a continuous loop

What you may want to do is use cookies, have them login if the cookie
doesn't exist and assign it a silly expiry date (such as 2204 so it's valid
for the next 200 years), then when you're checking for the existence of the
cookie, grab the username from it, and use an auto-submit login page to
prevent them logging in.

i.e.

1. Check for cookie

1a. if doesn't exist, go to 2
1b. If exist, go to 3

2. Redirect to login page, have them login and save a cookie for them
(remembering to set the expiry date some silly time in the future)

3. Grab username/e-mail whatever, from the cookie and response.transfer to
login.asp?user=<the username>

No idea if that would work mind you, but might want to consider it as
at least then, it would save them constantly logging in

--

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
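The three steps above (check for the cookie, otherwise log in and set a cookie with a far-future expiry, then take the identity from the cookie) written out as a small Python sketch. This is an added example, not code from the thread or from Steven: the page names (login.asp, secure.asp?chk=1), the cookie name "Prospect" and the secret key are assumptions. It adds one thing the thread's approach lacks: the cookie value is HMAC-signed, so a visitor who edits the cookie to hold someone else's e-mail is sent back to the login page instead of being logged in as that person. It also covers the redirect loop Steven warns about when cookies are disabled.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Assumptions (constructed for this example): a server-side secret that never leaves the
# server, and page names that follow the thread's login.asp / secure-page naming.
SECRET_KEY = b"constructed-demo-secret-replace-me"
COOKIE_NAME = "Prospect"
LOGIN_URL = "login.asp"
CHECK_URL = "secure.asp?chk=1"
TWO_HUNDRED_YEARS = 200 * 365 * 24 * 3600   # the "silly expiry date" from the post


def _mac(payload: bytes) -> bytes:
    """HMAC-SHA256 over the cookie payload; only the server can produce it."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_token(email: str, now: int, max_age: int = TWO_HUNDRED_YEARS) -> str:
    """Cookie value 'base64(email|expiry).base64(mac)': the identity plus proof it was issued here."""
    payload = f"{email}|{now + max_age}".encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_mac(payload)).decode())


def read_token(token: str, now: int):
    """Return the e-mail carried by a valid token, or None if it is missing, malformed,
    forged (MAC mismatch) or past its expiry."""
    if not token or "." not in token:
        return None
    payload_b64, mac_b64 = token.split(".", 1)
    try:
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (binascii.Error, ValueError):
        return None
    if not hmac.compare_digest(mac, _mac(payload)):   # constant-time comparison
        return None
    email, sep, expiry = payload.decode("utf-8", "replace").rpartition("|")
    if not sep or not expiry.isdigit() or int(expiry) <= now:
        return None
    return email


def login(email: str, now: int) -> dict:
    """Step 2: after the e-mail-only login, set the long-lived cookie and bounce back to
    the secure page with a marker so the page can tell the cookie was just issued."""
    return {
        "set_cookie": (f"{COOKIE_NAME}={make_token(email, now)}; Max-Age={TWO_HUNDRED_YEARS}; "
                       "Path=/; Secure; HttpOnly; SameSite=Lax"),
        "redirect": CHECK_URL,
    }


def secure_page(cookies: dict, query: dict, now: int) -> dict:
    """Steps 1 and 3: serve the page when the cookie checks out, otherwise send the
    visitor to the login page, but never into an endless redirect loop."""
    email = read_token(cookies.get(COOKIE_NAME, ""), now)
    if email is not None:
        return {"action": "serve", "user": email}        # step 3: identity comes from the cookie
    if query.get("chk") == "1":
        # We were just sent here by login.asp and the cookie still did not arrive:
        # the browser is not storing cookies, so stop rather than redirect again.
        return {"action": "error", "reason": "cookies are required to use this site"}
    return {"action": "redirect", "to": LOGIN_URL}       # step 1a


def cookie_value(set_cookie_header: str) -> str:
    """Pull the value out of a Set-Cookie header (what the browser would send back)."""
    return set_cookie_header.split(";", 1)[0].split("=", 1)[1]


if __name__ == "__main__":
    now = int(time.time())
    print(secure_page({}, {}, now))                                  # first visit -> redirect
    issued = login("jason@example.com", now)                         # constructed address
    tok = cookie_value(issued["set_cookie"])
    two_weeks_later = now + 14 * 24 * 3600
    print(secure_page({COOKIE_NAME: tok}, {}, two_weeks_later))      # served, no re-login
    print(secure_page({}, {"chk": "1"}, now))                        # cookies off -> error, no loop
    tampered = (base64.urlsafe_b64encode(b"someone-else@example.com|9999999999").decode()
                + "." + tok.split(".", 1)[1])
    print(secure_page({COOKIE_NAME: tampered}, {}, now))             # edited value -> back to login
```

The cookie still only identifies the visitor by e-mail, exactly as Jason wants (no password), and still survives two weeks or two hundred years; the signature simply stops the value from being changed on the client side. The shared-computer risk Bob and Steven raised remains: anyone using that browser profile is that user until the cookie is cleared.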
 

Guest

Thanks, what if the user leaves the site without physically logging
out...does one need to somehow abandon the session...or is this
automatically achieved on exit?

Finally, does one need to compartmentalize any of the session initializing in
the global.asa or is better to do this on the secured page itself?
 

Phillip Windell

Session Cookies can be used. They are separate and distinct from the others
and they are not "turned off" when the others are turned off. They also do
not pose the same security risk because they are not written to the drive
and are only stored in memory. They are tied to the SessionID and cannot be
used apart from the Session they belong to even if both the server and the
site are still that same server and site.
 

Guest

I thought if cookies were turned off it meant 'Session cookies' are also
turned off?

- Jason
 

Phillip Windell

No. They are a separate entity altogether.

If you go into the Privacy settings of IE and click the Advanced Button you
will see that Session Cookies are listed separately at the bottom and can be
set to allow them even if all the others are denied.
 

Phillip Windell

....in addition,...sometimes when you read about them in some materials they
are called "Temporary Cookies" as opposed to Cookies that are written to the
HD which are considered "permanent". They are kept in the browser's
memory space so if you close the browser they die,..then if you re-open the
browser and go back to the same site it starts a new Session because it can
no longer find the Session Cookie in memory.

A new Session is still created even if Session Cookies aren't "allowed" by
the user,...it is just that it creates a new Session for every page they go
to because there is no Session Cookie, so it keeps starting a new Session.
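The session-versus-permanent distinction Phillip describes, shown with Python's http.cookiejar, which applies the same rule a browser does: a Set-Cookie with no Expires or Max-Age is kept in memory only (the jar marks it discard=True) and is thrown away when the "browser" closes, while one with Max-Age is kept. This is an added example, not from the thread; the site URL and both cookie headers (a classic-ASP-style session cookie with a constructed name, and a two-year "Prospect" cookie) are constructed.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

SITE = "https://www.example.com/secure.asp"   # constructed URL for the simulated site


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info() to return
    the response headers with a get_all() method, which email.message.Message provides."""
    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header   # Message keeps duplicate headers

    def info(self):
        return self._headers


def new_browser() -> CookieJar:
    """A fresh browser profile: an empty cookie jar."""
    return CookieJar()


def receive(jar: CookieJar, set_cookie_headers) -> CookieJar:
    """The 'browser' processes the Set-Cookie headers of a response from SITE."""
    jar.extract_cookies(_Response(set_cookie_headers), Request(SITE))
    return jar


def cookie_summary(jar: CookieJar) -> dict:
    """{name: 'session' | 'persistent'}: a cookie with no Expires/Max-Age is flagged
    discard=True by the jar, i.e. it is memory-only and dies with the browser."""
    return {c.name: ("session" if c.discard else "persistent") for c in jar}


def cookie_header_for_next_request(jar: CookieJar) -> str:
    """What the browser would put in the Cookie: header of its next request to SITE."""
    req = Request(SITE)
    jar.add_cookie_header(req)
    return req.get_header("Cookie") or ""


def close_and_reopen_browser(jar: CookieJar) -> CookieJar:
    """Closing the browser drops every session cookie; persistent ones survive."""
    jar.clear_session_cookies()
    return jar


if __name__ == "__main__":
    jar = new_browser()
    receive(jar, [
        # constructed: a classic ASP session cookie has no expiry, so it is a session cookie
        "ASPSESSIONIDCONSTRUCTED=ABCDEF; Path=/; HttpOnly",
        # constructed: the remembered-user cookie, kept for two years
        "Prospect=u_id%3D42; Max-Age=63072000; Path=/; Secure",
    ])
    print(cookie_summary(jar))                  # both present, classified differently
    print(cookie_header_for_next_request(jar))  # both sent on the next request
    close_and_reopen_browser(jar)
    print(cookie_summary(jar))                  # only Prospect left: the server starts a new Session
    print(cookie_header_for_next_request(jar))
```

After the simulated restart only the persistent cookie is sent, which is why the server sees a new Session (no session cookie arrives) but still knows who the visitor is. It is also the flip side of the shared-machine point made earlier in the thread: the persistent cookie outlives the browser, so it identifies whoever next opens that browser profile.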
 

Guest

Got it...I have just spent the last 3 days cutting my teeth on tmp cookies
and permanent cookies. I followed Aaron's advice and used Browser Hawk...

I am testing for the following condition: Permanent and Session Cookies must
be enabled...otherwise the user must log in every time to see the page.

I think this is a worthwhile sacrifice....here is the Bh starter code for
those interested which incorporates my cookie checks and database inserts
etc:


<%
' Assumes: BrowserHawk (cyScape.browserObj) is installed on the server, the ADO
' constants (adInteger, adVarChar, adParamInput) are included via adovbs.inc, and
' GetConnection(), GetStoredProcedure() and escapeString() are helper routines
' defined elsewhere in the application (they are not shown in this post).
Set bh = Server.CreateObject("cyScape.browserObj")
checkType = 3

If checkType = 3 Then
    bh.SetExtProperties "cookie_both,referrer"
ElseIf checkType = 2 Then
    bh.SetExtProperties "cookie_sess"
ElseIf checkType = 1 Then
    bh.SetExtProperties "cookie_perm"
Else
    Response.Write "<html>bad checkType specified</html>"
    Response.End
End If
bh.GetExtPropertiesEx

'--------------------------------------------
'COOKIES= DISABLED/TURNED OFF
'---------------------------------------------

'//Response.End
Response.Write bh.cookies
Response.Write "<br>"
If Not bh.cookies Then %>
<p><ul><b>Your browser does not support cookies.</b></ul>
<%
    '//FromURL = bh.Referrer
    Response.Redirect "login.asp?CookieChk=Unsupported" '// & "&FromURL=" & Server.URLEncode(FromURL)
Else

    '---------------------------------------------
    'COOKIES= TRUE or Logged in WITHOUT cookies = TRUE
    '---------------------------------------------
    ' Compare strings against "" explicitly: "Or" applied to two strings is a
    ' Type mismatch in VBScript.
    If bh.cookiesEnabled Or Request("vID") <> "" Then '//cookies enabled, or back from the no-cookie login with vID

        u_CurrentURL = Request.ServerVariables("URL")
        If u_CurrentURL = "" Then u_CurrentURL = "unknown"
        u_VisitorIP = Request.ServerVariables("REMOTE_ADDR")
        If u_VisitorIP = "" Then u_VisitorIP = "unknown"
        u_Referer = Request.ServerVariables("HTTP_REFERER")
        If u_Referer = "" Then u_Referer = "unknown"
        u_Browser = Request.ServerVariables("HTTP_USER_AGENT")
        If u_Browser = "" Then u_Browser = "unknown"

        '---------------------------------------------
        'Check if Cookie there....
        '---------------------------------------------
        If Request.Cookies("Prospect")("u_id") <> "" Or Request("vID") <> "" Then
            u_id = Request.Cookies("Prospect")("u_id")
            u_FromURL = bh.Referrer
            If u_FromURL = "" Then
                u_FromURL = Request.ServerVariables("REMOTE_HOST")
                If u_FromURL = "" Then u_FromURL = "Unknown"
            End If

            '//Response.End
            u_CurrentURL = Request.ServerVariables("URL")
            Dim oCmd, oReturn, oConn, oRS
            Set oConn = GetConnection()
            '//Set oCmd = GetStoredProcedure(oConn, "sp_adduser1")

            If Request("vID") <> "" Then
                CookieBln = 0
                '//retrieve user database details as cookies not present
                u_id = Request("vID")
                u_FromURL = Request("u_FromURL")
                u_CurrentURL = Request.ServerVariables("URL")

                Set oCmd = GetStoredProcedure(oConn, "sp_GetUser")
                oCmd.Parameters.Append oCmd.CreateParameter("u_id", adInteger, adParamInput, 10, u_id)
                Set oRS = oCmd.Execute

                If oRS.EOF Then
                    Response.Write "You do not appear to be in our database"
                Else
                    u_name = escapeString(oRS.Fields("u_name"))
                    Response.Write Server.HTMLEncode(u_name)
                    '//Response.End
                End If
            Else
                CookieBln = 1
                u_id = Request.Cookies("Prospect")("u_id")
                u_name = Request.Cookies("Prospect")("u_name")
                '//u_VisitorIP = Request.Cookies("Prospect")("VisitorIP")
            End If

            ' Debug output. Everything below came from the client (cookie, query string,
            ' referrer), so it is HTMLEncoded before being echoed back into the page.
            ' Note: ExpDate is never assigned in this script, so it prints empty.
            Response.Write "<p>CookieBln= " & CookieBln & "<p>"
            Response.Write "u_FromURL: " & Server.HTMLEncode(u_FromURL) & "<br>"
            Response.Write "u_CurrentURL: " & Server.HTMLEncode(u_CurrentURL) & "<BR>"
            Response.Write "Prospect expiry date: " & ExpDate & "<br>"
            Response.Write "Prospect ID: " & Server.HTMLEncode(u_id) & "<br>"
            Response.Write "Prospect USERNAME: " & Server.HTMLEncode(u_name) & "<br>"
            Response.Write "Prospect VisitorIP: " & Server.HTMLEncode(u_VisitorIP) & "<br>"

            '//Response.End
            '//INSERT INTO USERPATH
            Set oCmd = GetStoredProcedure(oConn, "spr_addUserPath")
            oCmd.Parameters.Append oCmd.CreateParameter("u_id", adInteger, adParamInput, 4, u_id)
            oCmd.Parameters.Append oCmd.CreateParameter("u_name", adVarChar, adParamInput, 70, u_name)
            oCmd.Parameters.Append oCmd.CreateParameter("UserIP", adVarChar, adParamInput, 20, u_VisitorIP)
            oCmd.Parameters.Append oCmd.CreateParameter("URLFrom", adVarChar, adParamInput, 100, u_FromURL)
            oCmd.Parameters.Append oCmd.CreateParameter("URLCurrent", adVarChar, adParamInput, 100, u_CurrentURL)
            oCmd.Parameters.Append oCmd.CreateParameter("u_browser", adVarChar, adParamInput, 100, u_Browser)
            oCmd.Parameters.Append oCmd.CreateParameter("u_Cookies", adInteger, adParamInput, 4, CookieBln)
            '//oCmd.Parameters.Append oCmd.CreateParameter("u_OS", adVarChar, adParamInput, 100, u_OS)
            '//Set oReturn = oCmd.CreateParameter("u_id", adInteger, adParamOutput)
            '//oCmd.Parameters.Append oReturn
            oCmd.Execute
        Else
            '---------------------------------------------
            '..COOKIE EMPTY
            '---------------------------------------------
            Response.Write "<br><br>CookieID should not be present..<br>"

            u_FromURL = bh.Referrer
            u_CurrentURL = Request.ServerVariables("URL")
            Response.Write Server.HTMLEncode(u_CurrentURL)
            'Response.End
            'If u_FromURL = "" Then u_FromURL = "Unknown"
            'Response.Write u_FromURL
            'Response.End
            ' URLEncode the values placed in the query string so a referrer containing
            ' "&" or "=" cannot break up (or add parameters to) the redirect.
            Response.Redirect "logon.asp?CookieChk=Deleted&u_FromURL=" & Server.URLEncode(u_FromURL) _
                & "&u_CurrentURL=" & Server.URLEncode(u_CurrentURL)
        End If
    Else
        '---------------------------------------------
        'SUPPORTS COOKIES BUT Disabled
        '---------------------------------------------
        u_FromURL = bh.Referrer
        If u_FromURL = "" Then
            u_FromURL = Request.ServerVariables("REMOTE_HOST")
            If u_FromURL = "" Then u_FromURL = "Unknown"
        End If
        If u_CurrentURL = "" Then
            u_CurrentURL = Request.ServerVariables("URL")
            If u_CurrentURL = "" Then u_CurrentURL = "Unknown"
        End If
        'Response.Write u_FromURL
        'Response.Write "<b>Cookies disabled<br>"
        '//Response.Write "logon.asp?CookieChk=Disabled&FromURL=" & u_FromURL
        Response.Redirect "logon.asp?CookieChk=Disabled&u_FromURL=" & Server.URLEncode(u_FromURL) _
            & "&u_CurrentURL=" & Server.URLEncode(u_CurrentURL)
        '//Response.End
    End If
End If
%>



Phillip Windell said:
...in addition,...sometimes when you read about them in some materials they
are called "Temporary Cookies" as opposed to Cookies that are written to the
HD which are considered "permanent". They are kept in the browser's
memory space so if you close the browser they die,..then if you re-open the
browser and go back to the same site it starts a new Session because it can
no longer find the Session Cookie in memory.

A new Session is still created even if Session Cookies aren't "allowed" by
the user,...it is just that it creates a new Session for every page they go
to because there is no Session Cookie, so it keeps starting a new Session.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


I thought if cookies were turned off it meant 'Session cookies' are also
turned off?

- Jason