Implementing a Simple Login State Mechanism  : Page 4

Enforcing authentication via an ASP page requires you to maintain login state.

Proceed with Caution
Use this technique with caution. A cookie is a very public piece of information. Not only can it be viewed on the machine (if you know where to look), it is also visible via the URL—not the one on the browser, but via URL sniffer programs and log analysis programs. I was shocked to find out that a Web log analysis program such as WebTrends could figure out the names and values of cookies by reading the log files. Placing sensitive information (like passwords) within cookies so users don't have to keep retyping them makes that information very public.

A way to temper this drawback is to make your cookie names and values as cryptic as possible. For example, instead of using a cookie called "LoginSuccessful" with a value of "True" to signify a successful login, call your cookie "A8De0Te987E" with a value of "d9d76eow987". The strings do not mean anything; I just typed randomly on my keyboard to get those values. You can use named constants to make your code easier to read and maintain. Instead of writing the two sections of code like this:
Section A:


' - In login.asp
' - Log in has been successful, place cookie now
Response.Cookies("LoginSuccessful") = "True"


Section B:


' - In other pages, check for the cookie
If Request.Cookies("LoginSuccessful") <>  "True" Then
	Response.Redirect "login.asp"
	' - or in Windows 2000, this is better code
	' - Server.Transfer "login.asp"
End if
...
... The rest of the page's code here
...

change it to this:

Section A:


' - In login.asp
' - Log in has been successful, place cookie now
Response.Cookies("A8De0Te987E") = "d9d76eow987"

Section B:


' - In other pages, check for the cookie
If Request.Cookies("A8De0Te987E") <>  "d9d76eow987" Then
	Response.Redirect "login.asp"
	' - or in Windows 2000, this is better code
	' - Server.Transfer "login.asp"
End if
...
... The rest of the page's code here
...

To help you maintain your code and make it easier to read, modify the new code above so that the constants live in one common include file and both sections refer to them.

In a common include file:


' - In some common include file; so it is visible to all pages
CONST LOGIN_SUCCESSFUL = "A8De0Te987E"
CONST LOGIN_SUCCESSFUL_TRUE = "d9d76eow987"

Section A:


' - In login.asp
' - Log in has been successful, place cookie now
Response.Cookies(LOGIN_SUCCESSFUL)= LOGIN_SUCCESSFUL_TRUE

Section B:



' - In other pages, check for the cookie
If Request.Cookies(LOGIN_SUCCESSFUL) <> LOGIN_SUCCESSFUL_TRUE Then
	Response.Redirect "login.asp"
	' - or in Windows 2000, this is better code
	' - Server.Transfer "login.asp"
End if
...
... The rest of the page's code here
...

You can also make the setting and the checking for the login state modular by placing them within subroutine calls. This allows them to be called from any page that requires them. And instead of maintaining several copies of the same code, you can make function calls and maintain code in a single location. Let's gather all the necessary code and place it in a new ASP page called "IncLoginStateMechanism.asp". This is how it will look:


<%
' - File: IncLoginStateMechanism.asp
' - In some common include file; so it is visible to all pages
CONST LOGIN_SUCCESSFUL = "A8De0Te987E"
CONST LOGIN_SUCCESSFUL_TRUE = "d9d76eow987"

Sub SetLoginStateSuccessful()
Response.Cookies(LOGIN_SUCCESSFUL)= LOGIN_SUCCESSFUL_TRUE
End Sub

Sub VerifyLogin()
If Request.Cookies(LOGIN_SUCCESSFUL) <> LOGIN_SUCCESSFUL_TRUE Then
	Response.Redirect "login.asp"
	' - or in Windows 2000, this is better code
	' - Server.Transfer "login.asp"
End if
End Sub
%>
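The "Proceed with Caution" section above is right that a cookie is public, and a cryptic but fixed value such as "d9d76eow987" is still the same value for every user and every session, so anyone who can read it can present it. The following is an added example, not code from this article: the same set/verify pair as the include file above, written in Python, with the cookie value carrying the user and issue time under an HMAC so it can be checked for authenticity and expiry rather than compared to a constant. The key, cookie name and 30-minute lifetime are assumed values.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret (assumption); keep it in server configuration,
# never in the cookie or the page source.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_NAME = "LoginState"          # the name no longer needs to be cryptic
TTL_SECONDS = 30 * 60               # assumed session lifetime


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def make_login_cookie(user_id: str, key: bytes = SERVER_KEY, now=None) -> str:
    """Counterpart of SetLoginStateSuccessful: value = b64(payload).b64(HMAC(payload))."""
    issued = int(time.time() if now is None else now)
    payload = f"{user_id}|{issued}".encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_login_cookie(value: str, key: bytes = SERVER_KEY, now=None):
    """Counterpart of VerifyLogin: return the user id if the cookie is authentic
    and unexpired, otherwise None (caller then redirects to login.asp)."""
    try:
        payload_b64, tag_b64 = value.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None                      # malformed or truncated value
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # edited payload or wrong key
    try:
        user_id, issued = payload.decode("utf-8").rsplit("|", 1)
        age = int(time.time() if now is None else now) - int(issued)
    except ValueError:
        return None
    if age > TTL_SECONDS:
        return None                      # expired: force a fresh login
    return user_id


def set_cookie_header(value: str) -> str:
    """Set-Cookie attributes that keep the value off plaintext links and out of scripts."""
    return f"{COOKIE_NAME}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

The Secure attribute addresses the article's sniffer concern by keeping the cookie off plaintext HTTP requests; the timestamp inside the signed payload bounds how long any copied value remains usable.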

All pages can then include the new IncLoginStateMechanism.asp page to be able to use its constants and subroutines. The login page, on authentication, calls the SetLoginStateSuccessful routine.


' - In login.asp
' - Log in has been successful, place cookie now
SetLoginStateSuccessful

All the other pages call the VerifyLogin routine


' - In PageA.asp
' - Verify that Log in has been successful
VerifyLogin
...
... The rest of the page's code here
...

I assume you know how to include the common file within the other pages. You use the <!-- #include file="" --> directive:


<!-- #include file="IncLoginStateMechanism.asp" -->

Remember to use the include directive within an HTML portion of the ASP page, and not within the ASP <% and %> tags.

I hope this gives you some ideas about managing login state information. If you have information about other ways you have approached this problem, or about how paranoid you have been in building your applications, drop me a line. I would love to hear from you.



Rama Ramachandran is Vice President of Technology with Imperium Solutions and is a Microsoft Certified Solution Developer and Site Builder. He has extensive experience with building database systems and has co-authored several books including Professional Visual InterDev 6 Programming and Professional Data Access (Wrox). Rama also teaches Visual Basic and Web Development at Fairfield University and University of Connecticut.