StephenD
Senior Member
Australia
1044 Posts
Posted - 29 August 2003 : 21:41:43
Just revisiting my earlier request here for a method of making the login process a little bit safer when accessing from internet cafes, airports and hotels:
http://forum.snitz.com/forum/topic.asp?ARCHIVE=true&TOPIC_ID=45084
Basically, once the default page comes up, a choice of login modes can be selected, i.e. Normal - My Personal PC, or Secure - Internet Cafe. The secure mode would not offer the 'save password' tickbox and would set the cookie for only half an hour or an hour.
I've often worried that some of our people out on the road might forget to logout or untick the 'save password' box.
Any help would be sincerely appreciated.

StephenD
Senior Member
Australia
1044 Posts
Posted - 02 September 2003 : 22:40:54
Anybody able to help with this?

StephenD
Senior Member
Australia
1044 Posts
Posted - 15 September 2003 : 19:44:07
Bumping up to top again...

gelliott
Junior Member
USA
268 Posts
Posted - 16 September 2003 : 11:52:35
Instead of re-writing the screens, why not create an additional checkbox for "secure mode". Setting this box will add a flag to the cookie. Then you simply modify the cookie functions to check for the flag - if there, it overrides the save password and default cookie lifespan settings. By changing the functions, you should solve the issue site-wide. If the only function to write the flag is within the login routine, then once logged in the flag will be left intact - the only way to unset it on that same machine would be to log out and log back in without re-checking the box.
Or, if you really want to get sophisticated, put a link in the edit profile screen to write a "home" flag to the PC. Then assume secure mode unless they have edited their profile on that PC and set the "home" flag. They could do this at work and at home, and every time they log in from an atypical machine, they don't have to worry about it. I think this would be more difficult to manage, since it requires pre-setup by the user. Since most of your users probably won't need this feature, no need to make all of them flag their home PCs when only a few need this added security.
* The optimist says the cup is half full. The pessimist says it's half empty. But the engineer knows the truth - the cup's design is incorrectly sized.

StephenD
Senior Member
Australia
1044 Posts
Posted - 17 September 2003 : 00:55:27
Gelliott, your first option sounds perfect. Are you able to assist with this mod, or can you point me to the relevant sections of the relevant files please?

gelliott
Junior Member
USA
268 Posts
Posted - 18 September 2003 : 00:01:22
I'm pretty busy at work at the moment, and I'm not all that familiar with cookies in the first place. I must admit, in all my modifications to the forums I run I've never played with cookies, although I've seen the functions in the code many times and they appear easy to manipulate. So take my advice with a grain of salt, or get a cookie guru to validate my theory. However, I can certainly point you to the relevant sections to get you started:
In inc_header.asp, the "save password" checkbox is around line 364. Upon submitting the login form, the form inputs are handled around line 193 in the same file (look for "Call DoCookies"). Send the DoCookies sub the results of both the SavePassword and SecureMode checkboxes.
Next, in inc_func_common.asp, the DoCookies subroutine is around line 844. Modify the definition line of the sub to accept the second passthru variable for securemode. Then change the second "if" statement to prevent setting the password cookie if the securemode is active. You'll note the intCookieDuration constant in this function. This is loaded in config.asp at line 85. Because you want to use this as a variable, perhaps change the constant's name to intCookieDurationConst, and dimension a variable using the old name. On line 86 set the variable to the constant's value. Using the old name will save re-writing many pages, but will potentially let some cookies be written if we fail to reset the value at a point that catches most pages' needs.
It'd be nice to add a line in config.asp right after it, to check the cookies and change the variable there, but at the time config.asp is included in most pages, no cookie functions have been defined. Thus some pages might load config.asp and not the inc_header.asp file and miss some of the additional functions we need (causing an error). I recommend changing it in inc_header.asp. I'm guessing here, but maybe around line 123 you could reset the value of this variable and catch 99% of the uses of this variable. I can't guarantee it, but I think that'll get almost all.
From reading inc_header.asp, I think there are two possible ways to store cookie data (illustrated below), but I'm not sure what the differences are. If I had to guess, I'd say cookies set using the "session" method expire at the end of that session (short term), whereas cookies set using the Request/Response method are longer-term variables. I'd read up on the Session and Request/Response methods at sloppycode.net (one of my favorite references) to learn more about them.
Reading:
  result = Request.Cookies(strCookieURL & "varname")
  result = Session(strCookieURL & "varname")
Writing:
  Response.Cookies(strCookieURL & "varname") = var_new_value
  Session(strCookieURL & "varname") = var_new_value
Last, line 402 in inc_header.asp displays the "you are logged in as" message. You might consider an IF statement to append the suffix "(secure mode)" based on the cookie value, just to confirm to your users their entry was acted on. Good luck, and be sure to let us know how it goes! I might learn something from your posts!
* The optimist says the cup is half full. The pessimist says it's half empty. But the engineer knows the truth - the cup's design is incorrectly sized.

StephenD
Senior Member
Australia
1044 Posts
Posted - 18 September 2003 : 00:14:53
Thanks gelliott, I'll give it a shot.

StephenD
Senior Member
Australia
1044 Posts
Posted - 18 September 2003 : 02:19:36
OK, I've put these statements into inc_header.asp & login.asp:
" <input type=""checkbox"" name=""SecureMode"" value=""true"" tabindex=""-1"" UNCHECKED>Secure Mode - Internet Cafes, hotels etc.</font></td>" & vbNewLine & _
and these pages now look like this: http://portal.cashbackaustralia.com/login.asp http://portal.cashbackaustralia.com/default.asp
I also added the second DoCookies call (the SecureMode line) to this section on both pages:
if RequestMethod = "POST" Then
  strEncodedPassword = sha256("" & fPassword)
  select case chkUser(fName, strEncodedPassword,-1)
    case 1, 2, 3, 4
      Call DoCookies(Request.Form("SavePassword"))
      Call DoCookies(Request.Form("SecureMode"))
      strLoginStatus = 1
    case else
      strLoginStatus = 0
  end select
In inc_func_common, I created a new sub:
sub doCookies(fSecureMode)
  if strSetCookieToForum = 1 then
    Response.Cookies(strUniqueID & "User").Path = strCookieURL
  else
    Response.Cookies(strUniqueID & "User").Path = "/"
  end if
  Response.Cookies(strUniqueID & "User")("Name") = strDBNTFUserName
  Response.Cookies(strUniqueID & "User")("Pword") = strEncodedPassword
  'Response.Cookies(strUniqueID & "User")("Cookies") = Request.Form("Cookies")
  if fSecureMode = "true" then
    Response.Cookies(strUniqueID & "User").Expires = dateAdd("d", intCookieDurationConst, strForumTimeAdjust)
  end if
  Session(strCookieURL & "last_here_date") = ReadLastHereDate(strDBNTFUserName)
end sub
and put this line in inc_header at line 125: Const intCookieDurationConst = 1
So far so good although when I view/edit the cookie it doesn't look any different for setting the duration to 1 day.
Is it still calling the first sub in inc_func_common? I wasn't competent enough to modify the existing docookie sub.
Edited by - StephenD on 18 September 2003 02:21:50

StephenD
Senior Member
Australia
1044 Posts
Posted - 18 September 2003 : 02:40:17
Actually, the cookies are different. Last 5 lines of each:
Normal login: 1536 1872253440 29589110 27079936 29588909
vs
Secure Mode: 1536 1452253440 29589110 3896737232 29588908
Does this mean the mod worked?
Edited by - StephenD on 18 September 2003 02:41:09

gelliott
Junior Member
USA
268 Posts
Posted - 18 September 2003 : 14:02:01
No, when I said "Modify the definition line of the sub to accept the second passthru variable for securemode" I meant changing the existing sub and how it is called (not adding a new sub, see why below) like this:
if RequestMethod = "POST" Then
  strEncodedPassword = sha256("" & fPassword)
  select case chkUser(fName, strEncodedPassword,-1)
    case 1, 2, 3, 4
      Call DoCookies(Request.Form("SavePassword"), Request.Form("SecureMode"))
      strLoginStatus = 1
    case else
      strLoginStatus = 0
  end select
inc_func_common:
sub doCookies(fSavePassword, fSecureMode)
  if strSetCookieToForum = 1 then
    Response.Cookies(strUniqueID & "User").Path = strCookieURL
  else
    Response.Cookies(strUniqueID & "User").Path = "/"
  end if
  Response.Cookies(strUniqueID & "User")("Name") = strDBNTFUserName
  Response.Cookies(strUniqueID & "User")("Pword") = strEncodedPassword
  'Response.Cookies(strUniqueID & "User")("Cookies") = Request.Form("Cookies")
  if fSavePassword = "true" and fSecureMode = "false" then
    Response.Cookies(strUniqueID & "User").Expires = dateAdd("d", intCookieDuration, strForumTimeAdjust)
  end if
  Response.Cookies(strUniqueID & "User")("SecureMode") = fSecureMode
  if fSecureMode = "true" then
    Response.Cookies(strUniqueID & "User").Expires = dateAdd("n", 30, strForumTimeAdjust) 'expires in 30 minutes
  end if
  Session(strCookieURL & "last_here_date") = ReadLastHereDate(strDBNTFUserName)
end sub
in config.asp around line 85:
Const intCookieDurationConst = 30
Dim intCookieDuration
intCookieDuration = intCookieDurationConst
inc_header at line 125:
if Request.Cookies(strUniqueID & "User")("SecureMode") = "true" then
  intCookieDuration = 30/1440 '30 minutes expressed as fraction of a day
end if
The problem is that only one function can exist with the same name. You created two DoCookies functions. The software uses only the first one in the code. You have two cookies because you called the function twice.
My intent was to modify the existing DoCookies function to take an additional parameter (securemode) and to slightly change that function's behavior based on that variable. Meanwhile, I do not want to change the way intCookieDurationConst is displayed outside of config.asp because I'd never find all the places it was used. Instead, I want the ability to change the value stored under that name. Thus, I rename the original constant to something else, and create a variable which immediately is fed the constant's value (so it will always be set to something). But I want to change that setting if I discover the securemode is active while executing inc_header code, so I add an IF statement there to check it and change it. Because the original constant was in units of days, and my new desired expiration is in terms of minutes, I must convert my minutes into days (by dividing by 1440) so the functions will behave right.
* The optimist says the cup is half full. The pessimist says it's half empty. But the engineer knows the truth - the cup's design is incorrectly sized.
Edited by - gelliott on 18 September 2003 14:04:17

StephenD
Senior Member
Australia
1044 Posts
Posted - 18 September 2003 : 22:46:19
Thanks Gelliott, works perfectly ... logged me out after 30 mins. BTW there was one too many ')' at the end of Call DoCookies(Request.Form("SavePassword"), Request.Form("SecureMode")))
Can you help with the final step please ... the if/then statement in inc_header line 402 "you are logged in as".

gelliott
Junior Member
USA
268 Posts
Posted - 22 September 2003 : 12:45:44
Sorry it took me so long to answer, I was gone for the weekend. I'm glad it worked for you! I hope my typo didn't stump you for too long...
Let's see, just after the text "you are logged in as" in the code (inc_header.asp), the next line reads:
if strAuthType="nt" then
Just before that line, add the following:
prtSecureModeFlag = ""
if Request.Cookies(strUniqueID & "User")("SecureMode") = "true" then
  prtSecureModeFlag = "<BR>(Secure Mode Active)"
end if
The next two Response.Write's print the username for various possible scenarios. At the end of each of those lines is the following:
</b></font></td>" & vbNewLine & _
(Note that one of these has a ) in front of the </b>, so when you make the below change, be careful). Change the end of these two lines to look like the below:
</b>" & prtSecureModeFlag & "</font></td>" & vbNewLine & _
The above IF statement will insert our text there if SecureMode is active, but if it is not it will be blank. By storing the message in a variable, you can have a single location to change how it reads if you wish to. For instance, you may wish to also print a lock icon next to the message, or on either side of it. If so, that line within the IF statement might look like this:
prtSecureModeFlag = "<BR>" & getCurrentIcon(strIconLock,"Secure Mode Active") & "(Secure Mode Active)" & getCurrentIcon(strIconLock,"Secure Mode Active")
If you later decide you don't like this look, it's easy to change back.
* The optimist says the cup is half full. The pessimist says it's half empty. But the engineer knows the truth - the cup's design is incorrectly sized.

StephenD
Senior Member
Australia
1044 Posts
Posted - 22 September 2003 : 21:50:47
Thanks Gelliott for all your help on this mod. I couldn't get the last line to work with the icons (wrong number of arguments ... getCurrentIcon) but the text only version works great.

gelliott
Junior Member
USA
268 Posts
Posted - 23 September 2003 : 13:16:40
Try the following (I was assuming that last argument was optional):
getCurrentIcon(strIconLock,"Secure Mode Active","")
* The optimist says the cup is half full. The pessimist says it's half empty. But the engineer knows the truth - the cup's design is incorrectly sized.

StephenD
Senior Member
Australia
1044 Posts
Posted - 24 September 2003 : 02:33:30
OK, after corresponding with Gelliott, I found the cookies were not behaving the way I wanted them to, i.e.:
Both boxes unticked - cookie to expire at end of session.
Save password ticked - cookie to expire in 30 days.
Secure mode ticked - cookie to expire in 30 mins.
Both boxes ticked - cookie to expire in 30 mins.
I seem to have it right now with the following code changes:
Config.asp: edited it back to the original, i.e.
Const intCookieDuration = 30
inc_header.asp: removed this block:
if Request.Cookies(strUniqueID & "User")("SecureMode") = "true" then
  intCookieDuration = 30/1440 '30 minutes expressed as fraction of a day
end if
Changed this bit:
select case Request.Form("Method_Type")
  case "login"
    strEncodedPassword = sha256("" & Request.Form("Password"))
    select case chkUser(strDBNTFUserName, strEncodedPassword,-1)
      case 1, 2, 3, 4
        Call DoCookies(Request.Form("SavePassword"))
        Call DoCookies2(Request.Form("SecureMode"))
        strLoginStatus = 1
      case else
        strLoginStatus = 0
    end select
  case "logout"
    Call ClearCookies()
end select
inc_func_common.asp: put the original cookie sub back in and made a new DoCookies2 sub:
sub doCookies2(fSecureMode)
  if strSetCookieToForum = 1 then
    Response.Cookies(strUniqueID & "User").Path = strCookieURL
  else
    Response.Cookies(strUniqueID & "User").Path = "/"
  end if
  Response.Cookies(strUniqueID & "User")("Name") = strDBNTFUserName
  Response.Cookies(strUniqueID & "User")("Pword") = strEncodedPassword
  'Response.Cookies(strUniqueID & "User")("Cookies") = Request.Form("Cookies")
  Response.Cookies(strUniqueID & "User")("SecureMode") = fSecureMode
  if fSecureMode = "true" then
    Response.Cookies(strUniqueID & "User").Expires = dateAdd("n", 30, strForumTimeAdjust) 'expires in 30 minutes
  end if
  Session(strCookieURL & "last_here_date") = ReadLastHereDate(strDBNTFUserName)
end sub
This seems to be working for me now. A special thanks to Gelliott for trouble-shooting this for me.
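The four-row matrix in the post above (neither box, save password, secure mode, both) and gelliott's earlier note on session cookies versus Request/Response cookies are made concrete in the following added Python example. It is not code from this thread or from the Snitz project; it models the decision the thread's VBScript DoCookies/DoCookies2 subs make, plus the form behaviour behind the earlier misfire: an unticked HTML checkbox is simply absent from the POST body, so a test such as fSecureMode = "false" never matches. It follows gelliott's first proposal of not writing the password hash at all in secure mode (the thread's DoCookies2 still writes Pword, relying on the 30-minute expiry alone). All names (cookie_policy, issue_login_cookie, CookieJar, LOGIN_TIME, demo) and sample values are this example's own assumptions.

```python
"""Cookie-lifetime policy for a 'secure mode' login checkbox (added example).

Models the thread's VBScript decision logic in Python. All names and sample
values here are assumptions of this example, not Snitz code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

SAVE_PASSWORD_DAYS = 30    # thread's Const intCookieDuration = 30 (days)
SECURE_MODE_MINUTES = 30   # thread's dateAdd("n", 30, ...)


def checkbox_ticked(form: dict, name: str) -> bool:
    """True only when the checkbox was submitted with value "true".

    An unticked checkbox contributes no field at all, so a missing key must
    count as unticked; comparing against the string "false" never fires.
    """
    return form.get(name, "").strip().lower() == "true"


@dataclass
class CookiePolicy:
    persist_password: bool         # write the password hash into the cookie?
    max_age: Optional[timedelta]   # None -> session cookie (no Expires)
    secure_mode: bool


def cookie_policy(form: dict) -> CookiePolicy:
    """Neither ticked -> session cookie; SavePassword -> 30 days with hash;
    SecureMode (alone or with SavePassword) -> 30 minutes, no hash."""
    if checkbox_ticked(form, "SecureMode"):
        return CookiePolicy(False, timedelta(minutes=SECURE_MODE_MINUTES), True)
    if checkbox_ticked(form, "SavePassword"):
        return CookiePolicy(True, timedelta(days=SAVE_PASSWORD_DAYS), False)
    return CookiePolicy(False, None, False)


@dataclass
class Cookie:
    name: str
    values: dict                 # ASP-style sub-keys: Name, Pword, SecureMode
    expires: Optional[datetime]  # None = session cookie


def issue_login_cookie(form: dict, username: str, pw_hash: str, now: datetime) -> Cookie:
    """Build the 'User' cookie the way DoCookies does, under cookie_policy."""
    pol = cookie_policy(form)
    values = {"Name": username, "SecureMode": "true" if pol.secure_mode else "false"}
    if pol.persist_password:
        values["Pword"] = pw_hash
    return Cookie("User", values, now + pol.max_age if pol.max_age else None)


@dataclass
class CookieJar:
    """Minimal model of a browser cookie store: session cookies vanish when the
    browser closes, cookies with Expires persist until that instant."""
    cookies: dict = field(default_factory=dict)

    def store(self, c: Cookie) -> None:
        self.cookies[c.name] = c

    def browser_closed(self) -> None:
        self.cookies = {k: v for k, v in self.cookies.items() if v.expires is not None}

    def live(self, now: datetime) -> dict:
        return {k: v for k, v in self.cookies.items()
                if v.expires is None or v.expires > now}


LOGIN_TIME = datetime(2003, 9, 18, 22, 0)  # constructed sample timestamp


def demo() -> dict:
    """Exercise the four checkbox combinations; report what the client holds."""
    out = {}
    for label, form in [("none", {}),
                        ("save", {"SavePassword": "true"}),
                        ("secure", {"SecureMode": "true"}),
                        ("both", {"SavePassword": "true", "SecureMode": "true"})]:
        c = issue_login_cookie(form, "stephen", "sha256-of-password", LOGIN_TIME)
        jar = CookieJar()
        jar.store(c)
        live_31 = "User" in jar.live(LOGIN_TIME + timedelta(minutes=31))  # browser still open
        jar.browser_closed()
        held_29 = "User" in jar.live(LOGIN_TIME + timedelta(minutes=29))  # after a restart
        out[label] = {"pword_in_cookie": "Pword" in c.values,
                      "live_after_31_min": live_31,
                      "held_after_close_at_29_min": held_29}
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:7s} {result}")
```

Two points the run makes visible: secure mode overrides save-password rather than coexisting with it, and a 30-minute cookie is still a persistent cookie (it survives a browser restart until it expires), so the short expiry, not the browser closing, is what protects a shared machine.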