Webspeed login

Iceman_a

New Member
I am writing a login page to verify that a user is a current user. I am writing the username and password to a cookie. At that time, if the user is a current user, then it takes them to a new page. The new page pops up but when I try to use the page, it takes me back to the login page saying that I am an invalid user. The "new page" does not have any cookie checking turned on at this point however. Any suggestions?
 

Unregistered

Guest
When you say "new page", do you mean a completely different HTML page from the login page, or are you using just one HTML file to handle the login and then display the rest of the page after the user has logged in?

If you are using two separate HTML files and the second file does not check the cookies, then there is no possible way it will return to the login page.

The login that I use has a login page called login.html that contains the following procedure to check for a valid user and then set the cookies. At the bottom of the web page I check for vNoLogin, and if it is false I then use JavaScript to change the window.location to the next page, e.g. default.html.

PROCEDURE output-headers:

    /* Start clean: remove any cookies left over from a previous login. */
    Delete-Cookie("LoggedIn", ?, ?).
    Delete-Cookie("UserCode", ?, ?).
    Delete-Cookie("LanguageCode", ?, ?).

    /* Only act on the form submission, not on the initial GET of the page. */
    IF REQUEST_METHOD = "post" THEN
    DO:
        /* Look the user up by user code and ENCODEd password. */
        FIND UserInformation WHERE UserInformation.UserCode = Get-Value("UserCode")
            AND UserInformation.UserPassword = ENCODE(Get-Value("Password"))
            NO-LOCK NO-ERROR.

        IF AVAILABLE UserInformation THEN
        DO:
            /* Valid user: mark the browser as logged in. */
            Set-Cookie("LoggedIn", "True", ?, ?, ?, ?, ?).
            Set-Cookie("UserCode", Get-Value("UserCode"), ?, ?, ?, ?, ?).
            Set-Cookie("LanguageCode", UserInformation.LanguageCode, ?, ?, ?, ?, ?).
        END.
        ELSE
            /* vNoLogin is a page-level LOGICAL checked at the bottom of login.html. */
            ASSIGN vNoLogin = TRUE.
    END.

END PROCEDURE.

I then have the following code in an include file and include it at the top of default.html and every other web page. It checks for the cookie LoggedIn, which confirms that a valid user is logged in. If any of the pages are accessed without logging in first, it redirects to the login page.

PROCEDURE output-headers:

    /* No LoggedIn cookie (or a wrong value): send the browser back to the login page. */
    IF Get-Cookie("LoggedIn") <> "True" THEN
    DO:
        OUTPUT-HTTP-HEADER("Status", "302").
        OUTPUT-HTTP-HEADER("Location", HOSTURL + APPURL + "~\login.htm").
        OUTPUT-HTTP-HEADER("", "").   /* empty header ends the header block */
        QUIT.
    END.
    ELSE
    /* {&Admin} is a preprocessor flag defined on admin-only pages. */
    IF {&Admin} AND Get-Cookie("UserCode") <> "Admin" THEN
    DO:
        OUTPUT-HTTP-HEADER("Status", "302").
        OUTPUT-HTTP-HEADER("Location", HOSTURL + APPURL + "~\denied.htm").
        OUTPUT-HTTP-HEADER("", "").
        QUIT.
    END.

END PROCEDURE.
 

Unregistered

Guest
If you put the "username" and the "password" in a cookie, any other site connection can read this cookie and get passwords. The cookies file is a shared resource. You put your user in a dangerous position, and I think he would not agree with your choice. It is a great security hole. Use instead a random ID number for each client connection, and keep a correspondence table in your database.

rares
https://sourceforge.net/projects/wsnewskit
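The two replies above describe the two halves of a login: the first checks a cookie on every page and redirects with a 302 when it is missing, the second says the cookie should be a random ID looked up in a server-side table rather than the user's own data. The example below is added here to show both together; it is Python written for this thread, not WebSpeed code and not from either poster. It assumes a constructed user table in place of UserInformation, PBKDF2 hashing in place of ENCODE, a process-local dict as the correspondence table, and its own names (login, output_headers, SESSIONS, SessionId). The point it makes is that a cookie the browser can set itself, such as LoggedIn=True, is not evidence of anything; a cookie the server issued at random and still remembers is.

```python
"""Session-ID login check, sketched in Python (added example, not WebSpeed code).

On a successful login the server mints a random session id, stores it in a
table it controls, and sends only that id to the browser. Every page then
looks the id up; any cookie the server did not issue is treated as "not
logged in", exactly as a missing cookie would be.
"""
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 30 * 60          # seconds a session stays valid (assumed value)
PBKDF2_ROUNDS = 200_000


def _hash_password(password, salt):
    # Salted PBKDF2 stands in for the ENCODE() call used in the thread.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user table standing in for the UserInformation records.
_SALT_ADMIN = b"constructed-salt-1"
_SALT_ALICE = b"constructed-salt-2"
USERS = {
    "Admin": {"hash": _hash_password("admin-pass", _SALT_ADMIN), "salt": _SALT_ADMIN, "lang": "EN"},
    "alice": {"hash": _hash_password("alice-pass", _SALT_ALICE), "salt": _SALT_ALICE, "lang": "FR"},
}

# The "correspondence table": session id -> who it belongs to and when it expires.
# In a real deployment this lives in the database, not in process memory.
SESSIONS = {}


def login(user_code, password, now=None):
    """Verify credentials. On success return the cookies to send: only the session id."""
    now = time.time() if now is None else now
    rec = USERS.get(user_code)
    if rec is None:
        # Hash anyway so an unknown user code is not faster to reject than a wrong password.
        _hash_password(password, b"constructed-dummy-salt")
        return None
    if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
        return None
    sid = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG; not guessable
    SESSIONS[sid] = {"user": user_code, "lang": rec["lang"], "expires": now + SESSION_TTL}
    # User code and language stay server-side; the browser only ever sees the opaque id.
    return {"SessionId": sid}


def current_user(cookies, now=None):
    """Return the session record for the SessionId cookie, or None if it is unknown or expired."""
    now = time.time() if now is None else now
    sid = cookies.get("SessionId", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if sess["expires"] < now:
        SESSIONS.pop(sid, None)            # expired: forget it so it cannot be reused
        return None
    return sess


def output_headers(cookies, admin_page=False, now=None):
    """Per-page check mirroring the include file from the first reply.

    Returns the response the page would send: a 302 to login.htm without a valid
    session, a 302 to denied.htm for a non-Admin user on an admin page, else 200.
    """
    sess = current_user(cookies, now)
    if sess is None:
        return "302 /login.htm"
    if admin_page and sess["user"] != "Admin":
        return "302 /denied.htm"
    return "200"


def logout(cookies):
    """Server-side logout: dropping the table entry invalidates the cookie immediately."""
    SESSIONS.pop(cookies.get("SessionId", ""), None)


if __name__ == "__main__":
    good = login("alice", "alice-pass")
    print(output_headers(good))                                   # 200
    print(output_headers({"LoggedIn": "True", "UserCode": "Admin"}))  # 302 /login.htm
```

Because the server consults its own table rather than reading the answer off the cookie, the admin check no longer depends on a UserCode value the browser supplied, and logout and expiry are enforced on the server side even if the browser keeps the old cookie.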
 

cup99

New Member
Where in my code does it mention storing the password in a cookie?

I agree with what you say, however, that cookies should not be used to store secure information. However, I totally disagree with people who go on about how others can gain access to cookies on your PC and then use information stored in them to do any number of 'harmful' things on your PC. First up, you have to know what cookies are stored on the PC; you then need to know what the information in the cookie is for; if it is encoded then it is useless to most people; and if you do manage to get any cookie information, you then need to figure out whether or not it is useful for anything.

As usual in the computing industry, everyone loves to jump on a bandwagon and have massive panic attacks about security.

From what I read in computing news etc., it seems most people who deal with computing and security are far too eager to make a mountain out of a molehill and try to scare people into believing that they are at great risk, when in reality the risk is so minuscule it isn't worth bothering about.

Most people who try to 'hack' into PCs are so-called 'Script Kiddies' who don't have a clue about hacking. All they do is download and run scripts already written by other people.

If a true hacker wants to get information from your PC, then he will regardless of how secure you think it might be.
 

Unregistered

Guest
I agree with cup99. Like all the hype about peerless networking and app service providers, cookies are not the security risk folks think. I have never seen one implementation of a dynamic user-account-oriented web app that didn't use cookies for some purpose.

Now, new technologies may change that. I know any app using .NET will inherently carry a unique session.
 