hello, i have a website that uses a http://www32.brinkster.com/speirsy/web_coursework/ that uses a lofin and password feature.
I was lookin 2 implement cookies or session cookies into it, so if the user has logged in before, they dnt need 2 log in again, and was also going to incorporate a checkbox which they can click to 'remember me'

does anyone have any idea how to implement this


your help would be much appreciated



thasnk craig

Assuming that you have your pages set up to send a user back to the login page automatically if a user isn't logged in, then you would need to check for the login cookie on that page. If a loggin cookie is found, the you complete the login automatically and send the user on. If not, then you present the login form.

When a regular login happens (i.e. they enter their username/password and you process the login) then you write a cookie with the pertinent information.

Do you need specific help with one of these tasks?

Session cookies aren't going to help you. You are trying to remember the user between sessions, right?

Peter
------------------------------------------------------
Work smarter, not harder.

yeah, i want it that the user logs in, and therefore enters the site


a cookie is then created that remembers that the user has logged in , so threfore if he closes his internet browser and accesses my site again , he doesnt need 2 log in.

i need help in the whole cookie structure because i have not got a clue how 2do it


thanks

Once you validate a login, you just need to write out the cookies:

Response.Cookies("username") = sUsername
Response.Cookies("password") = sPassword

In the beginning of where the login form lives you do a check for the cookie values before showing the form...

If Request.Cookies("username") <> "" Then
    'Execute login validation here using values from cookies
    'Get values from cookies
    sUsername = Request.Cookies("username")
    sPassword = Request.Cookies("password")
    'call doLogin to validate login,
    'returns true for valid login
    If doLogin(sUsername, sPassword) Then
        Response.Redirect("index.asp")
    End If
End If

There's no Else for either If. If there's no cookie or login is bad (to catch cookie hacking) then you just continue on and show the login form.

Peter
------------------------------------------------------
Work smarter, not harder.

so when the login form is submitted it goes 2 processuser.asp and that validates the username and password and then is redirected to the main.asp which is the main part of the site.
so i should put
Response.Cookies("username") = sUsername
Response.Cookies("password") = sPassword
 on the main.asp page?

also the check for the cookies

If Request.Cookies("username") <> "" Then
    'Execute login validation here using values from cookies
    'Get values from cookies
    sUsername = Request.Cookies("username")
    sPassword = Request.Cookies("password")
    'call doLogin to validate login,
    'returns true for valid login
    If doLogin(sUsername, sPassword) Then
        Response.Redirect("index.asp")
    End If
End If


that redirects the user to main .asp

thanks

You should set the cookies on processuser.asp. You can't set them on main.asp because that's not where you are validating the login. Plus, if you have code that is checking to make sure a user is logged in, then main.asp (because the cookies aren't set yet) would kick you back to login.asp.

So you need to:
- Set cookies on processuser.asp
- Check cookies on login.asp for return user
- Check the user login status throughout the session.

How are you maintaining the user login status? Do you have (or will you have) code on all the pages that checks to make sure a user is logged in? Because you are going to use a cookie to remember their login between sessions, you could use that as the "in-session" check as well. Every page that you need to protect should call this check. Your logout page would expire the cookies so the next page fails the login check and kicks you back to login.asp.

Peter
------------------------------------------------------
Work smarter, not harder.

i dont know, i was just thinking that wen u login to the main site thats just it, but i spsoe people could jst hack into the site, so i dnt know wot 2 do. lol.


also wot code should i use 2 expire all cookies ie the logout phase.

this is quite complex

:)

Yes it can be quite complex.

If someone has been to your site before, they would know they could go to main.asp (instead of just index or login). Unless you have means of checking that someone is logged in on every secure page, you are really defeating the purpose of having a login.

Checking on each page wouldn't be that hard, all you need to do is check that there are values in the cookies for username and password. Now you should probably validate this against your username list (in the database). I would not advise that you do this each time, because that would be excessive. Instead, validate once and store a session value so it's quicker to check each time. Here's what I would do based on what you have said that you have:

login page:
- Check the cookie values for "return user" as I described above. If there are values, call the doLogin() function with the values from the cookies to validate the user against the database (this prevents cookie hacking). Function returns false for bad login.
- If not validated (doLogin = False) or no "return user" (no cookies found), show the login form.

processuser.asp
login.asp posts to this page.
- Call doLogin() function with the values entered into the form. Function returns false for bad login
Bad login:
- redirect to login form again with error message

All other ASP pages
At start of page, call checkLogin()

functions (in a common include file):

doLogin(sUsername, sPassword)
- validate the username and password against the database
if valid:
- write cookies (as described in earlier post)
- write username to the session object (Session("username") = sUsername)
- redirect to main page
if NOT valid:
- return False (need to just return false cause different pages need to handle this differently.)

checkLogin()
- Checks Session("username") for a value.
if there's a value, assume that we've completed a login process (by cookie or login form) and can access the page.
if there's NO value, we need to log in.
- Redirect to the login page

Peter
------------------------------------------------------
Work smarter, not harder.

its not workin, i have this code on the index.asp page which is the login page and can be viewed here http://www32.brinkster.com/speirsy/web_coursework/

<%
If Request.Cookies("username") <> "" Then
    'Execute login validation here using values from cookies
    'Get values from cookies
    sUsername = Request.Cookies("username")
    sPassword = Request.Cookies("password")
    'call doLogin to validate login,
    'returns true for valid login
    If doLogin(sUsername, sPassword) Then
        Response.Redirect("log.asp")''''''log.asp is the page are redirected 2 when u successfully log in''''''''
    End If
End If

%>


the values on the login form are userQuery and passwordEntry


on the user.asp page which validates if the username and password are correct when u hit login this code is thre.


<%@ Language="VBScript" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<?xml version="1.0" encoding="iso-8859-1"?>

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title></title>

<%
Response.Cookies("userQuery") = sUsername
Response.Cookies("passwordEntry") = sPassword

%>
</head>

<body>
<%
Dim xmlDocument, path, nodes
set xmlDocument = CreateObject("MSXML2.FreeThreadedDOMDocument")
xmlDocument.async = "false"
xmlDocument.load(Server.MapPath("/speirsy/db/user.xml"))
xmlDocument.setProperty "SelectionLanguage", "XPath"

path = "/records/details[username='" & Request.Form("userQuery") & "']"
set nodes = xmlDocument.selectNodes(path)

If nodes.length = 0 Then
   Response.write("Please enter a valid username and password</br></br>")
Response.write("<a href='index.asp'>Back to login page</a>")

End If

For Each Node In nodes
   For Each Node2 In Node.childNodes
    If Node2.nodeName = "password" Then
         If Node2.text = Request.Form("passwordEntry") Then
Response.Redirect "log.asp"
else
Response.Write(" please enter a valid password</br></br>")
Response.write("<a href='index.asp'>Back to login page</a>")
         End If
      End If
   Next
Nextlog.asp is the page are redirected 2 when u successfully log in
%>

</body>
</html>


any help would be benificial

thanks again


:(

Where did you put doLogin()? I don't see it anywhere except where you call it. That should live in a common include file that index.asp and user.asp both include. Then you can call it from each one file.

Peter
------------------------------------------------------
Work smarter, not harder.