Add "Remember me" option to Classic ASP website

Question

I need to add a "remember me" check to a Classic ASP web login form.

How I can keep users logged for weeks or months, despite the Application Pool recycling, and when users restart your browser?

The site is on a server with iis8.

Thanks.

Dangerous functionality to have especially if there is no limit on how long they can be remembered for. — user692942, Jun 12 '14 at 11:26

ScotterMonkey · Answer 1 · 2014-06-13T20:47:08.947

1

response.cookies("ID_User")=session("ID_User")
response.cookies("ID_User").expires=date()+90
response.cookies("ID_User").path="/"

response.cookies("yn_AutoSign") = yn_AutoSign  'this might equal "yes" or "no" 
response.cookies("yn_AutoSign").expires=date()+90
response.cookies("yn_AutoSign").path="/"

Oh and if you want the full sign-in that I've built for my CMS, I'm happy to give you the ASP files to do it. I went ahead and zipped em up and put them in a place you can get them from: http://www.oceanmedia.net/files/HK-sign-in.zip

edited Jun 13 '14 at 20:47

answered Jun 13 '14 at 20:29

ScotterMonkey

1,007
12
25

I don't understand the second part of this code. Why isn't the "ID_USER" part enough for keeping the ID cookie on the server for 90 days?? AND - can "date()" be replaced with "Now()"?? – TheCuBeMan Sep 28 '17 at 07:59

score 0 · Answer 2 · answered Jun 11 '14 at 19:21

0

If your 'remember me' check box is checked you can set a cookie.

<%
Response.Cookies("loggedin") = 1
Response.Cookies("loggedin").Expires = Date() + #OfDays
%>

Then to check if it the user is already logged in...

<%
loggedin = Request.Cookies("loggedin")

if loggedin = 1 then
     response.write ("User logged in already.")
else
     response.write ("User is not logged in.")
end if
%>

answered Jun 11 '14 at 19:21

StephenCollins

785
4
10

2

The cookie you have described indicates that the user is logged in, but not which user is logged. Anyway, check if a user is logged in through a cookie of this type is a serious security problem. Anyone could read and copy the cookie and replace the user's identity to access the web also. – AlvaroV Jun 12 '14 at 11:11
1

Well, what you set in the cookie is up to you, and no, cookies can't be read by other sites. – StephenCollins Jun 12 '14 at 14:45

score 0 · Accepted Answer · edited May 23 '17 at 11:52

0

I found these information that solved my doubts:

What is the best way to implement "remember me" for a website?

The definitive guide to form-based website authentication

Finally, I'll opt for doing what it says on this website: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/

edited May 23 '17 at 11:52

Community

1
1

answered Jun 14 '14 at 12:57

AlvaroV

433
1
4
10

Add "Remember me" option to Classic ASP website

3 Answers3