Session Variables....

courtjester · #1 Jun 24th, 2004, 22:42

Hello there. I have a few questions about Session Variables... Is it ok to create A user's Area with them? Is it the best/only way? Please let me know. Using them is easy, just don't know if it's the best thing to do.

Webforumz Staff · #2 Jun 25th, 2004, 04:22

IMO sessions are fine, or a cookie. I usually use cookies out of habit because back when I started sessions were seen as evil but when later versions of ASP came out they fixed all the problems with them.

courtjester · #3 Jun 25th, 2004, 07:01

Well, here's what I have created... www.haeglodesigns.com Go to the log-in portion of my site... It's located near the bottom of the page. Here's the Info. Username: guest Password: dojo123
Please make sure that what you enter is lowercase or it will not work properly (I am working on that...)

Smokie · #4 Jun 25th, 2004, 08:16

Lookin good!

You could easily convert the form values (username/password) to lower case defore checking them against your database, use the LCase() function.

Rob · #5 Jun 26th, 2004, 09:09

May I point out, that username / password pairs should not really be stored in the session, or a cookie.

Its a far from impossible task to open up a cookie in notepad to grab information.

I would definitly consider using a one-way hashing algorythm to store passwords in a database. I would then store an ENCRYPTED username / password in the session (or cookie).... each page will decode this info, make a one way hash from the password and compare it to the hash in the Database.

This way is secure and as you are dealing with clients personal information, that they entrust you with, you should never store (or send) this info across a network in plain text.
Use:-
enctype="multipart/form-data"
and the POST method for forms that send user/pass data across the net.

Hope this helps.

Rob

(BTW: I do have a vbscript class that does one way hashing and encrypt / decrypt... let me know anyone who wants it.)

courtjester · #6 Jun 26th, 2004, 22:57

Cool

. Well if you check out my Personal Information section you will see that it doesn't have any real personal info on the page. Just the town and the web adress. Mainly because I didn't know how to encrypt data. Now I am going to have to play around with that stuff :O. Thanks again Rob.

Rob · #7 Jun 26th, 2004, 22:58

Maybe this class will help you with hashes, decode & encode:-

Code: Select all

<%
'##  Exposes one Public Property :- BaseString
'##  This is first populated with the string to encode, decode or hash
'##  Once the baseString is set, you may call one of the 3 methods:-
'##  GetSHA256Hash()
'##  EncodeBase64()
'##  DecodeBAse64()

Class EncryptionHelper
  Private m_lOnBits(30)
  Private m_l2Power(30)
  Private K(63)
  Public BaseString
  
  Private BITS_TO_A_BYTE, BYTES_TO_A_WORD, BITS_TO_A_WORD
  
  Private Sub Class_Initialize()
	BITS_TO_A_BYTE = 8
	BYTES_TO_A_WORD = 4
	BITS_TO_A_WORD = 32

	m_lOnBits(0) = CLng(1)
	m_lOnBits(1) = CLng(3)
	m_lOnBits(2) = CLng(7)
	m_lOnBits(3) = CLng(15)
	m_lOnBits(4) = CLng(31)
	m_lOnBits(5) = CLng(63)
	m_lOnBits(6) = CLng(127)
	m_lOnBits(7) = CLng(255)
	m_lOnBits(8) = CLng(511)
	m_lOnBits(9) = CLng(1023)
	m_lOnBits(10) = CLng(2047)
	m_lOnBits(11) = CLng(4095)
	m_lOnBits(12) = CLng(8191)
	m_lOnBits(13) = CLng(16383)
	m_lOnBits(14) = CLng(32767)
	m_lOnBits(15) = CLng(65535)
	m_lOnBits(16) = CLng(131071)
	m_lOnBits(17) = CLng(262143)
	m_lOnBits(18) = CLng(524287)
	m_lOnBits(19) = CLng(1048575)
	m_lOnBits(20) = CLng(2097151)
	m_lOnBits(21) = CLng(4194303)
	m_lOnBits(22) = CLng(8388607)
	m_lOnBits(23) = CLng(16777215)
	m_lOnBits(24) = CLng(33554431)
	m_lOnBits(25) = CLng(67108863)
	m_lOnBits(26) = CLng(134217727)
	m_lOnBits(27) = CLng(268435455)
	m_lOnBits(28) = CLng(536870911)
	m_lOnBits(29) = CLng(1073741823)
	m_lOnBits(30) = CLng(2147483647)

	m_l2Power(0) = CLng(1)
	m_l2Power(1) = CLng(2)
	m_l2Power(2) = CLng(4)
	m_l2Power(3) = CLng(8)
	m_l2Power(4) = CLng(16)
	m_l2Power(5) = CLng(32)
	m_l2Power(6) = CLng(64)
	m_l2Power(7) = CLng(128)
	m_l2Power(8) = CLng(256)
	m_l2Power(9) = CLng(512)
	m_l2Power(10) = CLng(1024)
	m_l2Power(11) = CLng(2048)
	m_l2Power(12) = CLng(4096)
	m_l2Power(13) = CLng(8192)
	m_l2Power(14) = CLng(16384)
	m_l2Power(15) = CLng(32768)
	m_l2Power(16) = CLng(65536)
	m_l2Power(17) = CLng(131072)
	m_l2Power(18) = CLng(262144)
	m_l2Power(19) = CLng(524288)
	m_l2Power(20) = CLng(1048576)
	m_l2Power(21) = CLng(2097152)
	m_l2Power(22) = CLng(4194304)
	m_l2Power(23) = CLng(8388608)
	m_l2Power(24) = CLng(16777216)
	m_l2Power(25) = CLng(33554432)
	m_l2Power(26) = CLng(67108864)
	m_l2Power(27) = CLng(134217728)
	m_l2Power(28) = CLng(268435456)
	m_l2Power(29) = CLng(536870912)
	m_l2Power(30) = CLng(1073741824)
    
	K(0) = &H428A2F98
	K(1) = &H71374491
	K(2) = &HB5C0FBCF
	K(3) = &HE9B5DBA5
	K(4) = &H3956C25B
	K(5) = &H59F111F1
	K(6) = &H923F82A4
	K(7) = &HAB1C5ED5
	K(8) = &HD807AA98
	K(9) = &H12835B01
	K(10) = &H243185BE
	K(11) = &H550C7DC3
	K(12) = &H72BE5D74
	K(13) = &H80DEB1FE
	K(14) = &H9BDC06A7
	K(15) = &HC19BF174
	K(16) = &HE49B69C1
	K(17) = &HEFBE4786
	K(18) = &HFC19DC6
	K(19) = &H240CA1CC
	K(20) = &H2DE92C6F
	K(21) = &H4A7484AA
	K(22) = &H5CB0A9DC
	K(23) = &H76F988DA
	K(24) = &H983E5152
	K(25) = &HA831C66D
	K(26) = &HB00327C8
	K(27) = &HBF597FC7
	K(28) = &HC6E00BF3
	K(29) = &HD5A79147
	K(30) = &H6CA6351
	K(31) = &H14292967
	K(32) = &H27B70A85
	K(33) = &H2E1B2138
	K(34) = &H4D2C6DFC
	K(35) = &H53380D13
	K(36) = &H650A7354
	K(37) = &H766A0ABB
	K(38) = &H81C2C92E
	K(39) = &H92722C85
	K(40) = &HA2BFE8A1
	K(41) = &HA81A664B
	K(42) = &HC24B8B70
	K(43) = &HC76C51A3
	K(44) = &HD192E819
	K(45) = &HD6990624
	K(46) = &HF40E3585
	K(47) = &H106AA070
	K(48) = &H19A4C116
	K(49) = &H1E376C08
	K(50) = &H2748774C
	K(51) = &H34B0BCB5
	K(52) = &H391C0CB3
	K(53) = &H4ED8AA4A
	K(54) = &H5B9CCA4F
	K(55) = &H682E6FF3
	K(56) = &H748F82EE
	K(57) = &H78A5636F
	K(58) = &H84C87814
	K(59) = &H8CC70208
	K(60) = &H90BEFFFA
	K(61) = &HA4506CEB
	K(62) = &HBEF9A3F7
	K(63) = &HC67178F2
  End Sub
  
  Private Function LShift(lValue, iShiftBits)
      If iShiftBits = 0 Then
          LShift = lValue
          Exit Function
      ElseIf iShiftBits = 31 Then
          If lValue And 1 Then
              LShift = &H80000000
          Else
              LShift = 0
          End If
          Exit Function
      ElseIf iShiftBits < 0 Or iShiftBits > 31 Then
          Err.Raise 6
      End If
      
      If (lValue And m_l2Power(31 - iShiftBits)) Then
          LShift = ((lValue And m_lOnBits(31 - (iShiftBits + 1))) * m_l2Power(iShiftBits)) Or &H80000000
      Else
          LShift = ((lValue And m_lOnBits(31 - iShiftBits)) * m_l2Power(iShiftBits))
      End If
  End Function
  
  Private Function RShift(lValue, iShiftBits)
      If iShiftBits = 0 Then
          RShift = lValue
          Exit Function
      ElseIf iShiftBits = 31 Then
          If lValue And &H80000000 Then
              RShift = 1
          Else
              RShift = 0
          End If
          Exit Function
      ElseIf iShiftBits < 0 Or iShiftBits > 31 Then
          Err.Raise 6
      End If
      
      RShift = (lValue And &H7FFFFFFE) \ m_l2Power(iShiftBits)
      
      If (lValue And &H80000000) Then
          RShift = (RShift Or (&H40000000 \ m_l2Power(iShiftBits - 1)))
      End If
  End Function
  
  Private Function AddUnsigned(lX, lY)
      Dim lX4
      Dim lY4
      Dim lX8
      Dim lY8
      Dim lResult
   
      lX8 = lX And &H80000000
      lY8 = lY And &H80000000
      lX4 = lX And &H40000000
      lY4 = lY And &H40000000
   
      lResult = (lX And &H3FFFFFFF) + (lY And &H3FFFFFFF)
   
      If lX4 And lY4 Then
          lResult = lResult Xor &H80000000 Xor lX8 Xor lY8
      ElseIf lX4 Or lY4 Then
          If lResult And &H40000000 Then
              lResult = lResult Xor &HC0000000 Xor lX8 Xor lY8
          Else
              lResult = lResult Xor &H40000000 Xor lX8 Xor lY8
          End If
      Else
          lResult = lResult Xor lX8 Xor lY8
      End If
   
      AddUnsigned = lResult
  End Function
  
  Private Function Ch(x, y, z)
      Ch = ((x And y) Xor ((Not x) And z))
  End Function
  
  Private Function Maj(x, y, z)
      Maj = ((x And y) Xor (x And z) Xor (y And z))
  End Function
  
  Private Function S(x, n)
      S = (RShift(x, (n And m_lOnBits(4))) Or LShift(x, (32 - (n And m_lOnBits(4)))))
  End Function
  
  Private Function R(x, n)
      R = RShift(x, cLng(n And m_lOnBits(4)))
  End Function
  
  Private Function Sigma0(x)
      Sigma0 = (S(x, 2) Xor S(x, 13) Xor S(x, 22))
  End Function
  
  Private Function Sigma1(x)
      Sigma1 = (S(x, 6) Xor S(x, 11) Xor S(x, 25))
  End Function
  
  Private Function Gamma0(x)
      Gamma0 = (S(x, 7) Xor S(x, 18) Xor R(x, 3))
  End Function
  
  Private Function Gamma1(x)
      Gamma1 = (S(x, 17) Xor S(x, 19) Xor R(x, 10))
  End Function
  
  Private Function ConvertToWordArray(sMessage)
      Dim lMessageLength
      Dim lNumberOfWords
      Dim lWordArray()
      Dim lBytePosition
      Dim lByteCount
      Dim lWordCount
      Dim lByte
      
      Const MODULUS_BITS = 512
      Const CONGRUENT_BITS = 448
      
      lMessageLength = Len(sMessage)
      
      lNumberOfWords = (((lMessageLength + ((MODULUS_BITS - CONGRUENT_BITS) \ BITS_TO_A_BYTE)) \ (MODULUS_BITS \ BITS_TO_A_BYTE)) + 1) * (MODULUS_BITS \ BITS_TO_A_WORD)
      ReDim lWordArray(lNumberOfWords - 1)
      
      lBytePosition = 0
      lByteCount = 0
      Do Until lByteCount >= lMessageLength
          lWordCount = lByteCount \ BYTES_TO_A_WORD
          
          lBytePosition = (3 - (lByteCount Mod BYTES_TO_A_WORD)) * BITS_TO_A_BYTE
          
          lByte = AscB(Mid(sMessage, lByteCount + 1, 1))
          
          lWordArray(lWordCount) = lWordArray(lWordCount) Or LShift(lByte, lBytePosition)
          lByteCount = lByteCount + 1
      Loop
  
      lWordCount = lByteCount \ BYTES_TO_A_WORD
      lBytePosition = (3 - (lByteCount Mod BYTES_TO_A_WORD)) * BITS_TO_A_BYTE
  
      lWordArray(lWordCount) = lWordArray(lWordCount) Or LShift(&H80, lBytePosition)
  
      lWordArray(lNumberOfWords - 1) = LShift(lMessageLength, 3)
      lWordArray(lNumberOfWords - 2) = RShift(lMessageLength, 29)
      
      ConvertToWordArray = lWordArray
  End Function
  
  Public Function GetSHA256Hash()
      Dim HASH(7)
      Dim M
      Dim W(63)
      Dim a
      Dim b
      Dim c
      Dim d
      Dim e
      Dim f
      Dim g
      Dim h
      Dim i
      Dim j
      Dim T1
      Dim T2
      
      HASH(0) = &H6A09E667
      HASH(1) = &HBB67AE85
      HASH(2) = &H3C6EF372
      HASH(3) = &HA54FF53A
      HASH(4) = &H510E527F
      HASH(5) = &H9B05688C
      HASH(6) = &H1F83D9AB
      HASH(7) = &H5BE0CD19
      
      M = ConvertToWordArray(BaseString)
      
      For i = 0 To UBound(M) Step 16
          a = HASH(0)
          b = HASH(1)
          c = HASH(2)
          d = HASH(3)
          e = HASH(4)
          f = HASH(5)
          g = HASH(6)
          h = HASH(7)
          
          For j = 0 To 63
              If j < 16 Then
                  W(j) = M(j + i)
              Else
                  W(j) = AddUnsigned(AddUnsigned(AddUnsigned(Gamma1(W(j - 2)), W(j - 7)), Gamma0(W(j - 15))), W(j - 16))
              End If
                  
              T1 = AddUnsigned(AddUnsigned(AddUnsigned(AddUnsigned(h, Sigma1(e)), Ch(e, f, g)), K(j)), W(j))
              T2 = AddUnsigned(Sigma0(a), Maj(a, b, c))
              
              h = g
              g = f
              f = e
              e = AddUnsigned(d, T1)
              d = c
              c = b
              b = a
              a = AddUnsigned(T1, T2)
          Next
          
          HASH(0) = AddUnsigned(a, HASH(0))
          HASH(1) = AddUnsigned(b, HASH(1))
          HASH(2) = AddUnsigned(c, HASH(2))
          HASH(3) = AddUnsigned(d, HASH(3))
          HASH(4) = AddUnsigned(e, HASH(4))
          HASH(5) = AddUnsigned(f, HASH(5))
          HASH(6) = AddUnsigned(g, HASH(6))
          HASH(7) = AddUnsigned(h, HASH(7))
      Next
      GetSHA256Hash = LCase(Right("00000000" & Hex(HASH(0)), 8) & Right("00000000" & Hex(HASH(1)), 8) & Right("00000000" & Hex(HASH(2)), 8) & Right("00000000" & Hex(HASH(3)), 8) & Right("00000000" & Hex(HASH(4)), 8) & Right("00000000" & Hex(HASH(5)), 8) & Right("00000000" & Hex(HASH(6)), 8) & Right("00000000" & Hex(HASH(7)), 8))
  End Function

  Public Function DecodeBase64()
    Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    Dim dataLength, sOut, groupBegin
    
    'remove white spaces, If any
    base64String = Replace(baseString, vbCrLf, "")
    base64String = Replace(base64String, vbTab, "")
    base64String = Replace(base64String, " ", "")
    
    'The source must consists from groups with Len of 4 chars
    dataLength = Len(base64String)
    If dataLength Mod 4 <> 0 Then
      Err.Raise 1, "Base64Decode", "Bad Base64 string."
      Exit Function
    End If
  
    
    ' Now decode each group:
    For groupBegin = 1 To dataLength Step 4
      Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
      ' Each data group encodes up To 3 actual bytes.
      numDataBytes = 3
      nGroup = 0
  
      For CharCounter = 0 To 3
        ' Convert each character into 6 bits of data, And add it To
        ' an integer For temporary storage.  If a character is a '=', there
        ' is one fewer data byte.  (There can only be a maximum of 2 '=' In
        ' the whole string.)
  
        thisChar = Mid(base64String, groupBegin + CharCounter, 1)
  
        If thisChar = "=" Then
          numDataBytes = numDataBytes - 1
          thisData = 0
        Else
          thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
        End If
        If thisData = -1 Then
          Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
          Exit Function
        End If
  
        nGroup = 64 * nGroup + thisData
      Next
      
      'Hex splits the long To 6 groups with 4 bits
      nGroup = Hex(nGroup)
      
      'Add leading zeros
      nGroup = String(6 - Len(nGroup), "0") & nGroup
      
      'Convert the 3 byte hex integer (6 chars) To 3 characters
      pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
        Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
        Chr(CByte("&H" & Mid(nGroup, 5, 2)))
      
      'add numDataBytes characters To out string
      sOut = sOut & Left(pOut, numDataBytes)
    Next
  
    DecodeBase64 = sOut
  End Function
  
  Public Function EncodeBase64()
    'rfc1521
    '2001 Antonin Foller, PSTRUH Software, http://pstruh.cz
    Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    Dim cOut, sOut, I
    
    'For each group of 3 bytes
    For I = 1 To Len(baseString) Step 3
      Dim nGroup, pOut, sGroup
      
      'Create one long from this 3 bytes.
      nGroup = &H10000 * Asc(Mid(baseString, I, 1)) + _
        &H100 * MyASC(Mid(baseString, I + 1, 1)) + MyASC(Mid(baseString, I + 2, 1))
      
      'Oct splits the long To 8 groups with 3 bits
      nGroup = Oct(nGroup)
      
      'Add leading zeros
      nGroup = String(8 - Len(nGroup), "0") & nGroup
      
      'Convert To base64
      pOut = Mid(Base64, CLng("&o" & Mid(nGroup, 1, 2)) + 1, 1) + _
        Mid(Base64, CLng("&o" & Mid(nGroup, 3, 2)) + 1, 1) + _
        Mid(Base64, CLng("&o" & Mid(nGroup, 5, 2)) + 1, 1) + _
        Mid(Base64, CLng("&o" & Mid(nGroup, 7, 2)) + 1, 1)
      
      'Add the part To OutPut string
      sOut = sOut + pOut
      
      'Add a new line For Each 76 chars In dest (76*3/4 = 57)
      'If (I + 2) Mod 57 = 0 Then sOut = sOut + vbCrLf
    Next
    Select Case Len(baseString) Mod 3
      Case 1: '8 bit final
        sOut = Left(sOut, Len(sOut) - 2) + "=="
      Case 2: '16 bit final
        sOut = Left(sOut, Len(sOut) - 1) + "="
    End Select
    EncodeBase64 = sOut
  End Function
  
  Private Function MyASC(OneChar)
    If OneChar = "" Then MyASC = 0 Else MyASC = Asc(OneChar)
  End Function

End Class
%>

spinal007 · #8 Jul 2nd, 2004, 18:04

that looks AWFULL! fair enough it might be safe but, I have an encrypt/decrypt aspmodule that does the lot in 30 lines of code, and if you spend a little more time with it, it's irreversible...

you are fine to save the password as a cookie as long as it's encrypted because there's nothing anyone can do with a load of junk. you should also store your passwords that way. then all you do when the user types in the password is encrypt the input and make sure it matches the stored value.

also, that will allow your users to "stay logged in unless they logout"...

Rob · #9 Jul 4th, 2004, 11:03

<blockquote id="quote"><font size="1" face="geneva, verdana, arial" id="quote">quote:<hr height="1" noshade id="quote">that looks AWFULL!<hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">May I point out that the above CLASS performs one way hashing, AS WELL AS base 64 encoding (and decoding)

Whilst it probabally could be shortened A LITTLE, you must remember it's an encrypt / decrypt and hashing tool, all in one.

If you have something that does all the above in just 30 lines then I severely question it's ability
to perform a secure encode and hash, and I'll ask you to post the code here for my close scrutiny.

courtjester · #10 Jul 4th, 2004, 16:40

what do I do to make that work? I don't know anything about encrypting... do I have to paste it inside of the form? Do I make it a seperate file and include it.. or submit my form to it, or what? lol, I haven't learned THAT much just yet :wink:

Rob · #11 Jul 5th, 2004, 08:59

Court Jester... use the file as an include!

then create an instance of the class!

something like this to encode:-

Code: Select all

<%
Set crypt = New EncryptionHelper
Crypt.baseString = "String to Encode"
EncodedString = Crypt.EncodeBase64()
Set Crypt = Nothing 'Important to clear up
%>

This to Decode:-

Code: Select all

<%
Set crypt = New EncryptionHelper
Crypt.baseString = "Encoded-String-Goes-Here"
EncodedString = Crypt.DecodeBase64()
Set Crypt = Nothing 'Important to clear up
%>

Use this to make a one way Hash:-

Code: Select all

<%
Set crypt = New EncryptionHelper
Crypt.baseString = "String to Hash"
EncodedString = Crypt.GetSha256Hash()
Set Crypt = Nothing 'Important to clear up
%>

Hope this helps!

courtjester · #12 Jul 6th, 2004, 00:04

Thanks Rob!

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
PHP Problems with Session Variables...	JustinStudios	PHP Forum	5	Jan 17th, 2008 05:05
Flash and PHP Session Variables	saxy46	Flash & Multimedia Forum	0	Jan 27th, 2007 18:21
Session variables	ideleon	PHP Forum	2	Feb 7th, 2006 08:04
Session Variables	ekendricks	Classic ASP	4	Dec 19th, 2003 06:33
Session Variables	ekendricks	Classic ASP	7	Aug 26th, 2003 10:42

		Webforumz.com > Main Forums > Program Your Website > Classic ASP
Session Variables....