Cookies and Passwords


#1

I wanted to use a cookie to identify a returning user so he wouldn’t have to enter his password again. I looked through the posts for how to program cookies but didn’t see anything, so I thought I’d post what I wrote on how to handle a cookie for my need. The code below gives the user 30 days before he has to re-enter the password.

It seems to work okay. If you see an issue or a way to improve, I’d be interested.

Thanks, Rodney

'Check cookie...
Dim sReadCookie, sTheValues, dDate, iDays, bPasswordValid, NewDate
Dim sTheHash, req, sAnswer

Function Form0_onshow()
  sReadCookie = document.cookie
  If sReadCookie <> "" Then
    'There's a value. document.cookie returns every cookie for the page as
    '"name=value; name2=value2", so splitting on "=" only isolates the date
    'while "password" is the only cookie set for this page.
    sTheValues = Split(sReadCookie, "=")
    If UBound(sTheValues) >= 1 And IsDate(sTheValues(1)) Then
      dDate = sTheValues(1)
      iDays = DateDiff("d", Now, dDate)
      If iDays < 1 Then
        'Password expired: clear the cookie with a date in the past.
        'The expires attribute needs the "Thu, 01 Jan 1970 00:00:00 GMT" form;
        'a semicolon after the weekday ends the attribute early.
        txtPwdDays.textContent = "0"
        document.cookie = "password=; expires=Thu, 01 Jan 1970 00:00:00 GMT"
        bPasswordValid = "False"
        NSB.MsgBox "Password Expired", 0, "TGP Parameters"
      Else
        'Password valid...
        txtPwdDays.textContent = iDays
        txtPassword.value = "Password Valid"
        'NSB.MsgBox "Password Valid", 0, "TGP Parameters"
        bPasswordValid = "True"
      End If
    End If
  End If
End Function

'Check password...
Function btnCheckPassword_onclick()
  If bPasswordValid = "True" Then
    'Go to form 1...
    ChangeForm(Form1)
    Exit Function
  End If

  'Check for characters...
  If txtPassword.value = "" Then
    'Nothing entered...
    Exit Function
  End If

  'Let's get the hash. sjcl.hash.sha256.hash returns an sjcl bit array, which
  'the & below turns into a comma-separated list of numbers; sjcl.codec.hex.fromBits
  'gives the usual hex digest if the server expects that form instead.
  sTheHash = sjcl.hash.sha256.hash(txtPassword.value)
  'Let's send it to the server. As a GET, the hash travels in the query string
  '(and so into server and proxy logs); a POST body keeps it out of the URL.
  req = Ajax("chkpw.php?myPW=" & sTheHash)
  If req.status = 200 Then 'success
    sAnswer = req.responseText
    If sAnswer = "Yes" Then
      'Go on to next screen..
      NSB.MsgBox "Password Accepted", 0, "TGP Parameters"
      NewDate = DateAdd("d", 30, Now)
      'txtTheCookie.textContent = "Cookie: " & NewDate
      'Let the cookie itself expire on the stored date rather than on a fixed
      'date; toUTCString is the JavaScript Date method and yields the required format.
      document.cookie = "password=" & NewDate & "; expires=" & NewDate.toUTCString()
      ChangeForm(Form1)
      Exit Function
    Else
      'Bad Password...
      NSB.MsgBox "Password Failed", 0, "TGP Parameters"
      Exit Function
    End If
  Else 'failure
    'sAnswer = "Error: " & req.err.message
    MsgBox "Problem with Ajax script."
  End If
End Function
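An added example, not code from anyone in this thread: reading one named cookie out of the `document.cookie` string in plain JavaScript, and working out how many days remain until the date it holds. The browser hands the page all of its cookies as `name=value; name2=value2`, so the `Split(sReadCookie,"=")` in the post above only works while `password` is the only cookie; the function below picks the named one whatever else is present. The cookie name `password`, the sample cookie string and the clock value are constructed for the demonstration.

```javascript
// Return the value of cookie `name` from a document.cookie string, or null.
// cookieString is what document.cookie returns: "name=value; name2=value2".
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf("=");
    if (eq === -1) continue;                         // nothing to split, skip
    if (trimmed.slice(0, eq) !== name) continue;     // exact name match only
    return decodeURIComponent(trimmed.slice(eq + 1)); // undo encodeURIComponent
  }
  return null;
}

// Whole days from nowMs until dateString (anything Date.parse accepts),
// rounded down; null when the string is not a date.
function daysUntil(dateString, nowMs = Date.now()) {
  const t = Date.parse(dateString);
  if (Number.isNaN(t)) return null;
  return Math.floor((t - nowMs) / 86400000);
}

// Constructed sample: three cookies, the middle one is the stored expiry date.
const SAMPLE_COOKIES = "theme=dark; password=2024-02-15T00%3A00%3A00Z; lang=en";
const SAMPLE_NOW = Date.UTC(2024, 0, 1);

// Mirrors the post's Form0_onshow check: days left, or 0 when expired/missing.
function passwordDaysLeft(cookieString = SAMPLE_COOKIES, nowMs = SAMPLE_NOW) {
  const stored = getCookie(cookieString, "password");
  if (stored === null) return 0;
  const days = daysUntil(stored, nowMs);
  return days === null || days < 1 ? 0 : days;
}
```

In the page itself the call is `getCookie(document.cookie, "password")`; storing the date with `encodeURIComponent` keeps the `;` and `,` that date strings contain from being read as cookie separators.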

#2

Thanks for posting this. A couple of thoughts:

  1. Why use cookies instead of localstorage for this?
    https://stackoverflow.com/questions/3220660/local-storage-vs-cookies#3220802

  2. What stops someone from opening the Chrome Debugger and changing the value of the cookie, bypassing the signon?


#3

George thanks for your response.
I read your reference link and it was good. There was some talk about the cookies and storage being stored on the server. As far as I can tell, I think both cookies and localStorage items are stored on the client’s computer. As I review localStorage, the better choice would have been localStorage for you don’t have to ‘mess around’ with the expiration date. You can create, read and delete as you like the storage item. I think these are the main calls:

localStorage.setItem("KeyValue", "1234")
sClientKeyValue = localStorage.getItem("KeyValue")
localStorage.removeItem("KeyValue")

I may have posted this in the wrong location. Not sure if it should have been posted in Comments section…

Thanks, Rodney


#4

It’s a good idea to encrypt as well.

John


#5

John, yes it’s a good idea.

The syntax for localStorage (that I gave above) wasn’t exactly correct. Here’s the same example using localStorage rather than cookies… I think it’s a better way to go. Thanks, Rodney

'Check Date...
Dim sReadDate, dDate, iDays, bPasswordValid, NewDate
Dim sTheHash, req, sAnswer

Function Form0_onshow()
  'getItem returns Null when the key was never stored; IsDate then fails below.
  sReadDate = localStorage.getItem("ExpDate")
  If sReadDate <> "" Then
    'There's a value...
    If IsDate(sReadDate) Then
      dDate = sReadDate
      iDays = DateDiff("d", Now, dDate)
      If iDays < 1 Then
        'Password expired...
        txtPwdDays.textContent = "0"
        localStorage.removeItem("ExpDate")
        bPasswordValid = "False"
        NSB.MsgBox "Password Expired", 0, "TGP Parameters"
      Else
        'Password valid...
        txtPwdDays.textContent = iDays
        txtPassword.value = "Password Valid"
        'NSB.MsgBox "Password Valid", 0, "TGP Parameters"
        bPasswordValid = "True"
      End If
    End If
  End If
End Function

'Check password...
Function btnCheckPassword_onclick()
  If bPasswordValid = "True" Then
    'Go to form 1...
    ChangeForm(Form1)
    Exit Function
  End If

  'Check for characters...
  If txtPassword.value = "" Then
    'Nothing entered...
    Exit Function
  End If

  'Let's get the hash. sjcl.hash.sha256.hash returns an sjcl bit array, which
  'the & below turns into a comma-separated list of numbers; sjcl.codec.hex.fromBits
  'gives the usual hex digest if the server expects that form instead.
  sTheHash = sjcl.hash.sha256.hash(txtPassword.value)
  'Let's send it to the server. As a GET, the hash travels in the query string
  '(and so into server and proxy logs); a POST body keeps it out of the URL.
  req = Ajax("chkpw.php?myPW=" & sTheHash)
  If req.status = 200 Then 'success
    sAnswer = req.responseText
    If sAnswer = "Yes" Then
      'Go on to next screen..
      NSB.MsgBox "Password Accepted", 0, "TGP Parameters"
      NewDate = DateAdd("d", 30, Now)
      'localStorage keeps the item until removed; the 30-day limit lives in the value.
      localStorage.setItem("ExpDate", NewDate)
      NSB.MsgBox "Key Stored", 0, "Information"
      ChangeForm(Form1)
      Exit Function
    Else
      'Bad Password...
      NSB.MsgBox "Password Failed", 0, "TGP Parameters"
      Exit Function
    End If
  Else 'failure
    'sAnswer = "Error: " & req.err.message
    MsgBox "Problem with Ajax script."
  End If
End Function