security_asp thread: Response.Redirect
Message #1 by "Aissam Aissam" <daissam@s...> on Fri, 12 Jul 2002 05:35:38 -0700
Hmm....
Let's take this one step at a time.
The fact that you're going to this effort indicates security truly is
important for this Intranet application? If so, the first step is to
clean up the login authentication -- You're currently open to SQL
Injection. As it stands right now, if I were on your Intranet I could
use SQL Injection to log in as any employee whose user ID I could guess.
The password check will be completely bypassed. (ouch!) There's lots
of info on this available in the newsgroups, or you can email me
privately if you need recommendations.
Once that's cleaned up, David's suggestion should get you where you need
to be. If high performance is an issue (not usually the case for the
scenario you're describing) you'll want to look at something that
doesn't require string work, but as I said that's probably not the case
for you.
Also, I'm assuming you're using 'regular' ASP (as opposed to ASP.NET).
If that's not the case, the recommendations change completely....
Beth
-----Original Message-----
From: Debreceni, David
To: Security_asp
Sent: 7/12/2002 1:21 PM
Subject: [security_asp] RE: Response.Redirect
Okay, I am not 100% on all the stuff you are trying to do, but here are
some quick things I see:
In your query you use LIKE; for a username/password situation always use
=, otherwise users mike and mikey are both going to come back. I
realize you include the password part, but the same can happen with that.
What on your subsequent pages are you looking for to verify that the
user does indeed have rights to this page? If you look at the session
variables loginname and security, they will exist for each page under
the app. What triggers the login page to actually be displayed? Is it
a lack of a security session variable?
It sounds like from your description that users have a predetermined
access right based upon their login. I am assuming you are storing this
information in the database. If so, How does the web know that the user
can go to IT and not say HR? I would recommend using a bit string in a
database char field. Make it as long as you need it and then assign
rights based upon the bits using bit 0 as false and 1 as true. For
example say you return in the query a bitstring in the field
rs("security") which equals 01001001001. You could say that the second
bit means you can see the IT page. so at the top of each page under the
IT arena you would put a statement like
If mid(session("SecurityBit"),2,1) = "0" then
response.redirect "error.asp"
end if
Hope that helps.
David Debreceni
Senior Visual Basic/ASP Developer
xxx-xxx-xxxx x 1086
-----Original Message-----
From: Aissam Aissam [mailto:daissam@s...
<mailto:daissam@s...> ]
Sent: Friday, July 12, 2002 12:50 PM
To: Security_asp
Subject: [security_asp] RE: Response.Redirect
No, it doesn't.
But take a look at what I have done in the code below. This intranet
application takes the user first to a menu (without asking for
id/pswrd). Once there, he would have to click the department he belongs
to, and based on his id he should be allowed/denied access to the
department in question.
It does let me in after checking my id, however, when I click the back
button, it takes me to the menu (Organization chart with hyperlinks to
departments & sections), there, I can click any department(including
those I should not be allowed into) without being asked for the password
again. So, security wise it's a disaster.
<%@ Language=VBScript %>
<%
Response.Buffer = True
dim db, rs, query, name, password, url, msg
' the login page. the second time through the username
' and password are processed.
name = Request.Form("Name")
password = Request.Form("Password")
if name <> "" then
    ' look up the record in the database
    ' Create the connection - CHANGE THE DSN for your
    ' own database!!!!
    Set db = Server.CreateObject("ADODB.Connection")
    db.Open "login"
    ' create the record set on the connection
    Set rs = Server.CreateObject("ADODB.RecordSet")
    ' perform the query, requiring password match.
    query = "SELECT * from Users WHERE "
    query = query & "Username LIKE " & "'" & name & "' AND "
    query = query & "Password LIKE " & "'" & password & "'"
    rs.Open query, db
    ' is there a username/password match?
    if NOT rs.EOF then
        ' got a match. Set up the user data
        Session("LoginName") = name
        Session("security") = rs("security")
        Session("LoginName") = rs("Username")
        ' redirect back to the calling page.
        url = Session("ScriptName")
        url = url & "?"
        url = url & Session("QueryString")
        Response.Redirect(url)
    else
        ' no match. Deliver the bad news:
        msg = "Sorry, this Username and Password are not recognized. Want to try again?"
    end if
end if
' otherwise it is the failure or the first time through, so just
' show the form.
%>
<HTML>
<HEAD>
<META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
</HEAD>
<BODY background=images/backgrd4.gif>
<P align=center><STRONG>Please Enter Your Username and Password</STRONG></P>
<P align=center> </P>
<P> </P>
<FORM NAME="login" ACTION="login.asp" METHOD="post">
<B>Username: <INPUT SIZE=10 NAME="Name"><BR>
<B>
Password: <INPUT TYPE="password" SIZE=10 NAME="Password"><BR>
<INPUT TYPE="submit" NAME="Submit" value="Submit">
</FORM>
<%
' Login failed. let them try again.
if msg <> "" then
    Response.write(msg & "<BR>")
end if
%>
</B></B>
</BODY>
</HTML>
> "Debreceni, David" <david_debreceni@r...> "Security_asp"
<security_asp@p...> [security_asp] RE: Response.RedirectDate:
Fri, 12 Jul 2002 12:17:58 -0400
>Reply-To: "Security_asp" <security_asp@p...>
>
>does it display your message that you have set up if the department is not
>IT?
>
>David Debreceni
>Senior Visual Basic/ASP Developer
>xxx-xxx-xxxx x 1086
>
>
>-----Original Message-----
>From: Aissam Aissam [mailto:daissam@s...
<mailto:daissam@s...> ]
>Sent: Friday, July 12, 2002 12:12 PM
>To: Security_asp
>Subject: [security_asp] RE: Response.Redirect
>
>
>Still doing the same thing.
>
>> "Debreceni, David" <david_debreceni@r...> "Security_asp"
><security_asp@p...> [security_asp] RE: Response.RedirectDate:
Fri,
>12 Jul 2002 11:41:08 -0400
>>Reply-To: "Security_asp" <security_asp@p...>
>>
>>I generally do string compares using strcomp instead of the = sign. That
>>has made a difference before for me. Try changing
>>session("Department") = "IT" to strcomp(session("Department"),"IT")
>>
>>Hope that helps
>>
>>David Debreceni
>>Senior Visual Basic/ASP Developer
>>xxx-xxx-xxxx x 1086
>>
>>
>>-----Original Message-----
>>From: Aissam Aissam [mailto:daissam@s...
<mailto:daissam@s...> ]
>>Sent: Friday, July 12, 2002 11:22 AM
>>To: Security_asp
>>Subject: [security_asp] RE: Response.Redirect
>>
>>
>>Thanks David,
>>
>>I realized that after submitting the e-mail. But the login process is still
>>not working. After I enter the userID/Password, the page blinks, the
>>Username/Password field gets cleared up, and I am not redirected to where I
>>should be.
>>
>>> "Debreceni, David" <david_debreceni@r...> "Security_asp"
>><security_asp@p...> [security_asp] RE: Response.RedirectDate:
Fri,
>>12 Jul 2002 10:25:56 -0400
>>>Reply-To: "Security_asp" <security_asp@p...>
>>>
>>>You have three if statements started and only 2 end ifs, that is why
you
>>get
>>>that error.
>>>
>>>David Debreceni
>>>Senior Visual Basic/ASP Developer
>>>xxx-xxx-xxxx x 1086
>>>
>>>
>>>-----Original Message-----
>>>From: Aissam Aissam [mailto:daissam@s...
<mailto:daissam@s...> ]
>>>Sent: Friday, July 12, 2002 8:36 AM
>>>To: Security_asp
>>>Subject: [security_asp] Response.Redirect
>>>
>>>
>>>Hello Folks,
>>>
>>>I would like to implement this in my intranet application:
>>>Response.Redirect a user based on the userID/Password they enter. I have
>>>tried doing it in my login.asp page, but it doesn't seem to be working. Here
>>>is my code. I would appreciate it if you could see it and tell me what's
>>>wrong with it. I keep getting a VBScript run-time error "Expected 'End'" at
>>>line ...
>>><%
>>> Response.Buffer = True
>>> dim db, rs, query, name, password, url, msg
>>>
>>> ' the login page. the second time through the username
>>> ' and password are processed.
>>> name = Request.Form("Name")
>>> password = Request.Form("Password")
>>> if name <> "" then
>>> ' look up the record in the database
>>> ' Create the connection - CHANGE THE DSN for your
>>> ' own database!!!!
>>> Set db = Server.CreateObject("ADODB.Connection")
>>> db.Open "login"
>>>
>>> ' create the record set on the connection
>>> Set rs = Server.CreateObject("ADODB.RecordSet")
>>>
>>> ' perform the query, requiring password match.
>>> query = "SELECT * from Users WHERE "
>>> query = query & "Username LIKE " & "'" & name & "' AND "
>>> query = query & "Password LIKE " & "'" & password & "'"
>>> rs.Open query, db
>>>
>>> ' is there a username/password match?
>>> if NOT rs.EOF then
>>> ' got a match. Set up the user data
>>> Department = rs("Department")
>>> security = rs("security")
>>> name = rs("Username")
>>> session("security") = security
>>> session("Department") = Department
>>> Session("Username") = name
>>>
>>> if session("Department") = "IT" then
>>> Response.Redirect "300400.asp"
>>>
>>> else
>>> ' no match. Deliver the bad news:
>>> msg = "Sorry, this Username and Password are not recognized. Want to try again?"
>>> end if
>>> end if
>>>
>>> ' otherwise it is the failure or the first time through, so just
>>> ' show the form.
>>>%>
>>>Thanks
>>>
>>>Poll7
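Added example, not code from anyone in the thread: the two fixes Beth and David describe, written as a classic ASP (VBScript) include. The login lookup uses an exact "=" match through a parameterised ADODB.Command instead of building the LIKE query from form input, and RequireBit is the per-page check on the bit string David suggests. It assumes the DSN "login", the Users table with Username, Password and security columns from the posted code, and that bit 2 stands for IT (David's example); SecurityBits, AuthenticateUser and RequireBit are names chosen here.

```vbscript
<%
' Added example (not from the thread). Assumes DSN "login" and a Users
' table with Username, Password and a "security" bit string such as
' "01001001001" (from David's post); the names below are this example's.

' Exact-match lookup through a parameterised command: "=" instead of LIKE,
' and the submitted values are bound as parameters rather than pasted into
' the SQL text, so quote characters in them cannot change the WHERE clause.
' Returns True and fills the session on success.
Function AuthenticateUser(db, name, password)
    Dim cmd, rs
    Const adVarChar = 200, adParamInput = 1
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = db
    cmd.CommandText = "SELECT Username, security FROM Users " & _
                      "WHERE Username = ? AND Password = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 50, name)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, 50, password)
    Set rs = cmd.Execute
    AuthenticateUser = Not rs.EOF
    If AuthenticateUser Then
        Session("LoginName") = rs("Username")
        Session("SecurityBits") = rs("security")   ' e.g. "01001001001"
    End If
    rs.Close
End Function

' Put "RequireBit 2" (IT) at the top of every page in that department's area.
' With no session value (never logged in, session expired, or the page was
' reached via the Back button or a menu link) Mid returns "", which is not
' "1", so the user is sent to login.asp and returned here afterwards.
' Compare against the string "1": VBScript does not treat a string as equal
' to a number, so a check like Mid(...) = 0 would never match, and a Null
' bit string from the database would make the If condition Null, i.e. False.
Sub RequireBit(position)
    Dim bits
    bits = Session("SecurityBits")
    If IsNull(bits) Or IsEmpty(bits) Then bits = ""
    If Mid(bits, position, 1) <> "1" Then
        Session("ScriptName") = Request.ServerVariables("SCRIPT_NAME")
        Session("QueryString") = Request.ServerVariables("QUERY_STRING")
        Response.Redirect "login.asp"
    End If
End Sub
%>
```

login.asp would call AuthenticateUser(db, Request.Form("Name"), Request.Form("Password")) and, on True, redirect to Session("ScriptName") as the posted code already does; because every department page re-runs RequireBit against the session, the menu links no longer bypass the check.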