Wrox Programmer Forums

  #1 (permalink)  
Old May 2nd, 2005, 09:39 AM
Newbie Help. Login to unique login page per user

I'm new to .ASP but trying to pick it up. What I'm trying to accomplish is to have a simple way to have users log in from the main site page and each go to their designated url. There will be a separate page for users of each company. There will be a very small amount of traffic. When I came on board the company only had a site with their address posted but the owner asked for this. Anyway, I've found tons of examples for .asp login scripts that will check authorization of users to a single page but none that have the logic to send each to their own page. Currently I have the following and I know one problem is that it is unsecure. At this point I'm not sure if it would be easier to use PHP or something else. Any comments would be appreciated.

I'm using the latest MySQL database and the current checkuser.asp code is below.

<%

Dim adoCon
Dim strCon
Dim rsCheckUser
Dim strAccessDB
Dim strSQL
Dim strSQL1
Dim strUrl
Dim strUserName
'will store the temp records
Dim rstemp

strUserName = Request.Form("txtUserName")
strAccessDB = "users"
Set adoCon = Server.CreateObject("ADODB.Connection")
strCon = "Driver={MySQL ODBC 3.51 Driver};uid=root;password=lookout;Server=localhost ;Option=16834;Database=CheckUser;"

adoCon.Open strCon

Set rsCheckUser = Server.CreateObject("ADODB.Recordset")
strSQL = "SELECT tblUsers.Password FROM tblUsers WHERE tblUsers.UserID ='" & strUserName & "'"
rsCheckUser.Open strSQL, strCon

'Query to pull the url from the DB'

strSQL1 = "SELECT tblUsers.Url FROM tblUsers WHERE tblUsers.UserID ='" & strUserName & "'"
set rstemp=adoCon.execute(strSQL1)
strUrl=rstemp("Url")
If NOT rsCheckUser.EOF Then

    'Read in the password for the user from the database
    If (Request.Form("txtUserPass")) = rsCheckUser("Password") Then
        Session("blnIsUserGood") = True

        Set adoCon = Nothing
        Set strCon = Nothing
        Set rsCheckUser = Nothing

        'this will direct user to this address.
        Response.Redirect ('" & strUrl & "') 'Doesn't work'

        Response.Redirect"abc.asp'" & strUrl & "'" 'doesn't work'

    End If

End If
%>

Any input is appreciated. Maybe I'm way off track and there is an easier way to go that is secure?? Thanks in advance for any help given.


Reply With Quote
  #2 (permalink)  
Old May 2nd, 2005, 10:19 AM

You need to do something like this:

If strUrl = "url1" Then
  Response.Redirect url1
ElseIf strUrl = "url2" Then
  Response.Redirect url2
End If

Reply With Quote
  #3 (permalink)  
Old May 2nd, 2005, 11:21 AM

Future,

I don't understand what I will gain by that code. I don't really need to check to see if the url is correct by comparing url to url. I need to redirect to a url by username if user/pass match. The thing is that I can't seem to pass the url from the DB as a string in the redirect statement. Also, this is insecure and I'm hoping to secure it. Am I making any sense? Probably not. LOL! Thanks a ton for the comment.

Reply With Quote
  #4 (permalink)  
Old May 2nd, 2005, 12:05 PM

If the Url is in the strUrl field, then this should work:

Response.Redirect (strUrl)

strUrl is already a string, so there is no need to put it in quotes.

I don't know about your database setup, but personally I would do something like this:


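Dim password
Dim userName
Dim sql
Dim rsUser
Dim strUrl

' Escape single quotes in the submitted values
password = Replace(Request.Form("txtPassword"), "'", "''")
userName = Replace(Request.Form("txtUserName"), "'", "''")

sql = "SELECT RedirectUrl FROM UserTable WHERE UserName = '" & userName & "' AND Password = '" & password & "'"

' Open connection and execute sql
' (adoCon is assumed to be an open ADODB.Connection, as in the first post)
Set rsUser = adoCon.Execute(sql)
If Not rsUser.EOF Then
  strUrl = rsUser("RedirectUrl")
End If
rsUser.Close

' Redirect only when a matching user was found
If strUrl <> "" Then
  Response.Redirect(strUrl)
End If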

Note that I am using Replace to minimize the risk of SQL injection (people inserting SQL statements instead of a user name or password). However, this method is definitely not secure enough. It would be much better to use Stored Procedures or parameterized queries. But that's a topic for another post.... ;)

You wouldn't gain anything from switching to PHP. When it comes down to stuff like this, both languages offer equal opportunities.

Cheers,

Imar



---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
Reply With Quote
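The parameterized query mentioned in the post above, as an added example that is not part of the original thread. Table and column names are taken from that post; the `Application("UserDbConnectionString")` setting, the 50-character limits and `login.asp` are assumptions.

```asp
<%
' Added example: login lookup with bound parameters instead of Replace().
' ADO constants, declared here so no adovbs.inc include is needed.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

Dim conn, cmd, rsUser, strUrl
strUrl = ""

Set conn = Server.CreateObject("ADODB.Connection")
' Hypothetical setting: keeps the connection string and DB password out of the page.
conn.Open Application("UserDbConnectionString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? markers are bound by position. The submitted values are sent as data
' and never become part of the SQL text, so quotes in them have no effect.
cmd.CommandText = "SELECT RedirectUrl FROM UserTable WHERE UserName = ? AND Password = ?"
' Left() also caps the input at the declared parameter size (assumed: 50).
cmd.Parameters.Append cmd.CreateParameter("userName", adVarChar, adParamInput, 50, _
    Left(Request.Form("txtUserName"), 50))
cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, 50, _
    Left(Request.Form("txtPassword"), 50))

Set rsUser = cmd.Execute
If Not rsUser.EOF Then
  strUrl = rsUser("RedirectUrl")
End If
rsUser.Close
conn.Close
Set rsUser = Nothing
Set cmd = Nothing
Set conn = Nothing

If strUrl <> "" Then
  Response.Redirect strUrl
Else
  ' No row matched: same response for unknown user and wrong password.
  Response.Redirect "login.asp" ' hypothetical login page name
End If
%>
```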
  #5 (permalink)  
Old May 2nd, 2005, 01:11 PM

Sorry, I think I totally misunderstood what you are trying to do. Are you trying to redirect to the original url after being logged in?
If so, I can help.


Reply With Quote
  #6 (permalink)  
Old May 2nd, 2005, 01:23 PM

I'm sorry I was unclear. What I'm trying to accomplish is to have each user login and have it check the database to see where that user's home page (if you want to call it that) should be. Each customer will only have access to their own customer page after login which will not be the original login page but one with a list of jobs, etc. for their company. I hope this clears it up. Thanks for the effort here. :)

Reply With Quote
  #7 (permalink)  
Old May 2nd, 2005, 01:48 PM

Hi Kainan,

Doesn't my post answer that question? The Url you want to redirect to can be stored in the database together with the customer details.

Let me know if you need more help.

Cheers,

Imar
Reply With Quote
  #8 (permalink)  
Old May 2nd, 2005, 02:07 PM

Imar,

Now that I look at it I do see that your code looks like what I'm looking for, although different than what I thought. What I'm concerned with is the lack of a session or code to stop people from seeing the URL and simply typing it in to bypass the login entirely. Thanks a ton! If you have other suggestions then please post up. :)

Reply With Quote
  #9 (permalink)  
Old May 2nd, 2005, 02:30 PM

Why not create a session object on the login page, then check that session object on the user's homepage?

Session("Url") = strUrl

At the top of the homepage, first query the database for the url, then check the match:

If Session("Url") = strUrl Then

and at the end of the code:

Else
  Response.Redirect(strUrl)
End If

Totally off the top of my head, but should work.

Reply With Quote
  #10 (permalink)  
Old May 2nd, 2005, 04:45 PM

What futurefiles is suggesting is indeed part of what you need.

The principle I showed you is only used to determine the page you want to redirect to. It does *not* provide a security mechanism in any way. But then again, I don't think you asked for that in your first post ;)

Anyway, on the login page, you could set a session variable that determines what page(s) the user is allowed to see. You can store the user's ID, the root URL or anything else you see fit.

In the pages you're protecting, check for this session variable:

<%
  If Session("CompanyUrl") <> "SomeCompanyNameUrl" Then
    Response.Redirect("NoAccess.asp")
  End If
%>

This assumes that each company has its own set of files, and that you include this code in each page for each customer. The "SomeCompanyNameUrl" is hardcoded for each company in each file.

Alternatively, if you're willing to take a (minor) performance hit you can check the current Url (using Request.ServerVariables("SCRIPT_NAME") and Request.ServerVariables("HTTP_HOST")) and then query the database on each request, and find out if the user is allowed to view the requested Url.

For that to work, you'll need to store the user's name in a session so you can send it in every page request.

HtH,

Imar
Reply With Quote
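The per-page session check described in the post above, written as one include file instead of a hardcoded company name in every page. This is an added example, not code from the thread; it assumes the login page stored the user's site-relative start page (for example "/customers/acme/default.asp") in `Session("CompanyUrl")`, that each company's pages live in that page's folder, and that `/NoAccess.asp` exists outside those folders.

```asp
<%
' protect.asp (hypothetical file name) - added example.
' Pull it in at the top of every customer page with a server-side include.

' Returns the folder part of a site-relative path, lower-cased and ending in
' a slash, so that "/customers/acme/" cannot match "/customers/acme2/...".
Function FolderOf(path)
  Dim p, lastSlash
  p = LCase(Replace(path, "\", "/"))
  lastSlash = InStrRev(p, "/")
  If lastSlash = 0 Then
    FolderOf = ""
  Else
    FolderOf = Left(p, lastSlash)
  End If
End Function

Dim allowedFolder, requestedPath
' "" & ... turns an unset session value (Empty) into an empty string.
allowedFolder = FolderOf("" & Session("CompanyUrl"))
' SCRIPT_NAME is the path of the page being executed, without query string.
requestedPath = LCase(Request.ServerVariables("SCRIPT_NAME"))

' Deny when nobody is logged in, when the stored page sits in the site root
' (its "folder" would cover the whole site), or when the requested page is
' outside the logged-in user's folder.
If allowedFolder = "" Or allowedFolder = "/" _
   Or Left(requestedPath, Len(allowedFolder)) <> allowedFolder Then
  Response.Redirect "/NoAccess.asp"
End If
%>
```

Typing another company's URL directly now lands on NoAccess.asp, because the comparison uses the value set at login rather than anything supplied in the request.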