January 29th, 2009, 09:49 AM
chris1012
Authorized User
Join Date: Nov 2007
Location: Grimsby, North East Lincolnshire, United Kingdom.
Posts: 22
Sessions and secure area problem

Hey guys, I was wondering if anyone could help me with this. Basically I've made a database-driven website using an Access database, but it's not completely secure and I can't understand why. Basically, when I type in the hyperlink, it still gives me access to the admin area. My code is posted below; any help is greatly appreciated...

login.asp


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE> Coach To Go Login</TITLE>
<META NAME="Generator" CONTENT="Christopher Elshaw">
<META NAME="Author" CONTENT="">
<META NAME="Keywords" CONTENT="Christopher Elshaw">
<META NAME="Description" CONTENT="Coach To Go Company">
<link rel="stylesheet" href="../CSS/CSS.css" type="text/css" />
<script language="JavaScript" type="text/javascript">
// Client-side check only: it saves a round trip, but it can be bypassed by
// posting the form directly, so the server must validate the credentials itself.
function validate()
{
var lf = document.logger;
var un = lf.username.value;
var pw = lf.password.value;
var submitOK = true;
if (un.length < 5) // username must be at least 5 characters
{
alert("the username you provided is not valid");
submitOK = false;
}
if (pw.length < 6 || pw.length > 12) // password must be 6 to 12 characters (the field's maxlength is 12)
{
alert("please enter a password between 6 and 12 characters");
submitOK = false;
}
return submitOK; // returning false cancels the submission
}
</script>
</HEAD>
<body>
<div id="container">
<!-- logo / banner -->
<div id="logo">
<img src="../images/ctg.gif" width="1200" height="250" />
</div>
<!-- navigation section -->
<div id="toplinks" >
<table>
<tr>
<td>
<A HREF="Home.asp">Home</A> &nbsp; &nbsp; &nbsp;
</td>
<td>
<A HREF="Login.asp">Login</A> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</td>
<td>
<A HREF="Search.asp">Search Holidays</A> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</td>
<td>
<A HREF="Help.asp">Help!!!</A> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</td>
<td>
<A HREF="Contact.asp">Contact Details</A> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</td>
<td>
<A HREF="Feedback.asp">Company Feedback</A>
</td>
</tr>
</table>
</div>
<!-- header -->
<div id="header">
<br />
<b><u>Coach To Go Login Service</u></b>
<br />
<br />
</div>
<!-- intro -->
<div id="intro">
<br />
Welcome to the Coach To Go Login area. This area will provide you with the necessary access
<br />
for both customers and administrators of the Coach To Go Company.
<br />
<br />
</div>
<!-- main site content -->
<div id="content">
<table width="1020">
<tr>
<td width="50%">
<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
Please enter your username and password below to get
<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
access to your Coach To Go account
<br />
<br />
<!-- JavaScript validation runs first; the form then posts to login_process.asp (the file shown below) -->
<Form name="logger" id="form1" action="login_process.asp" method="post" onsubmit="return validate()">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
Username:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
<input id="u1" type="text" name="username" size="20" maxlength="15">*
<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
Password:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
<input id="p1" type="password" name="password" size="20" maxlength="12">*
&nbsp; &nbsp; &nbsp;
<input type="submit" value="Login" id="loginbut"/>
</form>
</td>
<td width="50%" height="0%">
If you would like to use the Coach To Go system
<br />
please click the register button displayed below
<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
<!-- "LINK" is not a valid form method; GET simply opens the registration page -->
<form method="get" action="Register.asp">
<input type="submit" value="Register with Coach To Go">
</form>
</td>
</tr>
</table>
</div>
<!-- footer -->
<div id="Footer">
(C) Coach To Go LTD <%response.write(date())%>.
</div>
</div>
</body>
</html>


loginerror.asp

<%@LANGUAGE=VBScript%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>* FAILED LOGON ATTEMPT *</title>
<meta name="Generator" content="Login Error" />
<meta name="Author" content="Christopher Elshaw" />
<meta name="Keywords" content="Login Error" />
<meta name="Description" content="This page displays a login error" />
<!-- return to login after 5 seconds -->
<meta http-equiv="refresh" content="5;URL=Login.asp">
<link rel="stylesheet" href="../CSS/CSS.css" type="text/css" />
</head>
<body>
<div id="container">
<!-- header / banner -->
<div id="logo">
<img src="../images/ctg.gif" width="1200" height="250" />
</div>
<!-- navigation links -->
<div id="toplinks" >
<A HREF="Home.asp">Home</A> &nbsp; &nbsp; &nbsp;
<A HREF="Login.asp">Login</A> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
<A HREF="Search.asp">Search Holidays</A> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
<A HREF="Help.asp">Help!!!</A> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
<A HREF="Contact.asp">Contact Details</A> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
<A HREF="Feedback.asp">Company Feedback</A>
</div>
<!-- intro to the page -->
<div id="intro">
Login Error
</div>
<!-- content for the page -->
<div id="content">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; I'm sorry, but the login details you provided were incorrect. Please try again.
</div>
<!-- footer for the page -->
<div id="footer">
(C) Coach To Go LTD <%response.write(date())%>.
</div>
</div>
</body>
</html>

login_process.asp

<%@ Language=VBScript %>
<%
Option Explicit
' user logon process script

' ADO constants (normally supplied by adovbs.inc). Without the include the
' original names adOpenKeyset/adLockOptimistic were undeclared, i.e. Empty,
' which ADO reads as 0: a forward-only, read-only cursor whose RecordCount
' is always -1, so "RecordCount = 1" could never be true.
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

Dim connection, cmd, LogonRs

' create a connection to the Access database
Set connection = Server.CreateObject("ADODB.Connection")
connection.Provider = "Microsoft.JET.OLEDB.4.0"
connection.Open Server.MapPath("..\database\CoachToGo.mdb")

' Parameterised query: the user input is bound as values and never pasted
' into the SQL text, so a quote in the username or password cannot change
' the query (the original string concatenation was open to SQL injection).
' Request.Form is used so the credentials must come from the posted form,
' not from the query string. Note that log_password is compared as plain
' text, which means the passwords are stored unhashed in the database.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = connection
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT log_access, log_realname, log_initials " & _
                  "FROM logon WHERE log_name = ? AND log_password = ?"
cmd.Parameters.Append cmd.CreateParameter("username", adVarWChar, adParamInput, 50, Request.Form("username"))
cmd.Parameters.Append cmd.CreateParameter("password", adVarWChar, adParamInput, 50, Request.Form("password"))
Set LogonRs = cmd.Execute

' a forward-only cursor reports RecordCount = -1, so test EOF instead
If Not LogonRs.EOF Then
    ' matching row found: mark the session as logged in and record the role
    Session("loggedin") = True   ' this is the flag session_direct.asp tests
    Session("usr_accesslevel") = LogonRs("log_access")
    Session("usr_name") = LogonRs("log_realname")
    Session("usr_initials") = LogonRs("log_initials")
    LogonRs.Close
    connection.Close
    If Session("usr_accesslevel") < 3 Then
        Session("logadmin") = True
        Session("loguser") = False
        Response.Redirect "Adminmenu.asp"
    Else
        Session("logadmin") = False
        Session("loguser") = True
        Response.Redirect "usermenu.asp"
    End If
Else
    ' no match: clear every login flag and report the failure
    LogonRs.Close
    connection.Close
    Session("loggedin") = False
    Session("logadmin") = False
    Session("loguser") = False
    Response.Redirect "Loginerror.asp"
End If
%>

session_stop.asp

<%@ Language=VBScript %>
<%
Option Explicit
' log the user out: drop every session value, then abandon the session so
' the browser's session cookie no longer maps to any state on the server
Session.Contents.RemoveAll()
Session.Abandon
' return to the login flow (the file name matches session_direct.asp below)
Response.Redirect "session_direct.asp"
%>

session_direct.asp

<%@ Language=VBScript %>
<%
Option Explicit
' check the current session flags and send the user to the right menu.
' A session value that was never set is Empty, and in VBScript
' (Empty = False) is True, so test for the exact Boolean True that
' login_process.asp stores rather than comparing against False.
If Session("loggedin") <> True Then
    Response.Redirect "loginerror.asp"
ElseIf Session("logadmin") = True Then
    Response.Redirect "adminmenu.asp"
Else
    Response.Redirect "usermenu.asp"
End If
%>

What am I doing wrong? What do I need?
__________________
in opposite world i love programming
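The pages posted above only set session flags; none of them tests a flag before serving a page, and Adminmenu.asp itself is not shown. If that page contains no check, requesting its URL directly returns the admin area whether or not login_process.asp ever ran: a session variable is only a flag, and every protected page has to test it before it writes anything. The code below is an added example, not code from the original post. It assumes a hypothetical include file named require_role.asp kept in the same folder as Adminmenu.asp and usermenu.asp, and it uses the session names the posted login_process.asp sets (logadmin, loguser). The second part shows the first lines of an Adminmenu.asp that uses it.

```vbscript
<%
' ===== require_role.asp =====
' Hypothetical file name; added example, not from the original post.
' Included as the first thing on every protected page (see the Adminmenu.asp
' fragment below). It carries no @Language directive and no Option Explicit,
' because both may appear only once per page and an include is merged into
' the page that includes it.

' A session value that was never set is Empty, and in VBScript
' (Empty = False) is True and (Empty < 3) is True. So a check such as
' Session("usr_accesslevel") < 3, or Session("logadmin") <> False, admits a
' visitor who never logged in. Only the Boolean True that login_process.asp
' stores counts as having the role.
Function HasRole(roleFlag)
    HasRole = False
    If VarType(Session(roleFlag)) = vbBoolean Then
        HasRole = (Session(roleFlag) = True)
    End If
End Function

' Send anyone without the role to the login page and stop processing, so
' nothing below the guard is rendered. The redirect header can only be sent
' while the response is still unsent, hence Buffer = True and the rule that
' the include precedes all HTML on the page.
Sub RequireRole(roleFlag)
    If Not HasRole(roleFlag) Then
        Response.Buffer = True
        Response.Clear
        Response.Redirect "Login.asp"
        Response.End
    End If
End Sub
%>

<%@ Language=VBScript %>
<% Option Explicit %>
<!--#include file="require_role.asp"-->
<%
' ===== Adminmenu.asp (first lines; the rest of the page is the menu HTML) =====
' Admin pages require the logadmin flag; usermenu.asp and the customer pages
' would call RequireRole "loguser" instead. Because the call comes before the
' first byte of HTML, a direct request for Adminmenu.asp from a browser that
' never logged in is answered with a redirect to Login.asp and nothing else.
RequireRole "logadmin"
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD><TITLE>Coach To Go Admin Menu</TITLE></HEAD>
<BODY>
Logged in as <%= Server.HTMLEncode(Session("usr_name") & "") %>
</BODY>
</HTML>
```

Option Explicit has to sit in its own script block before the include, since it must be the first statement of the merged page. The Server.HTMLEncode call on the session value is there because usr_name comes out of the database and is being written into HTML.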