View Single Post
  #2 (permalink)  
Old January 30th, 2009, 12:40 AM
dparsons dparsons is offline
Wrox Author
Points: 13,255, Level: 49
Points: 13,255, Level: 49 Points: 13,255, Level: 49 Points: 13,255, Level: 49
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Oct 2005
Location: Ohio, USA
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons
Default

I had to guess a little at the program flow but, my guess is, when you do this

asp Code:
if session("loggedin")=FALSE Then

in your Session_Direct page it is always dropping into the else because it doesnt look like you ever set a session variable named loggedin in the code you have provided.

Moving on this seems a little bit of a convoluted process that you have setup! What you are doing with 4 pages could proably be cleaned up a little. As far as logic goes, you really only need your LoginProcess page. Here is your code refactored a tiny bit:

asp Code:
Dim iAccessLevel
Dim blnLoggedIn
' validate by value 1
 
If Not LogonRs.EOF
     iAccessLevel = LogonRs("log_Access")
     '
If LogonRs.RecordCount=1 Then ' validated if 1 record found
           session("usr_accesslevel") = LogonRs("log_access")
           session("usr_name") = LogonRs("log_realname")
           session("usr_initials") = LogonRs("log_initials")
           blnLoggedIn = True
      '
Else
      '     This seems like a logic Error
      '
      session("logadmin") = False
      '      session ("loguser") = False
      '
End If
Else blnLoggedIn = false
End If
 
LogonRs.Close()
LogonRs = Nothing
 
If blnLoggedIn Then
  If CInt(LogonRS("log_access") < 3 Then
     session("logadmin") = True
     session ("loguser") = False
     Response.Redirect("Adminmenu.asp")
  Else
     session("logadmin") = False
     session ("loguser") = True
     Response.Redirect("usermenu.asp")
  End If
Else
     Response.Redirect("Loginerror.asp")
End If

and an include file:

asp Code:
<%
If Session("usr_name") = "" Then Response.Redirect("SomePage.asp")
%>


Ok. So the first snipped of code is your LoginProcess that I refactored a little bit and I tried to keep it as close to what you had as I could. First two variables:

Dim iAccessLevel
Dim blnLoggedIn

AccessLevel will tell you the AccessLevel of the current user and the LoggedIn variable will be a boolean value stating weather or not the user has logged in. Next I added a test for .EOF if this returns true it means that the RecordSet is empty and no data was returned from your database. It is because of this addition that I commented out the if inside the .EOF test since they tell you really the same thing. Next I set up your session variables for the logged in user and set blnLoggedIn to true. I then close the RecordSet object and set it to Nothing. Finally I have a nested if that evaluates where to send the user which is pretty self explanatory.

The next bit of code is code you shoudl drop into an include file. All it does is check to see if the value of a session variable is empty or not, if it is it redirects otherwise it does nothing. Since you are using an access Level variable, you will probably want to change this code to work off of that but, since i dont know your business logic, I am not of much use there.

Finally to glue this all together you would drop the include file onto your protected pages likes so:

<!--include file="SecurityGuard.inc" -->

Place this at the top of your protected page.

Two last things: the reason I broke the code out that resides inside the nested if is because you were redirecting the user before you had closed your ADO objects (RecordSet, Connect) and this is a very very bad practice. The long and the short of it is, unless you do this explicitly, you can run into memory leaks and application degradation is the end result which nobody wants. Second, do some reading up on SQL Injection and how to prevent it. Attacking the code that you have provided would prove trivial.

hth.
-Doug
__________________
===============================================
Doug Parsons
Wrox online library: Wrox Books 24 x 7
Did someone here help you? Click on their post!
"Easy is the path to wisdom for those not blinded by themselves."
===============================================