Wrox Programmer Forums
Forum section: BOOK: Beginning ASP 3.0
#1
Old January 29th, 2009, 09:49 AM
chris1012 (Authorized User)
Join Date: Nov 2007
Location: Grimsby, North East Lincolnshire, United Kingdom.
Posts: 22

Sessions and secure area problem

Hey guys, I was wondering if anyone could help me with this. Basically I've made a database-driven website using an Access database, but it's not completely secure and I can't understand why. Basically, when I type in the hyperlink it still gives me access to the admin area. My code is posted below; any help is greatly appreciated...

login.asp


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE> Coach To Go Login</TITLE>
<META NAME="Generator" CONTENT="Christopher Elshaw">
<META NAME="Author" CONTENT="">
<META NAME="Keywords" CONTENT="Christopher Elshaw">
<META NAME="Description" CONTENT="Coach To Go Company">
<link rel="stylesheet" href="..\CSS\CSS.css" type="text/css" />
<script language="JavaScript" type="text/javascript">
function validate()
{
  var lf = document.logger
  var un = lf.username.value
  var pw = lf.password.value
  var submitOK = true
  if (un.length < 5) {
    alert("the username you provided is not valid")
    submitOK = false // username too short
  }
  if (pw.length < 6) // password shorter than 6 characters (field maxlength is 12)
  {
    alert("please enter a password between 6 and 12 characters")
    submitOK = false
  }
  // if any test fails, returning false stops the form being submitted
  return submitOK
}
</script>
</HEAD>
<body>
<div id="container">
<!-- logo = banner -->
<div id="logo">
<img src="../images/ctg.gif" width="1200" height="250" />
</div>
<!-- Navigation section -->
<div id="toplinks" >
<table>
<tr>
<td>
<A HREF="Home.asp">Home</A> &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Login.asp">Login</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Search.asp">Search Holidays</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Help.asp">Help!!!</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Contact.asp">Contact Details</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Feedback.asp">Company Feedback</A>
</td>
</tr>
</table>
</div>
<!-- header -->
<div id="header">
<br />
<b><u>Coach To Go Login Service</u></b>
<br />
<br />
</div>
<!-- intro -->
<div id="intro">
<br />
Welcome to the Coach To Go Login area, this area will provide you with the necessary access
<br />
for both customer and administrators of the Coach To Go Company
<br />
<br />
</div>
<!-- main site content -->
<div id="content">
<table width="1020px">
<tr>
<td width="50%">
<br />
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
Please enter your username and password below to get
<br />
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
access to your Coach To Go account
<br />
<br />
<Form name="logger" id="form1" action="logon_process.asp" method="post" onsubmit="return validate()">
<!-- JavaScript validation and bring data from database -->
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
Username:
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<input id="u1" type="text" name="username" size="20" maxlength="15">*
<br />
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
Password:
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<input id="p1" type="password" name="password" size="20" maxlength="12">*
&nbsp &nbsp &nbsp
<input type="submit" value="Login" id="loginbut"/>
</form>
</td>
<td width="50%" height="0%">
If you would like to use the Coach To Go system
<br />
please click the register button displayed below
<br />
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<form method="get" action="Register.asp">
<input type="submit" value="Register with Coach To Go">
</form>
</td>
</tr>
</table>
</div>
<!-- Footer -->
<div id="Footer">
(C) Coach To Go LTD <%response.write(date())%>.
</div>
</div>
</body>
</html>


loginerror.asp

<%@LANGUAGE=VBScript%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>* FAILED LOGON ATTEMPT *</title>
<meta name="Generator" content="Login Error" />
<meta name="Author" content="Christopher Elshaw" />
<meta name="Keywords" content="Login Error" />
<meta name="Description" content="This page displays a login error" />
<!-- return to login after 5 seconds -->
<meta http-equiv="refresh" content="5;URL=Login.asp">
<link rel="stylesheet" href="..\CSS\CSS.css" type="text/css" />
</head>
<body>
<div id="container">
<!-- Header = banner -->
<div id="logo">
<img src="../images/ctg.gif" width="1200" height="250" />
</div>
<!-- Navigation Links -->
<div id="toplinks" >
<A HREF="Home.asp">Home</A> &nbsp &nbsp &nbsp
<A HREF="Login.asp">Login</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<A HREF="Search.asp">Search Holidays</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<A HREF="Help.asp">Help!!!</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<A HREF="Contact.asp">Contact Details</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<A HREF="Feedback.asp">Company Feedback</A>
</div>
<!-- Intro to the page -->
<div id="intro">
Login Error
</div>
<!-- Content for the page -->
<div id="content">
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp I'm sorry, but the login details you provided were incorrect. Please try again.
</div>
<!-- Footer for the page -->
<div id="footer">
(C) Coach To Go LTD <%response.write(date())%>.
</div>
</body>
</html>

login_process.asp

<%@ Language=VBScript %>
<%
'user logon process script
'create a connection to the advanced data object db
Dim connection
Dim LogonRs
' ADO cursor and lock constants, normally supplied by adovbs.inc;
' without a declaration these names are simply undeclared (Empty) in VBScript
Const adOpenKeyset = 1
Const adLockOptimistic = 3
set connection=server.CreateObject("adodb.connection")
connection.Provider="Microsoft.JET.OLEDB.4.0"
connection.Open Server.Mappath("..\database\CoachToGo.mdb")
' create the logon record set
set LogonRs=server.CreateObject("adodb.recordset")
' send SQL string for login validation
LogonRs.Open "SELECT * from logon WHERE log_name='" & _
request("username") & "'" & " AND log_password='" & _
request("password") & "'",connection,adOpenKeyset,adLockOptimistic

' validate by value 1
If LogonRs.RecordCount=1 Then ' validated if 1 record found
' set session variable to be true (true for time user is logged in)
session("usr_accesslevel") = LogonRs("log_access")
session("usr_name") = LogonRs("log_realname")
session("usr_initials") = LogonRs("log_initials")
If session("usr_accesslevel")<3 Then
session("logadmin") = True
session ("loguser") = False
Response.Redirect("Adminmenu.asp")
Else
session("logadmin") = False
session ("loguser") = True
Response.Redirect("usermenu.asp")
End If
Else
' maintain "false" status
session("logadmin") = False
session ("loguser") = False
' inform user that attempt has been unsuccessful
Response.Redirect("Loginerror.asp")
End If
%>

session_stop.asp

<%@ Language=VBScript %>
<%
option Explicit
session("loggedin")=FALSE
Session.Contents.RemoveAll()
Session.Abandon
'return to log-in page
Response.redirect "sessiondirect.asp"
%>

session_direct.asp

<%@ Language=VBScript %>
<%
' check current session var for user and redirect
if session("loggedin")=FALSE Then
Response.Redirect("loginerror.asp")
else
Response.Redirect("adminmenu.asp")
end if
%>

What am I doing wrong? What do I need?
__________________
in opposite world i love programming
#2
Old January 30th, 2009, 12:40 AM
dparsons (Wrox Author)
Join Date: Oct 2005
Location: Ohio, USA
Posts: 4,104

I had to guess a little at the program flow, but my guess is that when you do this

asp Code:
if session("loggedin")=FALSE Then

in your Session_Direct page it is always dropping into the else, because it doesn't look like you ever set a session variable named loggedin in the code you have provided.

Moving on, this seems a little bit of a convoluted process that you have set up! What you are doing with 4 pages could probably be cleaned up a little. As far as logic goes, you really only need your LoginProcess page. Here is your code refactored a tiny bit:

asp Code:
Dim iAccessLevel
Dim blnLoggedIn
' validate by value 1

If Not LogonRs.EOF Then
     ' a row came back, so the credentials matched
     iAccessLevel = CInt(LogonRs("log_access"))
     ' (the If LogonRs.RecordCount=1 test sat here; Not EOF tells you the same thing)
     session("usr_accesslevel") = iAccessLevel
     session("usr_name") = LogonRs("log_realname")
     session("usr_initials") = LogonRs("log_initials")
     blnLoggedIn = True
     ' The original Else branch at this point set session("logadmin") = False
     ' and session("loguser") = False - this seems like a logic Error
Else
     blnLoggedIn = False
End If

' release the ADO objects before any redirect
LogonRs.Close()
Set LogonRs = Nothing
connection.Close()
Set connection = Nothing

If blnLoggedIn Then
  ' use the copied value: the RecordSet is already closed at this point
  If iAccessLevel < 3 Then
     session("logadmin") = True
     session ("loguser") = False
     Response.Redirect("Adminmenu.asp")
  Else
     session("logadmin") = False
     session ("loguser") = True
     Response.Redirect("usermenu.asp")
  End If
Else
     Response.Redirect("Loginerror.asp")
End If

and an include file:

asp Code:
<%
If Session("usr_name") = "" Then Response.Redirect("SomePage.asp")
%>


Ok. So the first snippet of code is your LoginProcess that I refactored a little bit, and I tried to keep it as close to what you had as I could. First, two variables:

Dim iAccessLevel
Dim blnLoggedIn

AccessLevel will tell you the AccessLevel of the current user, and the LoggedIn variable will be a boolean value stating whether or not the user has logged in. Next I added a test for .EOF; if this returns true it means that the RecordSet is empty and no data was returned from your database. It is because of this addition that I commented out the if inside the .EOF test, since they tell you really the same thing. Next I set up your session variables for the logged in user and set blnLoggedIn to true. I then close the RecordSet object and set it to Nothing. Finally I have a nested if that evaluates where to send the user, which is pretty self explanatory.

The next bit of code is code you should drop into an include file. All it does is check to see if the value of a session variable is empty or not; if it is, it redirects, otherwise it does nothing. Since you are using an access level variable, you will probably want to change this code to work off of that but, since I don't know your business logic, I am not of much use there.

Finally, to glue this all together you would drop the include file onto your protected pages like so:

<!--#include file="SecurityGuard.inc" -->

Place this at the top of your protected page.

Two last things: the reason I broke the code out that resides inside the nested if is because you were redirecting the user before you had closed your ADO objects (RecordSet, Connection), and this is a very, very bad practice. The long and the short of it is, unless you do this explicitly, you can run into memory leaks, and application degradation is the end result, which nobody wants. Second, do some reading up on SQL Injection and how to prevent it. Attacking the code that you have provided would prove trivial.

hth.
-Doug
__________________
===============================================
Doug Parsons
Wrox online library: Wrox Books 24 x 7
Did someone here help you? Click on their post!
"Easy is the path to wisdom for those not blinded by themselves."
===============================================
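As an added example (not Doug's code or the original poster's), here is a version of the include file that works off the access level stored by login_process.asp, as the reply suggests. RequireLogin, RequireAdmin and ADMIN_LEVEL_MAX are names chosen for this example; the session keys and the "below 3 is an administrator" rule are the ones from the thread.

```asp
<%
' SecurityGuard.inc - added example, not code from the thread.
' Assumes login_process.asp has stored Session("usr_name") and a numeric
' Session("usr_accesslevel"), where values below 3 mean administrator.
Const ADMIN_LEVEL_MAX = 2

' Every protected page: a visitor with no name in the session never
' passed through login_process.asp, so typing the URL directly is refused.
Sub RequireLogin()
    If Session("usr_name") = "" Then      ' Empty = "" is True in VBScript
        Response.Redirect "Login.asp"      ' Redirect also ends the script
    End If
End Sub

' Admin pages only: a logged-in customer (level 3 and up) is sent to
' the user menu instead of seeing the admin area.
Sub RequireAdmin()
    RequireLogin
    If CInt(Session("usr_accesslevel")) > ADMIN_LEVEL_MAX Then
        Response.Redirect "usermenu.asp"
    End If
End Sub

' Tell the browser not to keep a copy, so Back after session_stop.asp
' does not show a stale admin page.
Response.Expires = -1
Response.AddHeader "Cache-Control", "no-store"
Response.AddHeader "Pragma", "no-cache"
%>
```

At the top of Adminmenu.asp this becomes `<!--#include file="SecurityGuard.inc" --><% RequireAdmin %>`, and on usermenu.asp `<% RequireLogin %>`.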
 

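Following Doug's last two points, here is an added example (not from the thread) of the login script written with an ADODB.Command and ? parameters, so the username and password travel as data instead of being spliced into the SQL text, and with the ADO objects released before any redirect. The table, column and session names are the original poster's; the parameter sizes are an assumption.

```asp
<%@ Language=VBScript %>
<%
' login_process.asp - added example, not code from the thread.
Option Explicit
' ADO constants spelled out so adovbs.inc is not needed
Const adVarWChar = 202
Const adParamInput = 1
Const adCmdText = 1

Dim connection, cmd, rs, accessLevel, loggedIn
Set connection = Server.CreateObject("ADODB.Connection")
connection.Provider = "Microsoft.JET.OLEDB.4.0"
connection.Open Server.MapPath("..\database\CoachToGo.mdb")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = connection
cmd.CommandType = adCmdText
' The ? placeholders are filled in by the provider; a quote character
' typed into the username is compared as text, never parsed as SQL.
cmd.CommandText = "SELECT log_access, log_realname, log_initials " & _
                  "FROM logon WHERE log_name = ? AND log_password = ?"
cmd.Parameters.Append cmd.CreateParameter("name", adVarWChar, adParamInput, 255, Request.Form("username"))
cmd.Parameters.Append cmd.CreateParameter("pwd",  adVarWChar, adParamInput, 255, Request.Form("password"))

Set rs = cmd.Execute
loggedIn = Not rs.EOF                 ' a row means the credentials matched
If loggedIn Then
    accessLevel = CInt(rs("log_access"))
    Session("usr_accesslevel") = accessLevel
    Session("usr_name") = rs("log_realname")
    Session("usr_initials") = rs("log_initials")
End If

' Release the ADO objects first; Response.Redirect ends the script.
rs.Close : Set rs = Nothing
Set cmd = Nothing
connection.Close : Set connection = Nothing

If Not loggedIn Then
    Response.Redirect "Loginerror.asp"
ElseIf accessLevel < 3 Then
    Response.Redirect "Adminmenu.asp"
Else
    Response.Redirect "usermenu.asp"
End If
%>
```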
