I had to guess a little at the program flow, but my guess is that when you do this
if session("loggedin")=FALSE Then
in your Session_Direct page it is always dropping into the else, because it doesn't look like you ever set a session variable named loggedin in the code you have provided.
Moving on, this seems a little bit of a convoluted process that you have set up! What you are doing with 4 pages could probably be cleaned up a little. As far as logic goes, you really only need your LoginProcess page. Here is your code refactored a tiny bit:
' validate by value 1
Dim iAccessLevel, blnLoggedIn
If Not LogonRs.EOF Then
    ' keep the access level in a local so it is still available after the RecordSet is released
    iAccessLevel = CInt(LogonRs("log_Access"))
    'If LogonRs.RecordCount=1 Then ' validated if 1 record found
    session("usr_accesslevel") = LogonRs("log_access")
    session("usr_name") = LogonRs("log_realname")
    session("usr_initials") = LogonRs("log_initials")
    blnLoggedIn = True
    ' This seems like a logic Error
    ' session("logadmin") = False
    ' session ("loguser") = False
Else
    blnLoggedIn = False
End If
' close and release the RecordSet before any redirect
LogonRs.Close
Set LogonRs = Nothing
If blnLoggedIn Then
    If iAccessLevel < 3 Then
        session("logadmin") = True
        session("loguser") = False
    Else
        session("logadmin") = False
        session("loguser") = True
    End If
End If
and an include file:
<%
' SecurityGuard.inc: anyone without a logged-in session is sent away
If Session("usr_name") = "" Then Response.Redirect("SomePage.asp")
%>
OK. So the first snippet of code is your LoginProcess that I refactored a little bit, and I tried to keep it as close to what you had as I could. First, two variables:
AccessLevel will tell you the AccessLevel of the current user, and the LoggedIn variable will be a boolean value stating whether or not the user has logged in. Next I added a test for .EOF; if this returns true it means that the RecordSet is empty and no data was returned from your database. It is because of this addition that I commented out the if inside the .EOF test, since they tell you really the same thing. Next I set up your session variables for the logged in user and set blnLoggedIn to true. I then close the RecordSet object and set it to Nothing. Finally I have a nested if that evaluates where to send the user, which is pretty self explanatory.
The next bit of code is code you should drop into an include file. All it does is check to see if the value of a session variable is empty or not; if it is, it redirects, otherwise it does nothing. Since you are using an access level variable, you will probably want to change this code to work off of that, but since I don't know your business logic, I am not of much use there.
Finally, to glue this all together, you would drop the include file onto your protected pages like so:
<!-- #include file="SecurityGuard.inc" -->
Place this at the top of your protected page.
Two last things: the reason I broke the code out that resides inside the nested if is because you were redirecting the user before you had closed your ADO objects (RecordSet, Connect) and this is a very very bad practice. The long and the short of it is, unless you do this explicitly, you can run into memory leaks and application degradation is the end result which nobody wants. Second, do some reading up on SQL Injection and how to prevent it. Attacking the code that you have provided would prove trivial.
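As an added example (not part of the answer above), here is the same LoginProcess logic with the database lookup done through a parameterised ADODB.Command, so the submitted username and password never become part of the SQL text; this is the standard Classic ASP answer to the SQL injection point raised at the end. The connection string strConn, the table name Logins, the column names log_user and log_pass, the form field names, and the landing pages AdminHome.asp, UserHome.asp and Login.asp are all assumptions.

```vbscript
<%
' Added example, not the original poster's code.
' Assumed: strConn holds an ADO connection string, and table Logins has columns
' log_user, log_pass, log_access, log_realname, log_initials.
Dim cn, cmd, LogonRs, blnLoggedIn, iAccessLevel

Set cn = Server.CreateObject("ADODB.Connection")
cn.Open strConn

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = 1 ' adCmdText
' Placeholders (?) are bound below; no string concatenation of user input.
cmd.CommandText = "SELECT log_access, log_realname, log_initials " & _
                  "FROM Logins WHERE log_user = ? AND log_pass = ?"
' CreateParameter(name, type, direction, size, value): 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("user", 200, 1, 50, Request.Form("username"))
cmd.Parameters.Append cmd.CreateParameter("pass", 200, 1, 50, Request.Form("password"))

Set LogonRs = cmd.Execute

If Not LogonRs.EOF Then
    iAccessLevel = CInt(LogonRs("log_access"))
    Session("usr_accesslevel") = iAccessLevel
    Session("usr_name") = LogonRs("log_realname")
    Session("usr_initials") = LogonRs("log_initials")
    blnLoggedIn = True
Else
    blnLoggedIn = False
End If

' Release every ADO object before any Response.Redirect, for the reason given above.
LogonRs.Close
Set LogonRs = Nothing
Set cmd = Nothing
cn.Close
Set cn = Nothing

If blnLoggedIn Then
    If iAccessLevel < 3 Then
        Session("logadmin") = True
        Session("loguser") = False
        Response.Redirect("AdminHome.asp")
    Else
        Session("logadmin") = False
        Session("loguser") = True
        Response.Redirect("UserHome.asp")
    End If
Else
    Response.Redirect("Login.asp")
End If
%>
```

The numeric constants 1, 200 and 1 stand in for adCmdText, adVarChar and adParamInput; if adovbs.inc is included on the page the named constants can be used instead. The parameter size (50 here) should match the width of the columns in the assumed table.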
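A second added example (again not from the answer above) shows the include file reworked to key off the access level, which is the change suggested for SecurityGuard.inc. The page that includes it sets iRequiredLevel before the include line; the value 3 as the boundary between admin and ordinary users is taken from the login code above, and the file name SecurityGuard.inc and the page Login.asp are assumptions.

```vbscript
<%
' Added example, not the original poster's code.
' Usage on a protected page, before the include line:
'   Dim iRequiredLevel : iRequiredLevel = 3   ' or a smaller number for admin-only pages
'   <!-- #include file="SecurityGuard.inc" -->
Dim sLevel
sLevel = Session("usr_accesslevel")

' Not logged in at all: the session value was never set, or was cleared.
If sLevel = "" Or Not IsNumeric(sLevel) Then
    Response.Redirect("Login.asp")
End If

' Logged in but with a higher (weaker) level than this page requires.
' Lower numbers mean more access, matching the "< 3 is admin" test in LoginProcess.
If CInt(sLevel) > iRequiredLevel Then
    Response.Redirect("Login.asp")
End If
%>
```

Response.Redirect ends the response in Classic ASP, so nothing after it on the protected page is sent to a visitor who failed either check.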