Wrox Programmer Forums
|
Welcome to the p2p.wrox.com Forums.

You are currently viewing the BOOK: Beginning ASP 3.0 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old January 29th, 2009, 09:49 AM
Authorized User
 
Join Date: Nov 2007
Posts: 22
Thanks: 0
Thanked 0 Times in 0 Posts
Send a message via MSN to chris1012
Default Sessions and secure area problem

hey guys i was wondering if anyone could me with this basically i've made a database driven website using an access database but its not completely secure and i can't understand why basically when i type in the hyper link it it still gives me access to the admin area my codes posted below any help is greatly appreciated...

login.asp


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE> Coach To Go Login</TITLE>
<META NAME="Generator" CONTENT="Christopher Elshaw">
<META NAME="Author" CONTENT="">
<META NAME="Keywords" CONTENT="Christopher Elshaw">
<META NAME="Description" CONTENT="Coach To Go Company">
<link rel="stylesheet" href="..\CSS\CSS.css" type="text/css" />
<script language="JavaScript" type="text/javascript">
function validate()
{
lf=document.logger
un=lf.username.value
pw=lf.password.value
submitOK="True"
if (un.length <5) {
alert("the username you provided is not valid")
submitOK="False" // set to false
}
if (pw.length <7) // code is less than 1 or greater than 5
{
alert("please enter a password between 6 and 12 characters")
submitOK="False"
}
if (submitOK=="False") // if any test fails then return a boolean false
{
return false
}
}
</script>
</HEAD>
<body>
<div id="container">
<!--.................................................. ...logo = banner............................................ ...........................!-->
<div id="logo">
<img src="../images/ctg.gif" width="1200" height="250" />
</div>
<!--.................................................. ..Navigation section........................................... ..........................!-->
<div id="toplinks" >
<table>
<tr>
<td>
<A HREF="Home.asp">Home</A> &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Login.asp">Login</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Search.asp"">Search Holidays</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Help.asp">Help!!!</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Contact.asp">Contact Details</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Feedback.asp">Company Feedback</A>
</td>
</tr>
</table>
</div>
<!--.................................................. ..header.......................................... .......................................!-->
<div id="header">
<br />
<b> <u>Coach To Go Login Service</b> </u>
<br />
<br />
</div>
<!--.................................................. ..intro........................................... ......................................!-->
<div id="intro">
<br />
Welcome to the Coach To Go Login area, this area will provide you with the necessary access
<br />
for both customer and administrators of the Coach To Go Company
<br />
<br />
</div>
<!--...............................................mai n site content........................................... ..................................!-->
<div id="content">
<table width="1020px">
<tr>
<td width="50%">
<br />
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
Please enter your username and password below to get
<br />
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
access to your Coach To Go account
<br />
<br />
<Form name="logger" id="form1" action="logon_process.asp" method="post" onsubmit="return validate()">
<!--Java Script Validation and bring data from database_!-->
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
Username:
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<input id="u1" type="text" name="username" size="20" maxlength="15">*
<br />
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
Password:
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<input id="p1" type="password" name="password" size="20" maxlength="12">*
&nbsp &nbsp &nbsp
<input type="submit" value="Login" id="loginbut"/>
</form>
</td>
<td width="50%" height="0%">
If you would like to use the Coach To Go system
<br />
please click the register button displayed below
<br />
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<form method="LINK" Action="Register.asp">
<input type="submit" value="Register with Coach To Go">
</form>
</td>
</tr>
</table>
</div>
<!--.................................................. ...Footer......................................... ..........................................!-->
<div id="Footer">
(C) Coach To Go LTD <%response.write(date())%>.
</div>
</div>
</body>
</html>


loginerror.asp

<%@LANGUAGE=VBScript%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>* FAILED LOGON ATTEMPT *</title>
<meta name="Generator" content="Login Error" />
<meta name="Author" content="Christopher Elshaw" />
<meta name="Keywords" content="Login Error" />
<meta name="Description" content="This page displays a login error" />
<!-- return to login after 5 seconds!-->
<meta http-equiv="refresh" content="5;URL=Login.asp">
<link rel="stylesheet" href="..\CSS\CSS.css" type="text/css" />
</head>
<body>
<div id="container">
<!--.................................................. ...Header = banner............................................ ...........................!-->
<div id="logo">
<img src="../images/ctg.gif" width="1200" height="250" />
</div>
<!--.................................................. ...Navigation Links............................................. ..........................!-->
<div id="toplinks" >
<A HREF="Home.asp">Home</A> &nbsp &nbsp &nbsp
<A HREF="Login.asp">Login</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<A HREF="Search.asp"">Search Holidays</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<A HREF="Help.asp">Help!!!</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<A HREF="Contact.asp">Contact Details</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<A HREF="Feedback.asp">Company Feedback</A>
</div>
<!--.................................................. ...Intro To the page.............................................. .........................!-->
<div id="intro">
Login Error
</div>
<!--.................................................. ...Content for the page.............................................. .........................!-->
<div id="content">
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp I'me sorry but the login details you provided where incorrect please try again
</div>
<!--.................................................. ...Footer for the page.............................................. .........................!-->
<div id="footer">
(C) Coach To Go LTD <%response.write(date())%>.
</div>
</body>
</html>

login_process.asp

<%@ Language=VBScript %>
<%
'user logon process script
'create a connection to the advanced data object db
Dim connection
Dim DesRs
set connection=server.CreateObject("adodb.connection")
connection.Provider="Microsoft.JET.OLEDB.4.0"
connection.Open Server.Mappath("..\database\CoachToGo.mdb")
'variable creates logon record set'
set LogonRs=server.CreateObject("adodb.recordset")
' send SQL string to for login validation'
LogonRs.Open "SELECT * from logon WHERE log_name='" & _
request("username") & "'" & " AND log_password='" & _
request("password") & "'",connection,adOpenKeyset,adLockOptimistic

' validate by value 1
If LogonRs.RecordCount=1 Then ' validated if 1 record found
' set session variable to be true (true for time user is logged in)
session("usr_accesslevel") = LogonRs("log_access")
session("usr_name") = LogonRs("log_realname")
session("usr_initials") = LogonRs("log_initials")
If session("usr_accesslevel")<3 Then
session("logadmin") = True
session ("loguser") = False
Response.Redirect("Adminmenu.asp")
Else
session("logadmin") = False
session ("loguser") = True
Response.Redirect("usermenu.asp")
End If
Else
' maintain "false" status
session("logadmin") = False
session ("loguser") = False
' inform user that attempt has been unsuccessful
Response.Redirect("Loginerror.asp")
End If
%>

session_stop.asp

<%@ Language=VBScript %>
<%
option Explicit
session("loggedin")=FALSE
Session.Contents.RemoveAll()
Session.Abandon
'return to log-in page
Response.redirect "sessiondirect.asp"
%>

session_direct.asp

<%@ Language=VBScript %>
<%
' check current session var for user and redirect
if session("loggedin")=FALSE Then
Response.Redirect("loginerror.asp")
else
Response.Redirect("adminmenu.asp")
end if
%>

what am i doing wrong what do i need?
__________________
in opposite world i love programming
 
Old January 30th, 2009, 12:40 AM
Wrox Author
 
Join Date: Oct 2005
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons
Default

I had to guess a little at the program flow but, my guess is, when you do this

asp Code:
if session("loggedin")=FALSE Then

in your Session_Direct page it is always dropping into the else because it doesnt look like you ever set a session variable named loggedin in the code you have provided.

Moving on this seems a little bit of a convoluted process that you have setup! What you are doing with 4 pages could proably be cleaned up a little. As far as logic goes, you really only need your LoginProcess page. Here is your code refactored a tiny bit:

asp Code:
Dim iAccessLevel
Dim blnLoggedIn
' validate by value 1
 
If Not LogonRs.EOF
     iAccessLevel = LogonRs("log_Access")
     '
If LogonRs.RecordCount=1 Then ' validated if 1 record found
           session("usr_accesslevel") = LogonRs("log_access")
           session("usr_name") = LogonRs("log_realname")
           session("usr_initials") = LogonRs("log_initials")
           blnLoggedIn = True
      '
Else
      '     This seems like a logic Error
      '
      session("logadmin") = False
      '      session ("loguser") = False
      '
End If
Else blnLoggedIn = false
End If
 
LogonRs.Close()
LogonRs = Nothing
 
If blnLoggedIn Then
  If CInt(LogonRS("log_access") < 3 Then
     session("logadmin") = True
     session ("loguser") = False
     Response.Redirect("Adminmenu.asp")
  Else
     session("logadmin") = False
     session ("loguser") = True
     Response.Redirect("usermenu.asp")
  End If
Else
     Response.Redirect("Loginerror.asp")
End If

and an include file:

asp Code:
<%
If Session("usr_name") = "" Then Response.Redirect("SomePage.asp")
%>


Ok. So the first snipped of code is your LoginProcess that I refactored a little bit and I tried to keep it as close to what you had as I could. First two variables:

Dim iAccessLevel
Dim blnLoggedIn

AccessLevel will tell you the AccessLevel of the current user and the LoggedIn variable will be a boolean value stating weather or not the user has logged in. Next I added a test for .EOF if this returns true it means that the RecordSet is empty and no data was returned from your database. It is because of this addition that I commented out the if inside the .EOF test since they tell you really the same thing. Next I set up your session variables for the logged in user and set blnLoggedIn to true. I then close the RecordSet object and set it to Nothing. Finally I have a nested if that evaluates where to send the user which is pretty self explanatory.

The next bit of code is code you shoudl drop into an include file. All it does is check to see if the value of a session variable is empty or not, if it is it redirects otherwise it does nothing. Since you are using an access Level variable, you will probably want to change this code to work off of that but, since i dont know your business logic, I am not of much use there.

Finally to glue this all together you would drop the include file onto your protected pages likes so:

<!--include file="SecurityGuard.inc" -->

Place this at the top of your protected page.

Two last things: the reason I broke the code out that resides inside the nested if is because you were redirecting the user before you had closed your ADO objects (RecordSet, Connect) and this is a very very bad practice. The long and the short of it is, unless you do this explicitly, you can run into memory leaks and application degradation is the end result which nobody wants. Second, do some reading up on SQL Injection and how to prevent it. Attacking the code that you have provided would prove trivial.

hth.
-Doug
__________________
===============================================
Doug Parsons
Wrox online library: Wrox Books 24 x 7
Did someone here help you? Click on their post!
"Easy is the path to wisdom for those not blinded by themselves."
===============================================





Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem with sessions AndeeeUk Struts 2 July 15th, 2008 12:35 AM
Problem passing through sessions dmlocke PHP Databases 4 June 26th, 2006 08:08 PM
Protected Area Demo ASP.NET 2.0 Basics 0 May 25th, 2006 12:12 PM
Secure calvados Pro VB.NET 2002/2003 0 January 13th, 2005 08:40 AM
Mixing classic ASP sessions with ASP.NET sessions scorpion_king General .NET 2 August 4th, 2004 08:20 AM





Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.