 |
| Classic ASP Basics For beginner programmers starting with "classic" ASP 3, pre-".NET." NOT for ASP.NET 1.0, 1.1, or 2.0 |
Welcome to the p2p.wrox.com Forums.
You are currently viewing the Classic ASP Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
|
|
|
|

July 4th, 2005, 10:29 PM
|
|
Authorized User
|
|
Join Date: Jul 2005
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
asp session
In my login.asp I have the following code:
<%
Dim sSessionID, sMessage
If Len(Request.Form("cmdSubmit")) > 0 then
mySQL = "EXECUTE usp_CheckLogin @usid='" & Trim(Lcase(Request.Form("usid"))) & "',@password='" + Trim(Request.Form("password")) & "'"
call updateDB(mySQL, rs)
sSessionID = rs.Fields(0).Value
rs.close()
CloseDB()
end if
if Len(Trim(Lcase(Request.Form("usid")))) > 0 AND Len(Trim(Request.Form("password"))) > 0 then
If sSessionID = -1 Then
SMessage = "username or password invalid"
else
response.write "<input type='hidden' name='sSessionID' value=" & sSessionID & ">"
Response.Redirect ("home.asp?id=" & sSessionID)
end if
end if
%>
<html><head><title>login page</title></head>
<body>
<form method="post" action="login.asp">
<table>
<tr><td colspan="2"><h3>Login Page</h3></td></tr>
<tr><td colspan="2"><% = sMessage%></td></tr>
<tr>
<td>user name<td>
<td><input type="text" name="usid"
value="<% = Request.Form("usID")%>"></td>
</tr>
<tr>
<td>password<td>
<td><input type="password" name="password"
value="<% = Request.Form("password")%>"></td>
</tr>
<tr>
<td> <td>
<td><input type="submit" name="cmdSubmit" value="login"></td>
</tr>
</table>
</form>
</body>
</html>
In my home.asp I have the following code:
<%
if Len(Request.QueryString("id")) = 0 then
response.redirect "login.asp"
end if
Tem = Trim(Lcase(Request.QueryString("id")))
Tem = replace(Tem,"{","")
Tem = replace(Tem,"}","")
mySQL = "EXECUTE usp_CheckSessionID @sessionID='" & Tem & "'"
call updateDB(mySQL, rs)
if rs.Fields(0).Value = -1 then
response.redirect "login.asp"
end if
CloseDB()
%>
In my database_Function.asp I have the following code:
<%
dim objConn,rs
sub openDB()
set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "PROVIDER=SQLOLEDB;DATA SOURCE=127.0.0.1;UID=mama;PWD=papa;DATABASE=Godson "
end sub
sub updateDB(SQL,rs)
openDB()
set rs = objConn.Execute(SQL)
end sub
sub getFromDB(SQL,rs,filename)
openDb()
set rs = Server.CreateObject("ADODB.Recordset")
rs.lockType = adLockReadOnly
rs.cursorType = adOpenStatic
rs.Open SQL, objConn
end sub
sub closeDB()
objConn.Close
set objConn = nothing
end sub
%>
These are tables and procedures created in ms sql:
create table tbl_users
(
SessionID varchar(255) Primary Key,
usID Varchar(20),
Password Varchar(20),
LastUpdate Smalldatetime
);
Create Procedure usp_CheckSessionID
@sessionID Varchar(255)
As SET NOCOUNT ON
if EXISTS(SELECT top 1 * FROM tbl_users WHERE sessionID=@sessionID AND DATEDIFF(n,LastUpdate,GETDATE())<=20)
begin
update tbl_users set LastUpdate = GETDATE() WHERE sessionID=@sessionID
Select 0
end
else
Select -1
Return
GO
create procedure usp_CheckLogin
@usID Varchar(20),
@password varchar(20)
As SET NOCOUNT ON
Declare @sessionID as UNIQUEIDENTIFIER
Declare @session as Varchar(255)
if exists(Select top 1 * from tbl_users where usID=@usID AND password=@password)
Begin
set @sessionID = NEWID()
set @session = CONVERT(Varchar(255),@sessionID)
Update tbl_users Set sessionID=@session,LastUpdate=GetDate() where usID = @usID and password = @password
Select @sessionID
End
else
Select -1
Return
GO
Everything works fine. However there is a problem. The problem is:
In my login.asp page requires me to enter the username and password. It works fine. When I enter a valid username and password it will redirect me to home.asp with a link as followed for example http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505}.
This works fine. However in terms of security this link http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505} will work for as long as (SELECT top 1 * FROM tbl_users WHERE sessionID=@sessionID AND DATEDIFF(n,LastUpdate,GETDATE())<=20) even when I close my browser window, open it again and type http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505}.
Is there a way to keep id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505} hidden across different pages for security purpose without using session variables, cookies and querystring.
Your help is kindly appreciated.
Regards
Eugene Anthony
|
|

July 4th, 2005, 10:56 PM
|
|
Friend of Wrox
|
|
Join Date: Jan 2004
Posts: 1,870
Thanks: 12
Thanked 20 Times in 20 Posts
|
|
Use hidden form variables
Wind is your friend
Matt
|
|

July 4th, 2005, 11:06 PM
|
|
Authorized User
|
|
Join Date: Jul 2005
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
I did but it does not work in my case. Could u show me how can it be done in my code, and will work.
|
|

July 4th, 2005, 11:30 PM
|
|
Friend of Wrox
|
|
Join Date: Jan 2004
Posts: 1,870
Thanks: 12
Thanked 20 Times in 20 Posts
|
|
it wont work with a response.redirect. If you submit a form it will, it works like any other form variable. Dont forget to assign a value to it.
Can I write a page for you, no. Can I assist you to trouble shoot a "problematic piece of code", yes. Have a go, when you hit a wall post the "problematic code" for assitance.
Wind is your friend
Matt
|
|

July 5th, 2005, 12:27 AM
|
|
Authorized User
|
|
Join Date: Jul 2005
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Hiding stuff in/from the client has nothing whatsoever to do with security. You cannot maintain a "session" without passing a token back and forth between the client and server. If you feel this exposes you to the risk of a man-in-the-middle attack, then use SSL. But even then you will need to keep passing the token.
So the short answer is: NO.
From your point of view, do u think my program will be highly exposed to hacking such as sql injection?.
Regards
Eugene
|
|

July 5th, 2005, 12:48 AM
|
|
Friend of Wrox
|
|
Join Date: Jan 2004
Posts: 1,870
Thanks: 12
Thanked 20 Times in 20 Posts
|
|
Are you chatting with your self? Im confused.
Wind is your friend
Matt
|
|

July 5th, 2005, 04:56 AM
|
|
Authorized User
|
|
Join Date: Jul 2005
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
ops im sorry, I forgot to add the sentence "This is a feedback I received in regards to my question". Please accept my apology for the confusion.
|
|

July 5th, 2005, 11:38 PM
|
|
Authorized User
|
|
Join Date: Jul 2005
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
I found the solution. I truely appreciate your help. Thank You.
|
|
 |