Wrox Programmer Forums
Classic ASP Basics: for beginner programmers starting with "classic" ASP 3, pre-".NET". NOT for ASP.NET 1.0, 1.1, or 2.0.
Welcome to the p2p.wrox.com Forums.

You are currently viewing the Classic ASP Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

Old July 4th, 2005, 10:29 PM
Authorized User
Join Date: Jul 2005
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
asp session

In my login.asp I have the following code:



<%
Dim sSessionID, sMessage

If Len(Request.Form("cmdSubmit")) > 0 Then

    ' The EXECUTE string is built by concatenating the posted fields straight
    ' into the SQL text, so a quote character typed into either box becomes
    ' part of the statement rather than part of the value.
    mySQL = "EXECUTE usp_CheckLogin @usid='" & Trim(LCase(Request.Form("usid"))) & "',@password='" & Trim(Request.Form("password")) & "'"
    Call updateDB(mySQL, rs)

    ' usp_CheckLogin selects the new uniqueidentifier, or -1 when the login fails
    sSessionID = rs.Fields(0).Value
    rs.Close
    CloseDB()

End If

If Len(Trim(LCase(Request.Form("usid")))) > 0 And Len(Trim(Request.Form("password"))) > 0 Then

    If sSessionID = -1 Then
        sMessage = "username or password invalid"
    Else
        ' This hidden input never reaches the browser: Response.Redirect replaces
        ' the buffered response with a 302 to home.asp (and raises an error when
        ' buffering is off), so the id only travels in the query string.
        Response.Write "<input type='hidden' name='sSessionID' value=" & sSessionID & ">"
        Response.Redirect ("home.asp?id=" & sSessionID)
    End If

End If
%>

<html><head><title>login page</title></head>
<body>
<form method="post" action="login.asp">
<table>
<tr><td colspan="2"><h3>Login Page</h3></td></tr>
<tr><td colspan="2"><% = sMessage %></td></tr>
<tr>
<td>user name</td>
<td><input type="text" name="usid"
value="<% = Server.HTMLEncode(Request.Form("usid")) %>"></td>
</tr>
<tr>
<td>password</td>
<!-- the password is not written back into the page source after a failed attempt -->
<td><input type="password" name="password" value=""></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="cmdSubmit" value="login"></td>
</tr>
</table>
</form>
</body>
</html>


In my home.asp I have the following code:



<%
Dim Tem, sCheck

If Len(Request.QueryString("id")) = 0 Then
    Response.Redirect "login.asp"
End If

' ADO hands the uniqueidentifier back as {XXXXXXXX-...}; strip the braces so the
' value matches the CONVERT(Varchar(255), ...) form stored by usp_CheckLogin
Tem = Trim(LCase(Request.QueryString("id")))
Tem = Replace(Tem, "{", "")
Tem = Replace(Tem, "}", "")

' The id is concatenated into the EXECUTE string unchanged, so anything other
' than a GUID in the query string reaches SQL Server as part of the statement
mySQL = "EXECUTE usp_CheckSessionID @sessionID='" & Tem & "'"
Call updateDB(mySQL, rs)

' read the result and release the connection before any redirect, since
' Response.Redirect ends the page and closeDB() would otherwise never run
sCheck = rs.Fields(0).Value
rs.Close
CloseDB()

' usp_CheckSessionID selects -1 when the id is unknown or older than 20 minutes
If sCheck = -1 Then
    Response.Redirect "login.asp"
End If
%>


In my database_Function.asp I have the following code:

<%
' ADO constants used by getFromDB (these are the values adovbs.inc defines)
Const adLockReadOnly = 1
Const adOpenStatic = 3

Dim objConn, rs

Sub openDB()
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Open "PROVIDER=SQLOLEDB;DATA SOURCE=127.0.0.1;UID=mama;PWD=papa;DATABASE=Godson"
End Sub

' Runs SQL over a fresh connection and hands back the default forward-only recordset
Sub updateDB(SQL, rs)
    openDB()
    Set rs = objConn.Execute(SQL)
End Sub

' Same as updateDB but with a static, read-only cursor (so RecordCount works);
' the filename argument is accepted for compatibility and not used here
Sub getFromDB(SQL, rs, filename)
    openDB()
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.LockType = adLockReadOnly
    rs.CursorType = adOpenStatic
    rs.Open SQL, objConn
End Sub

Sub closeDB()
    objConn.Close
    Set objConn = Nothing
End Sub
%>


These are the table and procedures created in MS SQL:

create table tbl_users
(
SessionID varchar(255) Primary Key,
usID Varchar(20),
Password Varchar(20),
LastUpdate Smalldatetime
);



Create Procedure usp_CheckSessionID
@sessionID Varchar(255)
As SET NOCOUNT ON

if EXISTS(SELECT top 1 * FROM tbl_users WHERE sessionID=@sessionID AND DATEDIFF(n,LastUpdate,GETDATE())<=20)

begin
update tbl_users set LastUpdate = GETDATE() WHERE sessionID=@sessionID
Select 0
end

else
Select -1

Return
GO



create procedure usp_CheckLogin
@usID Varchar(20),
@password varchar(20)
As SET NOCOUNT ON

Declare @sessionID as UNIQUEIDENTIFIER
Declare @session as Varchar(255)

if exists(Select top 1 * from tbl_users where usID=@usID AND password=@password)

Begin
set @sessionID = NEWID()
set @session = CONVERT(Varchar(255),@sessionID)
Update tbl_users Set sessionID=@session,LastUpdate=GetDate() where usID = @usID and password = @password
Select @sessionID
End

else
Select -1

Return
GO


Everything works fine. However, there is a problem. The problem is:

My login.asp page requires me to enter the username and password. It works fine. When I enter a valid username and password it redirects me to home.asp with a link as follows, for example http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505}.

This works fine. However, in terms of security, this link http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505} will work for as long as (SELECT top 1 * FROM tbl_users WHERE sessionID=@sessionID AND DATEDIFF(n,LastUpdate,GETDATE())<=20) holds, even when I close my browser window, open it again and type http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505}.

Is there a way to keep id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505} hidden across different pages for security purposes without using session variables, cookies and the querystring?

Your help is kindly appreciated.

Regards

Eugene Anthony
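
As an added example (not code from the thread or its author): the same two stored-procedure calls made through ADODB.Command parameters instead of a concatenated EXECUTE string. It assumes objConn, openDB() and closeDB() from database_Function.asp above are included, and that usp_CheckLogin and usp_CheckSessionID are defined exactly as posted; the three constants carry the standard ADO values that adovbs.inc defines.

```vbscript
<%
' Added example, not from the original post. Replaces the string-built
' "EXECUTE usp_CheckLogin @usid='...'" calls with parameterised commands.
' Assumes objConn / openDB() / closeDB() from database_Function.asp are included.
Const adCmdStoredProc = 4   ' standard ADO constants (adovbs.inc values)
Const adParamInput = 1
Const adVarChar = 200

' Calls usp_CheckLogin. Returns the new session id as a string, or "" when
' the user name / password pair is not found (the procedure selects -1).
Function CheckLogin(usid, password)
    Dim cmd, rs, result
    openDB()
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "usp_CheckLogin"
    ' Values are sent as parameters, separate from the SQL text, so a quote
    ' in either field is just data: it cannot close the literal or append
    ' another statement. Sizes match the Varchar(20) parameter declarations.
    cmd.Parameters.Append cmd.CreateParameter("@usID", adVarChar, adParamInput, 20, Trim(LCase(usid)))
    cmd.Parameters.Append cmd.CreateParameter("@password", adVarChar, adParamInput, 20, Trim(password))
    Set rs = cmd.Execute
    result = CStr(rs.Fields(0).Value)
    rs.Close
    closeDB()
    If result = "-1" Then
        CheckLogin = ""
    Else
        CheckLogin = result   ' ADO returns the uniqueidentifier as {XXXXXXXX-...}
    End If
End Function

' Calls usp_CheckSessionID. True when the id exists and was touched within
' the last 20 minutes (the procedure also refreshes LastUpdate on success).
Function CheckSessionID(sessionID)
    Dim cmd, rs, tidy
    ' Strip the braces ADO puts round a uniqueidentifier so the value matches
    ' the CONVERT(Varchar(255), ...) form that usp_CheckLogin stores.
    tidy = Replace(Replace(Trim(sessionID), "{", ""), "}", "")
    openDB()
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "usp_CheckSessionID"
    cmd.Parameters.Append cmd.CreateParameter("@sessionID", adVarChar, adParamInput, 255, tidy)
    Set rs = cmd.Execute
    CheckSessionID = (CLng(rs.Fields(0).Value) = 0)
    rs.Close
    closeDB()
End Function
%>
```

In login.asp the call becomes sSessionID = CheckLogin(Request.Form("usid"), Request.Form("password")) with an empty-string test in place of If sSessionID = -1, and home.asp calls CheckSessionID(Request.QueryString("id")). This closes the injection route the later post in the thread asks about; it does nothing about the token itself, which still has to travel to and from the browser on every request.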

 
Old July 4th, 2005, 10:56 PM
Friend of Wrox
mat41
Join Date: Jan 2004
Posts: 1,870
Thanks: 12
Thanked 20 Times in 20 Posts

Use hidden form variables

Wind is your friend
Matt
 
Old July 4th, 2005, 11:06 PM
Authorized User
Join Date: Jul 2005
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts

I did, but it does not work in my case. Could you show me how it can be done in my code so that it will work?

 
Old July 4th, 2005, 11:30 PM
Friend of Wrox
mat41
Join Date: Jan 2004
Posts: 1,870
Thanks: 12
Thanked 20 Times in 20 Posts

It won't work with a Response.Redirect. If you submit a form it will; it works like any other form variable. Don't forget to assign a value to it.

Can I write a page for you? No. Can I assist you to troubleshoot a "problematic piece of code"? Yes. Have a go, and when you hit a wall post the "problematic code" for assistance.

Wind is your friend
Matt
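
An added example of what mat41 describes (not code from the thread): login.asp hands the id to home.asp in a hidden field of a POSTed form, which a Response.Redirect cannot do, and home.asp reads it from Request.Form. It assumes sSessionID holds the value returned by usp_CheckLogin as in login.asp above; profile.asp is a made-up target used only to show how an onward link has to carry the field.

```vbscript
<%
' Added example, not from the original thread. Illustrates mat41's advice:
' post the id in a hidden form field instead of redirecting with it in the URL.
' --- login.asp: in place of Response.Redirect("home.asp?id=" & sSessionID) ---
' Assumes sSessionID holds the value selected by usp_CheckLogin (GUID or -1).
If CStr(sSessionID) <> "-1" Then
    Response.Write "<form id='go' method='post' action='home.asp'>"
    Response.Write "<input type='hidden' name='sSessionID' value=""" & Server.HTMLEncode(CStr(sSessionID)) & """>"
    Response.Write "<noscript><input type='submit' value='continue'></noscript>"
    Response.Write "</form>"
    ' Submit the form automatically; the <noscript> button covers browsers without script.
    Response.Write "<script>document.getElementById('go').submit();</script>"
    Response.End
End If
%>

<%
' --- home.asp: read the id from the POST body, not from the query string ---
Dim Tem
Tem = Trim(LCase(Request.Form("sSessionID")))
If Len(Tem) = 0 Then Response.Redirect "login.asp"
Tem = Replace(Replace(Tem, "{", ""), "}", "")
' Check Tem against usp_CheckSessionID here, as home.asp above already does,
' and redirect to login.asp on -1 before rendering anything.

' Every page reached from here must carry the id the same way, so an onward
' link becomes a one-field POST form. "profile.asp" is a made-up target.
Sub WriteLink(target, label)
    Response.Write "<form method='post' action='" & Server.HTMLEncode(target) & "' style='display:inline'>"
    Response.Write "<input type='hidden' name='sSessionID' value=""" & Server.HTMLEncode(Tem) & """>"
    Response.Write "<input type='submit' value='" & Server.HTMLEncode(label) & "'>"
    Response.Write "</form>"
End Sub
WriteLink "profile.asp", "My profile"
%>
```

The browser now sends the id in the request body, so it is out of the address bar, history, bookmarks, Referer headers and the web server's access log. It is still a bearer token that the client holds and re-sends, and it stays valid until the 20-minute DATEDIFF window in usp_CheckSessionID lapses whether or not the browser was closed; nothing here shortens that, and a refresh of home.asp re-posts the form. On plain HTTP anyone on the path can read it from the body as easily as from the URL, which is the point the feedback quoted further down the thread makes about SSL.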
 
Old July 5th, 2005, 12:27 AM
Authorized User
Join Date: Jul 2005
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts

Hiding stuff in/from the client has nothing whatsoever to do with security. You cannot maintain a "session" without passing a token back and forth between the client and server. If you feel this exposes you to the risk of a man-in-the-middle attack, then use SSL. But even then you will need to keep passing the token.

So the short answer is: NO.

From your point of view, do you think my program will be highly exposed to hacking such as SQL injection?

Regards

Eugene

 
Old July 5th, 2005, 12:48 AM
Friend of Wrox
mat41
Join Date: Jan 2004
Posts: 1,870
Thanks: 12
Thanked 20 Times in 20 Posts

Are you chatting with yourself? I'm confused.


Wind is your friend
Matt
 
Old July 5th, 2005, 04:56 AM
Authorized User
Join Date: Jul 2005
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts

Oops, I'm sorry, I forgot to add the sentence "This is feedback I received in regards to my question". Please accept my apology for the confusion.

 
Old July 5th, 2005, 11:38 PM
Authorized User
Join Date: Jul 2005
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts

I found the solution. I truly appreciate your help. Thank you.






Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.