Classic ASP Professional: For advanced coder questions in ASP 3. NOT for ASP.NET 1.0, 1.1, or 2.0.
Welcome to the p2p.wrox.com Forums.
You are currently viewing the Classic ASP Professional section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

May 2nd, 2005, 09:39 AM
Registered User
Newbie Help. Login to unique login page per user
I'm new to .ASP but trying to pick it up. What I'm trying to accomplish is to have a simple way to have users login from the main site page and each go to their designated url. There will be a separate page for users of each company. There will be a very small amount of traffic. When I came on board the company only had a site with their address posted but the owner asked for this. Anyway, I've found tons of examples for .asp login scripts that will check authorization of users to a single page but none that have the logic to send each to their own page. Currently I have the following and I know one problem is that it is unsecure. At this point I'm not sure if it would be easier to use PHP or something else. Any comments would be appreciated.
I'm using the latest MySQL database and the current checkuser.asp code is below.
<%
Dim adoCon
Dim strCon
Dim rsCheckUser
Dim strAccessDB
Dim strSQL
Dim strSQL1
Dim strUrl
Dim strUserName
'will store the temp records
Dim rstemp
strUserName = Request.Form("txtUserName")
strAccessDB = "users"
Set adoCon = Server.CreateObject("ADODB.Connection")
strCon = "Driver={MySQL ODBC 3.51 Driver};uid=root;password=lookout;Server=localhost ;Option=16834;Database=CheckUser;"
adoCon.Open strCon
Set rsCheckUser = Server.CreateObject("ADODB.Recordset")
'The user name from the form is concatenated directly into the SQL text
strSQL = "SELECT tblUsers.Password FROM tblUsers WHERE tblUsers.UserID ='" & strUserName & "'"
rsCheckUser.Open strSQL, strCon
'Query to pull the url from the DB'
strSQL1 = "SELECT tblUsers.Url FROM tblUsers WHERE tblUsers.UserID ='" & strUserName & "'"
Set rstemp = adoCon.Execute(strSQL1)
'Only read the Url when a row came back
If Not rstemp.EOF Then strUrl = rstemp("Url")
If NOT rsCheckUser.EOF Then
    'Read in the password for the user from the database
    If (Request.Form("txtUserPass")) = rsCheckUser("Password") Then
        Session("blnIsUserGood") = True
        'strCon is a plain string, so only the objects are released
        Set adoCon = Nothing
        Set rsCheckUser = Nothing
        'this will direct user to this address.
        Response.Redirect ('" & strUrl & "') 'Doesn't work'
        Response.Redirect"abc.asp'" & strUrl & "'" 'doesn't work'
    End If
End If
%>
Any input is appreciated. Maybe I'm way off track and there is an easier way to go that is secure?? Thanks in advance for any help given.

May 2nd, 2005, 10:19 AM
Registered User
You need to do something like this
If strUrl = "url1" Then
    Response.Redirect url1
ElseIf strUrl = "url2" Then
    Response.Redirect url2
Else
End If

May 2nd, 2005, 11:21 AM
Registered User
Future,
I don't understand what I will gain by that code. I don't really need to check to see if the url is correct by comparing url to url. I need to redirect to a url by username if user/pass match. The thing is that I can't seem to pass the url from the DB as a string in the redirect statement. Also, this is insecure and I'm hoping to secure it. Am I making any sense? Probably not. LOL! Thanks a ton for the comment.

May 2nd, 2005, 12:05 PM
Wrox Author
If the Url is in the strUrl field, then this should work:
Response.Redirect (strUrl)
strUrl is already a string, so there is no need to put it in quotes.
I don't know about your database setup, but personally I would do something like this:
Dim password
Dim userName
Dim sql
Dim rsUser
Dim strUrl
password = Replace(Request.Form("txtPassword"), "'", "''")
userName = Replace(Request.Form("txtUserName"), "'", "''")
sql = "SELECT RedirectUrl FROM UserTable WHERE UserName = '" & userName & "' AND Password = '" & password & "'"
' Open connection and execute sql
' (adoCon is assumed to be an open ADODB.Connection, as in the first post)
Set rsUser = adoCon.Execute(sql)
If Not rsUser.EOF Then
    strUrl = rsUser("RedirectUrl")
End If
rsUser.Close
If strUrl <> "" Then
    Response.Redirect(strUrl)
End If
Note that I am using Replace to minimize the risk of Sql injection (people inserting SQL statements instead of a user name or password). However, this method is definitely not secure enough. It would be much better to use Stored Procedures or parameterized queries. But that's a topic for another post.... ;)
You wouldn't gain anything from switching to PHP. When it comes down to stuff like this, both languages offer equal opportunities.
Cheers,
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
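The post above names parameterized queries as the better option without showing one. As an added example (not code from the thread or from any poster), this is the same lookup through an ADODB.Command with ? placeholders; Application("LoginConnString"), the 50-character column sizes and login.asp are assumptions.

```asp
<%
Option Explicit
' ADO constants (normally from adovbs.inc), declared so the page is self-contained
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim conn, cmd, rs, strUrl
strUrl = ""

Set conn = Server.CreateObject("ADODB.Connection")
' Assumption: the connection string is set in global.asa and uses a
' low-privilege database account rather than root.
conn.Open Application("LoginConnString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? markers are bound in order; form input never becomes part of the SQL text,
' so no quote doubling with Replace is needed.
cmd.CommandText = "SELECT RedirectUrl FROM UserTable WHERE UserName = ? AND Password = ?"
cmd.Parameters.Append cmd.CreateParameter("UserName", adVarChar, adParamInput, 50, _
    Left(Request.Form("txtUserName"), 50))
cmd.Parameters.Append cmd.CreateParameter("Password", adVarChar, adParamInput, 50, _
    Left(Request.Form("txtPassword"), 50))

Set rs = cmd.Execute
If Not rs.EOF Then
    strUrl = rs("RedirectUrl") & ""   ' & "" turns a NULL column into an empty string
End If
rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing

If strUrl <> "" Then
    Session("blnIsUserGood") = True   ' flag name taken from the first post
    Response.Redirect strUrl
Else
    ' Same response for unknown user and wrong password
    Response.Redirect "login.asp?failed=1"   ' hypothetical login page
End If
%>
```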

May 2nd, 2005, 01:11 PM
Registered User
Sorry, I think I totally misunderstood what you are trying to do. Are you trying to redirect to the original url after being logged in?
If so, I can help.

May 2nd, 2005, 01:23 PM
Registered User
I'm sorry I was unclear. What I'm trying to accomplish is to have each user login and have it check the database to see where that user's home page (if you want to call it that) should be. Each customer will only have access to their own customer page after login which will not be the original login page but one with a list of jobs, etc. for their company. I hope this clears it up. Thanks for the effort here. :)

May 2nd, 2005, 01:48 PM
Wrox Author
Hi Kainan,
Doesn't my post answer that question? The Url you want to redirect to can be stored in the database together with the customer details.
Let me know if you need more help.
Cheers,
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.

May 2nd, 2005, 02:07 PM
Registered User
Imar,
Now that I look at it I do see that your code looks like what I'm looking for, although different than what I thought. What I'm concerned with is the lack of a session or code to stop people from seeing the URL and simply typing it in to bypass the login entirely. Thanks a ton! If you have other suggestions then please post up. :)

May 2nd, 2005, 02:30 PM
Registered User
Why not create a session object on the login page, then check that session object on the user's homepage?
Session("Url") = strUrl
At the top of the homepage, first query the database for the url, then check the match:
If Session("Url") = strUrl Then
and at the end of the code
Else
    Response.Redirect(strUrl)
End If
Totally off the top of my head, but should work.

May 2nd, 2005, 04:45 PM
Wrox Author
What futurefiles is suggesting is indeed part of what you need.
The principle I showed you is only used to determine the page you want to redirect to. It does *not* provide a security mechanism in any way. But then again, I don't think you asked for that in your first post ;)
Anyway, on the login page, you could set a session variable that determines what page(s) the user is allowed to see. You can store the user's ID, the root URL or anything else you see fit.
In the pages you're protecting, check for this session variable:
<%
If Session("CompanyUrl") <> "SomeCompanyNameUrl" Then
    Response.Redirect("NoAccess.asp")
End If
%>
This assumes that each company has its own set of files, and that you include this code in each page for each customer. The "SomeCompanyNameUrl" is hardcoded for each company in each file.
Alternatively, if you're willing to take a (minor) performance hit you can check the current Url (using Request.ServerVariables("SCRIPT_NAME") and Request.ServerVariables("HTTP_HOST")) and then query the database on each request, and find out if the user is allowed to view the requested Url.
For that to work, you'll need to store the user's name in a session so you can send it in every page request.
HtH,
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
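The post above describes a hardcoded per-company check and, as an alternative, comparing the requested URL on each request. As an added example (not code from the thread), this single include combines the two without a database query: it compares SCRIPT_NAME with the folder of the URL stored in Session("CompanyUrl") at login. The include name, the /NoAccess.asp path and a site-relative stored URL such as /customers/acme/default.asp are assumptions.

```asp
<%
' RequireCompany.asp - hypothetical include for the top of every protected page:
'   <!-- #include virtual="/inc/RequireCompany.asp" -->
' Assumption: the login page stored the user's site-relative start URL,
' e.g. "/customers/acme/default.asp", in Session("CompanyUrl").

Function IsAllowedPath(ByVal scriptName, ByVal companyUrl)
    Dim root
    IsAllowedPath = False

    ' Reduce the stored URL to its folder, keeping the trailing slash, so that
    ' "/customers/acme/" does not also match "/customers/acme2/".
    root = Left(companyUrl, InStrRev(companyUrl, "/"))

    ' Empty means no login; "/" alone would allow every page on the site.
    If Len(root) < 2 Then Exit Function

    ' IIS paths are case-insensitive, so compare without regard to case.
    IsAllowedPath = (StrComp(Left(scriptName, Len(root)), root, vbTextCompare) = 0)
End Function

' Session("CompanyUrl") is Empty when nobody has logged in; & "" makes it a string.
If Not IsAllowedPath(Request.ServerVariables("SCRIPT_NAME"), Session("CompanyUrl") & "") Then
    Response.Redirect "/NoAccess.asp"
End If
%>
```

The check only runs for .asp pages that include it; static files in the same folder (.html, .pdf) are served by IIS without it.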