Wrox Programmer Forums
Old September 6th, 2003, 04:00 AM
Authorized User
 
Join Date: Jun 2003
Location: Dublin, , Ireland.
Posts: 65
Login user & restrict access

I just noticed something the other day on my website.
If a customer logs in to check out his order status, all works fine, but if he copies the URL and changes the customerID from, let's say, 555 to, let's say, 444, which is a valid customerID, then he can actually see those orders as well.
I changed the RSOrders to the following code:
<%
Dim rsCustomerOrdersOrdersDetails__MMColParam
rsCustomerOrdersOrdersDetails__MMColParam = "0"
If (Session("MM_Username") <> "") Then
  rsCustomerOrdersOrdersDetails__MMColParam = Session("MM_Username")
End If
%>
<%
set rsCustomerOrdersOrdersDetails = Server.CreateObject("ADODB.Recordset")
rsCustomerOrdersOrdersDetails.ActiveConnection = MM_storeSQL_STRING
rsCustomerOrdersOrdersDetails.Source = "SELECT OrderID, OrderDate, SubTotal, ShippingCost, GrandTotal, OrderStatus, CustomerID, LastName, FirstName, CustomerEmail, BillingAddress, BillingCity, BillingStateOrProvince, BillingPostalCode, BillingCountry, BillingPhoneNumber FROM dbo.CustomerOrdersOrdersDetails WHERE CustomerEmail='" + Replace(rsCustomerOrdersOrdersDetails__MMColParam, "'", "''") + "'"
rsCustomerOrdersOrdersDetails.CursorType = 0
rsCustomerOrdersOrdersDetails.CursorLocation = 2
rsCustomerOrdersOrdersDetails.LockType = 1
rsCustomerOrdersOrdersDetails.Open()
rsCustomerOrdersOrdersDetails_numRows = 0
%>

Does anybody know a better login process?
Old September 6th, 2003, 04:36 AM
Wrox Author
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,086

Hi Lucian,

It makes sense that customers can see orders from other customers as well in the current implementation. The Restrict Access to Page behavior that Dreamweaver uses does nothing more than see if a customer is logged in, or not. It doesn't distinguish between customers.

The fix, however, is easy. You should make the following changes:

1. On your login page, where you set Session("MM_Username"), also save the Customer ID in a Session variable:

   Session("MM_CustomerID") = ValueFromRecordset

You'll need to add the CustomerID column to the SQL statement so it is retrieved from the database as well.

2. Change the page where you can view the orders. You basically have two options:

  a) Redirect users when they try to view orders they are not allowed to see. I assume you have something like this to check the access:

Code:
If Session("MM_Username") <> "" Then
  If (true Or CStr(Session("MM_UserAuthorization"))="") Or _
         (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
Add the following lines to that code block:

Code:
If (CStr(Session("MM_CustomerID")) <> CStr(Request.QueryString("CustomerID"))) Then
    ' A request is made for orders that do not belong to the current customer.
    ' Both sides are converted with CStr: the Session value comes out of the
    ' recordset as a number while the QueryString value is a string, and VBScript
    ' treats a number and a string as unequal even when they look the same.
    MM_grantAccess = false
End If
This will disallow access to the page when the requested CustomerID does not match the current CustomerID.

  b) Change your SQL statement so it queries just the orders for the current customer:
Code:
rsCustomerOrdersOrdersDetails.Source = "SELECT OrderID, OrderDate, SubTotal, " & _
    "ShippingCost, GrandTotal, OrderStatus, CustomerID, LastName, " & _
    "FirstName, CustomerEmail, BillingAddress, BillingCity, " & _
    "BillingStateOrProvince, BillingPostalCode, BillingCountry, " & _
    "BillingPhoneNumber FROM dbo.CustomerOrdersOrdersDetails " & _
    "WHERE CustomerEmail='" & Replace(rsCustomerOrdersOrdersDetails__MMColParam, "'", "''") & _
    "' AND CustomerID = " & Session("MM_CustomerID")
This will limit the recordset to just the orders that belong to the current customer.

If you have any questions, feel free to ask.

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
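To show option (b) carried through, here is an added example of an orders page written for this thread; it is not code from the thread, from Dreamweaver, or from Lucian's site. It assumes that step 1 above has been done (the login page stores the customer's key in Session("MM_CustomerID") from the login recordset), that MM_storeSQL_STRING is the same connection string the Dreamweaver recordsets use, and that the page is called with an optional OrderID query string parameter (a name chosen for the example). The column and table names are the ones from the original post.

```vbscript
<%
' Added example: an orders page that scopes every query to the customer held in
' the Session, so the CustomerID in the URL can no longer select someone else's
' orders. Assumes the login page already ran
'   Session("MM_CustomerID") = rsLogin.Fields("CustomerID").Value
' and that MM_storeSQL_STRING is the site's connection string.

Dim customerID, orderID, sql, cmd, rsOrders

' 1. Authorization starts from the Session, never from the QueryString.
If Session("MM_Username") = "" Or IsEmpty(Session("MM_CustomerID")) Then
    Response.Redirect "loginfailed.asp?accessdenied=" & _
        Server.URLEncode(Request.ServerVariables("URL"))
End If
customerID = CLng(Session("MM_CustomerID"))

' 2. The only thing taken from the URL is which of *this* customer's orders to
'    show. It is validated as a whole number first; anything else means
'    "show all of my orders" (orderID = 0). OrderID is a parameter name chosen
'    for this example.
orderID = 0
If IsNumeric(Request.QueryString("OrderID")) Then
    orderID = CLng(Request.QueryString("OrderID"))
End If

' 3. Both filters are bound as ADO parameters instead of being concatenated
'    into the SQL text, so quoting the values is no longer the page's job.
sql = "SELECT OrderID, OrderDate, GrandTotal, OrderStatus " & _
      "FROM dbo.CustomerOrdersOrdersDetails " & _
      "WHERE CustomerID = ? AND (? = 0 OR OrderID = ?) " & _
      "ORDER BY OrderDate DESC"

Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = MM_storeSQL_STRING
cmd.CommandText = sql
cmd.CommandType = 1   ' adCmdText
' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("CustomerID", 3, 1, , customerID)
cmd.Parameters.Append cmd.CreateParameter("AllOrders", 3, 1, , orderID)
cmd.Parameters.Append cmd.CreateParameter("OrderID", 3, 1, , orderID)

Set rsOrders = cmd.Execute()

' 4. An OrderID that belongs to another customer simply yields an empty
'    recordset: the row was never selectable, so there is nothing to deny.
If rsOrders.EOF Then
    Response.Write "<p>No orders found for your account.</p>"
Else
    Do Until rsOrders.EOF
        Response.Write "<p>Order " & rsOrders("OrderID") & " (" & rsOrders("OrderDate") & "): " & _
                       Server.HTMLEncode(CStr(rsOrders("OrderStatus"))) & "</p>"
        rsOrders.MoveNext
    Loop
End If

rsOrders.Close
Set rsOrders = Nothing
Set cmd = Nothing
%>
```

The difference from the recordset in the first post is that the WHERE clause is anchored on a value the visitor cannot edit (the Session), and the value the visitor can edit (OrderID) only narrows the result within that customer's own rows. Changing the URL therefore changes which of your own orders you see, never whose orders you see, and the "accessdenied" redirect is only reached when there is no logged-in customer at all.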
Old September 6th, 2003, 06:07 AM
Authorized User
 
Join Date: Jun 2003
Location: Dublin, , Ireland.
Posts: 65

What do you think about this:

<%
' *** Restrict Access To Page: Grant or deny access to this page
MM_authorizedUsers="CustomerID"
MM_authFailedURL="loginfailed.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
  If (true Or CStr(Session("MM_UserAuthorization"))="") Or _
         (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
If (CStr(Session("MM_CustomerID")) <> CStr(Request.QueryString("CustomerID"))) Then
    ' A request is made for orders that do not belong to the current customer.
    ' CStr on both sides avoids a number-versus-string comparison, which VBScript
    ' always evaluates as unequal.
    MM_grantAccess = false
End If

If Not MM_grantAccess Then
  MM_qsChar = "?"
  If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
  MM_referrer = Request.ServerVariables("URL")
  if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
  MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
  Response.Redirect(MM_authFailedURL)
End If
%>
<%
Dim rsCustomer__MMColParam
rsCustomer__MMColParam = "0"
if (Session("MM_Username") <> "") then rsCustomer__MMColParam = Session("MM_Username")
%>
<%
set rsCustomer = Server.CreateObject("ADODB.Recordset")
rsCustomer.ActiveConnection = MM_storeSQL_STRING
rsCustomer.Source = "SELECT * FROM dbo.Customers WHERE CustomerEmail='" + Replace(rsCustomer__MMColParam, "'", "''") + "'"
rsCustomer.CursorType = 0
rsCustomer.CursorLocation = 2
rsCustomer.LockType = 1
rsCustomer.Open()
rsCustomer_numRows = 0
%>

I made those changes and now it does not matter what you change in the URL address bar it still shows only the session customer details or orders.

Anything to improve this code?
Old September 7th, 2003, 04:48 AM
Wrox Author
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,086

Hi Lucian,

Where was the original parameter from the QueryString used? I don't see any of that in your code, so I don't know exactly what went wrong.

The basic idea is that your WHERE clause uses at least two filters: a CustomerID from the Session object, and something from the QueryString, although I don't know what you are using the second parameter for. So use something like this:

WHERE SomeColumn = 'SomeValue' AND SomeOtherColumn = 'SomeOtherValue'

What exactly do you want to show to your visitors? What are they allowed to see and what not? On what parameters do you base this decision?
Imar
Old September 7th, 2003, 06:32 AM
Authorized User
 
Join Date: Jun 2003
Location: Dublin, , Ireland.
Posts: 65

I'll tell you what happened.
Ignore the first post as the second is the one I am using at the moment.

The query is on the SSL part of my website, where customers have the capability of checking their order status and also modifying their details such as shipping/billing address.
They can only view the details after they are logged in, by going to My Account.

I have a few ASP pages that keep track of what the user is doing on the website based on IP logging, and I noticed that one smart ass, by changing the CustomerID in the address bar (URL), could actually see those details as well. I wasn't expecting that from a program like Macromedia's (it doesn't come cheap) and had never bothered to check it out myself.
I was looking at the code for "Restrict Access To Page" and I noticed that it is not a big deal, but I actually never checked it out myself to see if you could see any orders by changing the URL.

I had everything based on a CustomerID & OrderID query in the RS, but I've changed it to session("MM_UserName") and it seems fine at the moment, though I am still worried about it.
Old September 7th, 2003, 12:21 PM
Wrox Author
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,086

Hi Lucian,

I don't think you can blame Dreamweaver for this. The Server Behaviors that Dreamweaver supplies deal with Authentication (whether a user is allowed to log in using valid credentials like a username and password or not), while what you are dealing with right now is about Authorization (what a user can see / do and cannot see / do once they are logged in).

Authorization is very application specific, so it's almost impossible to create Dreamweaver Server Behaviors that accommodate all possible generic situations. (You can find Dreamweaver Extensions that deal with specific authorization issues, like Shopping Carts at the Dreamweaver Extension site.)

By using Session variables, you have created a pretty secure solution. Once a user logs in, you store their User ID / Name in a Session variable and use that throughout your site. Users have no direct access to the Session variable, so it's impossible for them to change the value you have saved in that variable.

Passing sensitive information like User IDs, passwords etc through the querystring is never a good idea. Storing them in Session variables is a much more secure solution.

If your code using Session variables works fine, you shouldn't be worried. If it doesn't work, please tell me what's wrong, post some code and I'll take a look at it.

Regards,

Imar