p2p.wrox.com Forums


chris1012 January 29th, 2009 09:49 AM

Sessions and secure area problem
 
Hey guys, I was wondering if anyone could help me with this. Basically I've made a database-driven website using an Access database, but it's not completely secure and I can't understand why. Basically, when I type in the hyperlink it still gives me access to the admin area. My code is posted below; any help is greatly appreciated...

login.asp


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE> Coach To Go Login</TITLE>
<META NAME="Generator" CONTENT="Christopher Elshaw">
<META NAME="Author" CONTENT="">
<META NAME="Keywords" CONTENT="Christopher Elshaw">
<META NAME="Description" CONTENT="Coach To Go Company">
<link rel="stylesheet" href="..\CSS\CSS.css" type="text/css" />
<script language="JavaScript" type="text/javascript">
// client-side check only: the server must validate the login again
function validate()
{
var lf = document.logger
var un = lf.username.value
var pw = lf.password.value
var submitOK = true
if (un.length < 5) {
alert("the username you provided is not valid")
submitOK = false
}
if (pw.length < 6) // password must be 6 to 12 characters (maxlength caps it at 12)
{
alert("please enter a password between 6 and 12 characters")
submitOK = false
}
return submitOK // returning false cancels the form submission
}
</script>
</HEAD>
<body>
<div id="container">
<!--.................................................. ...logo = banner............................................ ...........................!-->
<div id="logo">
<img src="../images/ctg.gif" width="1200" height="250" />
</div>
<!--.................................................. ..Navigation section........................................... ..........................!-->
<div id="toplinks" >
<table>
<tr>
<td>
<A HREF="Home.asp">Home</A> &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Login.asp">Login</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Search.asp">Search Holidays</A> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</td>
<td>
<A HREF="Help.asp">Help!!!</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Contact.asp">Contact Details</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
</td>
<td>
<A HREF="Feedback.asp">Company Feedback</A>
</td>
</tr>
</table>
</div>
<!--.................................................. ..header.......................................... .......................................!-->
<div id="header">
<br />
<b><u>Coach To Go Login Service</u></b>
<br />
<br />
</div>
<!--.................................................. ..intro........................................... ......................................!-->
<div id="intro">
<br />
Welcome to the Coach To Go Login area, this area will provide you with the necessary access
<br />
for both customer and administrators of the Coach To Go Company
<br />
<br />
</div>
<!--...............................................mai n site content........................................... ..................................!-->
<div id="content">
<table width="1020px">
<tr>
<td width="50%">
<br />
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
Please enter your username and password below to get
<br />
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
access to your Coach To Go account
<br />
<br />
<Form name="logger" id="form1" action="logon_process.asp" method="post" onsubmit="return validate()">
<!-- JavaScript validation on submit; the form posts to the logon processing page -->
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
Username:
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<input id="u1" type="text" name="username" size="20" maxlength="15">*
<br />
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
Password:
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<input id="p1" type="password" name="password" size="20" maxlength="12">*
&nbsp &nbsp &nbsp
<input type="submit" value="Login" id="loginbut"/>
</form>
</td>
<td width="50%" height="0%">
If you would like to use the Coach To Go system
<br />
please click the register button displayed below
<br />
&nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<form method="get" action="Register.asp">
<input type="submit" value="Register with Coach To Go">
</form>
</td>
</tr>
</table>
</div>
<!--.................................................. ...Footer......................................... ..........................................!-->
<div id="Footer">
(C) Coach To Go LTD <%response.write(date())%>.
</div>
</div>
</body>
</html>


loginerror.asp

<%@LANGUAGE=VBScript%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>* FAILED LOGON ATTEMPT *</title>
<meta name="Generator" content="Login Error" />
<meta name="Author" content="Christopher Elshaw" />
<meta name="Keywords" content="Login Error" />
<meta name="Description" content="This page displays a login error" />
<!-- return to login after 5 seconds!-->
<meta http-equiv="refresh" content="5;URL=Login.asp">
<link rel="stylesheet" href="..\CSS\CSS.css" type="text/css" />
</head>
<body>
<div id="container">
<!--.................................................. ...Header = banner............................................ ...........................!-->
<div id="logo">
<img src="../images/ctg.gif" width="1200" height="250" />
</div>
<!--.................................................. ...Navigation Links............................................. ..........................!-->
<div id="toplinks" >
<A HREF="Home.asp">Home</A> &nbsp &nbsp &nbsp
<A HREF="Login.asp">Login</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<A HREF="Search.asp">Search Holidays</A> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
<A HREF="Help.asp">Help!!!</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<A HREF="Contact.asp">Contact Details</A> &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp
<A HREF="Feedback.asp">Company Feedback</A>
</div>
<!--.................................................. ...Intro To the page.............................................. .........................!-->
<div id="intro">
Login Error
</div>
<!--.................................................. ...Content for the page.............................................. .........................!-->
<div id="content">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; I'm sorry, but the login details you provided were incorrect. Please try again
</div>
<!--.................................................. ...Footer for the page.............................................. .........................!-->
<div id="footer">
(C) Coach To Go LTD <%response.write(date())%>.
</div>
</body>
</html>

login_process.asp

<%@ Language=VBScript %>
<%
'user logon process script
'ADO cursor/lock constants (normally supplied by adovbs.inc); without them
'adOpenKeyset is Empty, the cursor opens forward-only and RecordCount returns -1
Const adOpenKeyset = 1
Const adLockOptimistic = 3
'create a connection to the advanced data object db
Dim connection
Dim LogonRs
set connection=server.CreateObject("adodb.connection")
connection.Provider="Microsoft.JET.OLEDB.4.0"
connection.Open Server.Mappath("..\database\CoachToGo.mdb")
'variable creates logon record set
set LogonRs=server.CreateObject("adodb.recordset")
' send SQL string to for login validation'
LogonRs.Open "SELECT * from logon WHERE log_name='" & _
request("username") & "'" & " AND log_password='" & _
request("password") & "'",connection,adOpenKeyset,adLockOptimistic

' validate by value 1
If LogonRs.RecordCount=1 Then ' validated if 1 record found
' set session variable to be true (true for time user is logged in)
session("usr_accesslevel") = LogonRs("log_access")
session("usr_name") = LogonRs("log_realname")
session("usr_initials") = LogonRs("log_initials")
If session("usr_accesslevel")<3 Then
session("logadmin") = True
session ("loguser") = False
Response.Redirect("Adminmenu.asp")
Else
session("logadmin") = False
session ("loguser") = True
Response.Redirect("usermenu.asp")
End If
Else
' maintain "false" status
session("logadmin") = False
session ("loguser") = False
' inform user that attempt has been unsuccessful
Response.Redirect("Loginerror.asp")
End If
%>

session_stop.asp

<%@ Language=VBScript %>
<%
option Explicit
session("loggedin")=FALSE
Session.Contents.RemoveAll()
Session.Abandon
'return to log-in page
Response.redirect "sessiondirect.asp"
%>

session_direct.asp

<%@ Language=VBScript %>
<%
' check current session var for user and redirect
if session("loggedin")=FALSE Then
Response.Redirect("loginerror.asp")
else
Response.Redirect("adminmenu.asp")
end if
%>

What am I doing wrong? What do I need?
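The login_process.asp above builds its SQL by concatenating the submitted username and password into the query text. The following is an added example, not the poster's code: the same lookup written with an ADODB.Command and positional parameters, which keeps the submitted values out of the SQL text, and with the row read before the ADO objects are closed. It assumes the same table, columns, session keys and page names as the thread.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' Added example (not from the thread): the logon lookup of login_process.asp with
' the credentials passed as ADO parameters, so a quote in either field cannot
' change the query. ADO constants are declared here because no adovbs.inc is included.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

Dim connection, cmd, rs, accessLevel
Set connection = Server.CreateObject("ADODB.Connection")
connection.Provider = "Microsoft.JET.OLEDB.4.0"
connection.Open Server.MapPath("..\database\CoachToGo.mdb")

' Jet accepts positional ? placeholders for Command parameters.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = connection
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT log_access, log_realname, log_initials " & _
                  "FROM logon WHERE log_name = ? AND log_password = ?"
' Request.Form: accept the credentials from the POST body only, not the query string.
cmd.Parameters.Append cmd.CreateParameter("name", adVarWChar, adParamInput, 15, Request.Form("username"))
cmd.Parameters.Append cmd.CreateParameter("pass", adVarWChar, adParamInput, 12, Request.Form("password"))
Set rs = cmd.Execute

If rs.EOF Then
    ' No matching row: clear any login state, release the ADO objects, then redirect.
    rs.Close
    connection.Close
    Session.Contents.RemoveAll
    Response.Redirect "loginerror.asp"
End If

' Copy the row into variables before closing, then redirect as in the original flow.
accessLevel = CInt(rs("log_access"))
Session("usr_accesslevel") = accessLevel
Session("usr_name") = rs("log_realname")
Session("usr_initials") = rs("log_initials")
Session("loggedin") = True
rs.Close
connection.Close

If accessLevel < 3 Then
    Response.Redirect "adminmenu.asp"
Else
    Response.Redirect "usermenu.asp"
End If
%>
```

The comparison still relies on the plaintext log_password column the original uses; storing a password hash instead is a separate change to the table and to this query.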

dparsons January 30th, 2009 12:40 AM

I had to guess a little at the program flow but, my guess is, when you do this

asp Code:
if session("loggedin")=FALSE Then

in your Session_Direct page it is always dropping into the else because it doesn't look like you ever set a session variable named loggedin in the code you have provided.

Moving on, this seems a little bit of a convoluted process that you have set up! What you are doing with 4 pages could probably be cleaned up a little. As far as logic goes, you really only need your LoginProcess page. Here is your code refactored a tiny bit:

asp Code:
Dim iAccessLevel
Dim blnLoggedIn
' validate by value 1
 
If Not LogonRs.EOF Then
     iAccessLevel = CInt(LogonRs("log_Access"))
     '
     'If LogonRs.RecordCount=1 Then ' validated if 1 record found
           session("usr_accesslevel") = LogonRs("log_access")
           session("usr_name") = LogonRs("log_realname")
           session("usr_initials") = LogonRs("log_initials")
           blnLoggedIn = True
      '
     'Else
      '     This seems like a logic Error
      '
      '     session("logadmin") = False
      '     session ("loguser") = False
      '
     'End If
Else
     blnLoggedIn = False
End If
 
LogonRs.Close()
Set LogonRs = Nothing
 
If blnLoggedIn Then
  If iAccessLevel < 3 Then   ' use the saved value: the RecordSet is already closed
     session("logadmin") = True
     session ("loguser") = False
     Response.Redirect("Adminmenu.asp")
  Else
     session("logadmin") = False
     session ("loguser") = True
     Response.Redirect("usermenu.asp")
  End If
Else
     Response.Redirect("Loginerror.asp")
End If

and an include file:

asp Code:
<%
If Session("usr_name") = "" Then Response.Redirect("SomePage.asp")
%>


Ok. So the first snippet of code is your LoginProcess that I refactored a little bit, and I tried to keep it as close to what you had as I could. First two variables:

Dim iAccessLevel
Dim blnLoggedIn

AccessLevel will tell you the AccessLevel of the current user and the LoggedIn variable will be a boolean value stating whether or not the user has logged in. Next I added a test for .EOF; if this returns true it means that the RecordSet is empty and no data was returned from your database. It is because of this addition that I commented out the if inside the .EOF test, since they tell you really the same thing. Next I set up your session variables for the logged in user and set blnLoggedIn to true. I then close the RecordSet object and set it to Nothing. Finally I have a nested if that evaluates where to send the user, which is pretty self explanatory.

The next bit of code is code you should drop into an include file. All it does is check to see if the value of a session variable is empty or not; if it is, it redirects, otherwise it does nothing. Since you are using an access Level variable, you will probably want to change this code to work off of that but, since I don't know your business logic, I am not of much use there.

Finally, to glue this all together you would drop the include file onto your protected pages like so:

<!--#include file="SecurityGuard.inc" -->

Place this at the top of your protected page.

Two last things: the reason I broke the code out that resides inside the nested if is because you were redirecting the user before you had closed your ADO objects (RecordSet, Connect) and this is a very very bad practice. The long and the short of it is, unless you do this explicitly, you can run into memory leaks and application degradation is the end result which nobody wants. Second, do some reading up on SQL Injection and how to prevent it. Attacking the code that you have provided would prove trivial.

hth.
-Doug
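Doug's include only checks that usr_name is non-empty, and he notes the check should really work off the access level. The following is an added example, not Doug's include or the poster's code: a SecurityGuard.inc that also enforces the access level the thread's login process stores in usr_accesslevel, where lower numbers mean more privilege as in the thread's "< 3" test. RequireAccessLevel and the level 99 used for ordinary pages are assumptions for illustration.

```vbscript
<%
' SecurityGuard.inc, added example (not from the thread). Include it at the top of a
' protected page, then call it inside a script block with the page's highest
' permitted level, for example:
'   RequireAccessLevel 2    (adminmenu.asp: levels 1 and 2 only)
'   RequireAccessLevel 99   (usermenu.asp: any logged-in user; 99 is an assumed cap)
Sub RequireAccessLevel(maxLevel)
    Dim level
    ' A session key that was never set comes back Empty, and CInt(Empty) is 0,
    ' which would satisfy "< 3". So test that the login state exists before
    ' comparing levels; this is what lets a typed-in URL reach a page today.
    If Session("usr_name") = "" Or IsEmpty(Session("usr_accesslevel")) Then
        Response.Redirect "login.asp"
    End If
    level = CInt(Session("usr_accesslevel"))
    If level > maxLevel Then
        ' Logged in, but not privileged enough for this page.
        Response.Redirect "usermenu.asp"
    End If
End Sub
%>
```

Response.Redirect ends the response, so nothing below the call on the protected page is sent to a visitor who fails either test; session_stop.asp's Session.Abandon clears both keys, so logged-out visitors fail the first test.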

