Why there is no End if in the code?
Main Topics
Browse All Topics
Loading Advertisement...
Question
Access, FrontPage, DRW and Cookies
Hello All!
I guess this question is more for Ward Cameron since I got the cookie script from his frontpagemagic.com site...but if anyone has an easy solution by all means!! By the way Ward, thank you for making such a page it has been very, very helpful.
OK the question (dilemma really) is that we are creating a webpage that limits information with the userid cookie script that Ward provided. Our site allows certain property owners to view their own property's information and not another owner's properties or info. Thus far it has worked very well. BUT we are finding that by using the following cookie code...
<%
If Request.Cookies("Login")("
If Request("UserID")="" Then Response.Redirect _
Request.ServerVariables("S
If Request.Cookies("Login")("
Response.Redirect "login.asp"
%>
...on a page that has a form with a dropdown menu, it prevents us from displaying certain data on a following page while the same code is still present. We have tried several ways to pass parameters, etc. (and have triple-checked that all the queries contain the criteria that is being posted to the page) BUT we have only found that by removing the cookie code, for that page only, it will allow for data from our database (MS Access) to be displayed using DRW.
There must be some easy solution, because other sites are doing it. Our real concern is that we don't want hackers to view data on the unprotected pages that they are not entitled to view, obviously. The good news is that no one can't get to the page containing information without having logged in properly and viewed information that is owner specific...however once they are on this page in particular, they can change the string of code in the address bar and view information that they are not entitled to see.
Can you help? I hope what I wrote makes sense...
Thanks!
John
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Subscribe now for full access to Experts Exchange and get
Instant Access to this Solution
- Plus...
- 30 Day FREE access, no risk, no obligation
- Collaborate with the world's top tech experts
- Unlimited access to our exclusive solution database
- Never be left without tech help again
Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.
- "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
- "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
- "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.
See what Experts Exchange can do for you.
Got a question?
We've got the answer.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
Need individual assistance?
Our experts are ready to help.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Want to learn from the best?
Read articles from industry experts.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Working on a long term project?
Store your work and research.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
What Makes Experts Exchange Unique?
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Trusted by the world's most respected brands.
Faithfully serving IT professionals since 1996.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Free Tech Articles
-
WARNING: 5 Reasons why you should NEVER fix a computer for free.
It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
-
SCCM OSD Basic troubleshooting
SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
-
Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
-
Create a Win7 Gadget
This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
-
Outlook continually prompting for username and password
There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
-
Backup Exchange 2010 Information Store using Windows Backup
There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...
Cloud Class Webinars
- Avoiding Bugs in Microsoft Access
Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
- Top 10 Best New Features in Visio 2010
Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
- IT Consultant Business Secrets Revealed
Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
- Disaster Recovery and Business Continuity
Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
- Organize Your Visio Diagrams with Containers and Lists
Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
- How to Us Objects, Properties, Events and Methods in Microsoft Access
Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...
Join the Community
Give a Little. Get a Lot.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Answers
Hi,
Did you try to put End If ?
<%
If Request.Cookies("Login")("
End if
If Request("UserID")="" Then Response.Redirect _
Request.ServerVariables("S
End if
If Request.Cookies("Login")("
Response.Redirect "login.asp"
End if
%>
Try that, then we'll see what could be the problem. Let us eliminate all suspicions one by one.
hhammash
Hi,
Ok,
If the login is successful where is the user sent, to which page? Does that other page verify the login?
If yes try:
<%
If Request.Cookies("Login")("
else
response.redirect "theotherpage.asp"
End if
If Request("UserID")="" Then Response.Redirect _
Request.ServerVariables("S
else
response.redirect "theotherpage.asp"
End if
If Request.Cookies("Login")("
Response.Redirect "login.asp"
else
response.redirect "theotherpage.asp"
End if
%>
Regards
hhammash
Hi HHammash,
thanks for the new code, I tried it out, but it's still not displaying the page, unfortunately.
Here's what happens, we have a navigation page called dash.asp...in order to get to that page, you need to get through the login page. Once a user is on the dash.asp page he/she can navigate to other pages. So for this example we'll say a user wants to look at the event calendar in our database. So they would click on the calendar button to take them to calendar.asp.
Now here's where it get's to be a problem......the calendar.asp page allows you to select events (dropdown menu) from a set of dates that exist in the database. This page is also protected with the cookie script....
<%
If Request.Cookies("Login")("
If Request("UserID")="" Then Response.Redirect _
Request.ServerVariables("S
If Request.Cookies("Login")("
Response.Redirect "login.asp"
%>
...which works fine. However, when a user selects a date from the dropdown and hits submit, that info gets posted to the next page called calendar_detail.asp. This page, for some reason will not display any information with the above script present in the code. It simply comes up in error with the browser default "Page Cannot Be Displayed" message. Once the code is removed (the page is now unprotected) it will display the information. This isn't terrible as you can't even get to this page without knowing it exists in the first place and having the exact address, and even still, if you went directly there, it will not display database information, but just show a blank page. However, I'd like to be able to avoid people using wildcards to get in the database to snoop around.
I just don't get it...the answer must be something simple, but I'm not a code expert, so it makes it that much harder for to try and figure it out...
Thanks for all your help so far!
John
Hey John. Thanks for the kind words about www.FrontPageMagic.com. I'm not sure what the problem is either. As you know from my site, I'm not a coder either. I've tacked the tutorials together through trial and error and a great deal of help from people like hhamash who actually know what they are doing in the html pane of FP.
When I have problems with some of my coded pages I try posting to a file called requestsniffer.asp. What it does is display all of the data being passed to the page so that you can see if the correct parameters are being passed. Also, in Internet Explorer go to Internet Options-Advanced options and deselect the Show Friendly HTTP Error Messages. This will often give you a more detailed error message instead of the cryptic Page Cannot Be Displayed error. Here is the code for RequestSniffer.asp. Just copy it into a blank page in html view. Set your calendar page to send to this page rather than calendar_details.asp. It may help to track down the error cause.
<%@ Language=VBScript %>
<HTML><HEAD>
<META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
<link rel="stylesheet" type="text/css" href="../../../CSS/Ward.cs
</HEAD>
<BODY>
<H3>Request Sniffer</H3><hr>
<%
' /////// Decide whether to reap data from QueryString or Form collection
If Request.QueryString <> "" Then
call ShowQueryString
ElseIf Request.Form <> "" then
Call ShowForm
Else
Response.Write "Both the QueryString and Forms collection are empty"
End If
' //////// Call this if data is in Form collection
Sub ShowForm
Response.write "From Form collection - POST<BR>"
Response.Write "Total # of values = "
Response.Write Request.Form.Count & "<BR>"
Response.Write "Entire Form Collection as String: <BR>"
Response.Write Request.Form & "<BR><BR>"
Response.Write "<TABLE BORDER=1><tr>"
For Each MyItem in Request.Form
Response.Write "<TR><TD>"
Response.Write MyItem & "</TD><TD>"
Response.Write Request.Form(MyItem).Item
Response.Write "</TD></TR>"
Next
Response.Write "</TABLE>"
End Sub
' /////// Call this if data is in QueryString collection
Sub ShowQueryString
Response.Write "From QueryString collection - GET<BR>"
Response.Write "Total # of values = "
Response.Write Request.QueryString.Count & "<BR>"
Response.Write "Entire QueryString Collection as String: <BR>"
Response.Write Request.QueryString & "<BR><BR>"
Response.Write "<TABLE BORDER=1><TR>"
For Each MyItem in Request.QueryString
Response.Write "<TR><TD>"
Response.Write MyItem & "</TD><TD>"
Response.Write Request.QueryString(MyItem
Response.Write "</TD></TR>"
Next
Response.Write "</table>"
End sub
%>
</BODY>
</HTML>
On another note, I've started using the session-based version of the tutorial rather than the cookie based. The reason is based upon security. The UserID is stored as a cookie in plain text and so the site could be hacked if someone opened the cookie file and changed the value of the UserID in the cookie file. They cannot view a session variable in the same way and so it is more difficult to hack this version. I do use cookies to store other values that are not as confidential.
You can encrypt your cookie using some fancy formula but I have no idea how to accomplish this.
Hi Ward,
Thanks to you, I think I may be on to something here....maybe the question that I should be asking is how do I post the USERID to the next page...or do I even have to if it is in the cookie already....I guess I assumed that the cookie data is always present and that the cookie script just re-requests the info whenever the page contains the script. (??)
Your request sniffer (which is VERY COOL THANK YOU!!!) shows that I am only passing the values from the form...not including the USERID....which may be why the following page is getting confused...not really sure...
Any ideas???
Thanks for al the help so far....I think MAYBE I'm getting somewhere...
John
P.S. Oh, and thanks for the advice on using session id's...again I'm really "green" with this stuff, so I'm not sure it will work for us since we are using the USERID to separate what clients will see in our database...we are anticipating many new customers and we use the USERID field to limit access. Maybe you have some sugestions in that regard (?). Thanks again!
You don't need to post the UserId once the cookie has been set. The code checks to see if the cookie exists and then adds it to the end of the url. Check your cookie folder to make sure the cookie has been written.
Also make sure you turn off the friendly html messages as described in my last post. With these messages turned off you will get a more detailed error message that will tell you exactly what line of code is causing the error and what the real problem is.
In terms of sessions, they work exactly the same as cookies. Essentially a sesssion IS a type of cookie that only lasts for the current user session and is not saved to the hard disk (and therefore can't be hacked as easily). You'll see on the website I've set up two versions of the tutorial, one for sessions and the other for cookies.
3 Ways to Join
Business Accounts
- Perfect for organizations
- Multiple users
- Save over 36%
- Create a Business Account
Answer for Membership
- Earn free access
- Showcase your knowledge
- No credit card required
- Sign Up to Answer
Loading Advertisement...
by: hhammashPosted on 2004-05-13 at 16:00:05ID: 11064135
Hi,
Passing parameters in the address bar can be dangerous sometimes. It is better to put the parameters in session variables and pass them between pages, this way it will not appear on the address bar and the page will not be bookmarked.
hhammash