Solved

ASP Password Protection

Posted on 1998-07-26
Last Modified: 2013-12-25
I need to protect a series of pages. I intend to use a simple two field Access database, login page and "include file" for each page - maintaining the sessions with cookies. I need to operate within Frontpage.
I am unable to find an example which I can make work (or understand).
Please can someone sort me out?
Question by:englishman
 
LVL 2

Author Comment

by:englishman
ID: 1858680
Edited text of question
0
 
LVL 28

Accepted Solution

by:
sybe earned 100 total points
ID: 1858681
The way I do this is:

Apart from the database I have created 2 files:
1. login.asp
2. secure.inc

I have put them in a special directory.

In each file that I want to protect, I include the secure.inc right at the start, before anything else.

==============

The files do the following:

secure.inc

It sets some sessionvariables:
- Session("Loginpage") = "/path/login.asp" (the url of login.asp)
- Session("Startpage") = Request.ServerVariables("PATH_INFO") (the url of the current page)


checks if there is a sessionvariable Session("secure") set to "True".
If yes, then nothing happens and the page is shown.
If no, then it checks if the previous page was "login.asp"
  if yes, it checks the database if the username/password are correct.
    if yes it sets Session("secure") to True and it shows the page
    if no it redirects to login.asp
  if no it redirects to login.asp
end if


login.asp asks for username/password and submits the form to Session("Startpage")



0
 
LVL 2

Author Comment

by:englishman
ID: 1858682
Please, can you post the code?
0
 
LVL 28

Expert Comment

by:sybe
ID: 1858683
login.asp:
====================================
<form action="<%= Session("Startpage") %>" method=POST>
<table>
<tr>
      <td>username:</td><td><input type=text name=user></td>
</tr><tr>
      <td>password:</td><td><input type=password name=pass></td>
</tr><tr>
      <td>&nbsp;</td><td align=right><input type=reset value=" cancel ">&nbsp;<input type=submit value=" ok "></td>
</tr>
</table>
<input type=hidden name=secure value="securelogin">
</form>
=====================================
secure.inc
=====================================
<%              
Session("Loginpage") = "/path/login.asp"
Session("Startpage") = Request.ServerVariables("PATH_INFO")

If Request.Form("secure") <> "" Then
      Set Conn_secure = Server.CreateObject("ADODB.Connection")
      Conn_secure.ConnectionTimeout = 5
      Conn_secure.CommandTimeout = 5
      Conn_secure.Open "DSN=" & Secure_ODBC

      strSQL = "SELECT * FROM Login WHERE username='" & Request.Form("user") & "'"
      Set RS_secure = Conn_secure.Execute(strSQL)

      Do
      If Session("secure") Then Exit Do
      If RS_secure.EOF Then Exit Do
            If RS_secure("password") =  Request.Form("pass") Then
                  Session("user") = RS_secure("username")
                  Session(Session("secure") = "True"
            End If
      RS_secure.MoveNext
      Loop
      RS_secure.Close

End If



If NOT Session(Session("secure") Then
      Response.Redirect(Session("Loginpage"))
End If
%>



0
 
LVL 2

Author Comment

by:englishman
ID: 1858684
Please bear with me through my ignorance, (I am a beginner in code).
I'm sure what I'm doing wrong is very simple.
Here is the situation:


My login.asp is exactly as you suggest.

My secure.inc is in the same, executable directory and is the same as you said except for line 8:
you said "     Conn_secure.Open "DSN=" & Secure_ODBC "
mine says"     Conn_secure.Open "DSN=login" & Secure_ODBC "
(Is this right, I've tried both but it didn't seem to help)
This is the ONLY difference.

Q - are the unclosed brackets on lines 16 and 22 :
"Session(Session..."   supposed to be like that?

Should anything be changed in this file?

My database ("login") has the DSN "login" with one table "login" - just to be on the safe side. The table has two fields ("username" and "password"). I have entered one name and password.

I have a welcome page (welcome.htm) also in the same directory which simply says hello etc and at the top has:
<!--#include file="secure.inc"--> before <html>.

When I go to login.asp I get a form and whatever I put in the fields gives a cookie "warning" and simply reloads itself. No cookie appears in my windows\cookies folder.

When I go to secure.inc I simply see the code.

When I go to welcome.htm I just see what you would expect from html and when I view the source I also see "<!--#include file="secure.inc"-->".

Qs:
How does login.asp target the next page to go to?
Is "<!--#include file="secure.inc"-->" correct?
Where do I specify the table in the login database (if at all)?


Regards,
NM
0
 
LVL 28

Expert Comment

by:sybe
ID: 1858685
Sorry, I edited some working code and copied it, but I missed something in editing:

Conn_secure.Open "DSN=" & Secure_ODBC

Should be:

Conn_secure.Open "DSN=secure_ODBC_NAME"

in which secure_ODBC_name refers to the name of the ODBC connection of the database you want to use. In your case "login".


Session(Session("secure")
in the 2 lines you mentioned should be:
Session("secure")


Concerning the cookies: as this method uses session variables, your browser has to accept cookies, otherwise it won't work.
ASP session variables need cookies to work (I could explain why if you really want to know).


Concerning the use of includes in html, you will have to rename the file to ".stm". This is because the extension ".htm" does not support server side include. Or you have to instruct IIS to accept the extension .htm as SSI (which needs some editing of the registry for IIS3 and some other editing in IIS4).

".asp" accepts includes without problem.
I thought you were only using .asp, so I did not give any instructions for this.

The table in the login database is specified in the sql-statement:

strSQL = "SELECT * FROM tablename WHERE username='" & Request.Form("user") & "'"

I think I answered all your questions, if you need more, then just ask.

sybe


0
 
LVL 2

Author Comment

by:englishman
ID: 1858686
Sybe,
I can tell it's getting closer. However...

As things stand, when I go to the welcome page, the included secure.inc sends me to login.asp. Whatever I put in the form, login.asp simply reloads. I get no further than this though the database contains a name and password and the DSN is OK.

Two (maybe relevant) questions:
Do I need to change "PATH_INFO" to a value in line 3 of secure.inc?
How does the browser know where to go from login.asp?


Directory structure:

Root
|
|
|--login--login.asp
|       --secure.inc
|
|
|
|--members--welcome.asp


welcome.asp includes:

<!--#include file="../login/secure.inc"-->
<html>


login.asp includes:

<body>

<form action="<%=Session("Startpage")%>" method="POST">
  <input type="hidden" name="secure" value="securelogin"><table>
    <tr>
      <td>username:</td>
      <td><input type="text" name="user" size="20"></td>
    </tr>
    <tr>
      <td>password:</td>
      <td><input type="password" name="pass" size="20"></td>
    </tr>
etc...


secure.inc is:

<%
Session("Loginpage") = "../login/login.asp"
Session("Startpage") = Request.ServerVariables("PATH_INFO")

If Request.Form("secure") <> "" Then
Set Conn_secure = Server.CreateObject("ADODB.Connection")
Conn_secure.ConnectionTimeout = 5
Conn_secure.CommandTimeout = 5
Conn_secure.Open "DSN=login"

strSQL = "SELECT * FROM login WHERE username='" & Request.Form("user") & "'"
Set RS_secure = Conn_secure.Execute(strSQL)

Do
If Session("secure") Then Exit Do
If RS_secure.EOF Then Exit Do
If RS_secure("password") =Request.Form("pass") Then
Session("user") = RS_secure("username")
Session("secure") = "True"
End If
RS_secure.MoveNext
Loop
RS_secure.Close

End If



If NOT Session("secure") Then
Response.Redirect(Session("Loginpage"))
End If
%>


0
 
LVL 28

Expert Comment

by:sybe
ID: 1858687
Ok, then it's time for debugging, finding out where things go wrong.

First let me answer your question.
1. No don't change the "PATH_INFO" thing. The trick is the login.asp will submit the form to the page where it was called from. So it will work from every page in your site. If people don't go to the welcome page first, but to another one, that is possible (but they still have to login first). When they have passed the login, they will go to the page they asked for in the first place.

2. See 1.

====


1.

Ok, let's find out where it goes wrong. Somehow the value of Session("secure") is not set to "True".

But I'd like to know the value of it.

Change:
If NOT Session("secure") Then
  Response.Redirect(Session("Loginpage"))
End If

to:

If NOT Session("secure") Then
  Response.write "Session(""secure"") = " & Session("secure")
  Response.Redirect(Session("Loginpage"))
End If

This will display the value of Session("secure") and give you an error message.


2.

Add some code to this:

Do
  If Session("secure") Then Exit Do
  If RS_secure.EOF Then Exit Do
  If RS_secure("password") =Request.Form("pass") Then
    Session("user") = RS_secure("username")
    Session("secure") = "True"
  End If
  RS_secure.MoveNext
Loop
RS_secure.Close


:::

Do
  Response.write "username = " & RS_secure("username") & " password = " & RS_secure("password") & "<br>"
  If Session("secure") Then Exit Do
  If RS_secure.EOF Then Exit Do
  If RS_secure("password") =Request.Form("pass") Then
    Session("user") = RS_secure("username")
    Session("secure") = "True"
  End If
  RS_secure.MoveNext
Loop
RS_secure.Close

This will show all records in the database with the right username.

3.

Change

strSQL = "SELECT * FROM login WHERE username='" & Request.Form("user") & "'"
Set RS_secure = Conn_secure.Execute(strSQL)

to:

strSQL = "SELECT * FROM login WHERE username='" & Request.Form("user") & "'"
Response.write strSQL & "<br>"
Set RS_secure = Conn_secure.Execute(strSQL)


==============

If you show me the output, I know better where it goes wrong.



0
 
LVL 2

Author Comment

by:englishman
ID: 1858688
After 1) I get the following message:

Session("secure") =

Response object error 'ASP 0156'

Header Error

/OFFINT/members/../login/secure.inc, line 28

The HTTP headers are already written to the client browser. Any HTTP header modifications must be made before writing page content.


Adding 2) made no difference to the error message (I simply tagged it on at  the end) - I'm not sure if this is what you meant.


Having reversed changes 1) and 2), adding 3) returned the original problem of login.asp just reloading.

NM
0
 
LVL 28

Expert Comment

by:sybe
ID: 1858689
ok, that means that the session variable is not set in the do-loop. Now it's time to check what the do-loop is doing.

with change 2, I meant that you should add one line of code to the Do-loop. That line is:

Response.write "username = " & RS_secure("username") & " password = " & RS_secure("password") & "<br>"

It should NOT be at the end, but this line should be placed in the do-loop, right after "Do". See above if you are not sure.


0
 
LVL 2

Author Comment

by:englishman
ID: 1858690
Stupid me,..
adding the line of code 2) makes no difference whether or not 1) has been done. It gives no extra output.
3) also makes no difference

NM
0
 
LVL 2

Author Comment

by:englishman
ID: 1858691
I meant to say that adding 2) makes no difference to the output.

I don't know if this is useful but if I change line 6 from:
If Request.Form("secure") <> "" Then
to:
If Request.Form("secure") <> "x" Then

I get the following error:

ADODB.Field error '800a0bcd'

No current record.

/OFFINT/members/../login/secure.inc, line 16

Regards,
NM
0
 
LVL 28

Expert Comment

by:sybe
ID: 1858692
The change:
strSQL = "SELECT * FROM login WHERE username='" & Request.Form("user") & "'"
Set RS_secure = Conn_secure.Execute(strSQL)

to:
Response.write "login name=" & Request.Form("user") & " password=" & Request.Form("pass") & "<p>"
strSQL = "SELECT * FROM login"
Set RS_secure = Conn_secure.Execute(strSQL)

It will show the used username/password, followed by all users from the database. See if there is a combination that fits.
The error you get suggests that there is no user in the database with the username that is checked.

Check also if the names of the formfield correspond with the names of the formfields in secure.inc

Request.form("username") supposes a formfield named "username" in the previous page.


0
 
LVL 2

Author Comment

by:englishman
ID: 1858693
I'm afraid to say the changes still make no difference, I can get no output from the database as you suggested in 2) and 3).
My DSN is right, form field names match, directories executable, database has 2 fields correctly named and filled in. I have fiddled and fiddled and am close to my wit's end. Please take the time to check once more, I'm sure there must be something missing in secure.inc.

Also is:
<form action="<%= Session("Startpage")%>" method="POST">
  <input type="hidden" name="secure" value="securelogin"><table>
in login.asp correct?

Regards,
NM
0
 
LVL 2

Author Comment

by:englishman
ID: 1858694
For what it's worth, a mate of mine reckons it's not entering the do-loop.
NM
0
 
LVL 28

Expert Comment

by:sybe
ID: 1858695
So try to get the username/passwords from your database, see if this code works in a new page,
use only this code



<%
Set Conn_secure = Server.CreateObject("ADODB.Connection")
Conn_secure.ConnectionTimeout = 5
Conn_secure.CommandTimeout = 5
Conn_secure.Open "DSN=login"


strSQL = "SELECT * FROM login"
Set RS_secure = Conn_secure.Execute(strSQL)

While Not RS_secure.EOF
  Response.write "username = " & RS_secure("username") & " password = " & RS_secure("password") & "<br>"
RS_secure.MoveNext
Loop
RS_secure.Close
%>

and see if you get any output


0

 
LVL 2

Author Comment

by:englishman
ID: 1858696
Microsoft VBScript compilation error '800a040e'

'loop' without 'do'

/members/new_page_2.asp, line 15

Loop
^

where shall I put the Do?
0
 
LVL 2

Author Comment

by:englishman
ID: 1858697
OK
Do WHILE ....

this pulls the records from the database, it works
NM
0
 
LVL 28

Expert Comment

by:sybe
ID: 1858698
Now try to submit the login.asp to this page
by changing the form-definition in the login.asp to
<form action="this_new_asp.asp" method="POST">


and change the code in this_new_asp.asp from

strSQL = "SELECT * FROM login"

to

strSQL = "SELECT * FROM login WHERE username='" & Request.Form("user") & "'"

See what that gives

 
0
 
LVL 28

Expert Comment

by:sybe
ID: 1858699
just trying to find where it goes wrong, so starting at a point from where it still works, and then step by step go to the full application.
0
 
LVL 2

Author Comment

by:englishman
ID: 1858700
That's fine - if I enter nothing in, the new page returns an empty page.
If I enter the name it returns the name and password.
If I enter the name and password, it returns the name and password.

0
 
LVL 28

Expert Comment

by:sybe
ID: 1858701
Ok, that's good.

Now, edit secure.inc:

Make the Do-Loop like this:

Do While Not RS_secure.EOF
  'Response.write "username = " & RS_secure("username") & " password = " & RS_secure("password") & "<br>"
  If RS_secure("password") =Request.Form("pass") Then
    Session("user") = RS_secure("username")
    Session("secure") = "True"
  End If
RS_secure.MoveNext
Loop
RS_secure.Close

and in login.asp change the <form action=...> back to what it was:

<form action="<%= Session("Startpage") %>" method=POST>

See what it does

0
 
LVL 2

Author Comment

by:englishman
ID: 1858702
Back to the problem of login.asp reloading.

0
 
LVL 28

Expert Comment

by:sybe
ID: 1858703
Does your browser support cookies ?? It should !

I have it working with this code

login.asp:

==========================

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>

<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<title>Login</title>
</head>

<body bgcolor="#FFFFFF" link="#004400" vlink="#004400" alink="#004400">



<form action="<%= Session("Startpage") %>" method=POST>
<table>
<tr>
      <td>username:</td><td><input type=text name=user></td>
</tr><tr>
      <td>password:</td><td><input type=password name=pass></td>
</tr><tr>
      <td>&nbsp;</td><td align=right><input type=reset value=" cancel ">&nbsp;<input type=submit value=" ok "></td>
</tr>
</table>
<input type=hidden name=secure value="securelogin">
</form>


</body>
</html>

==============================
secure.inc
==============================

<%              
Session("Loginpage") = "/asp/securetest/secure/login.asp"
Session("Startpage") = Request.ServerVariables("PATH_INFO")

If Request.Form("secure") <> "" Then
      Set Conn_secure = Server.CreateObject("ADODB.Connection")
      Conn_secure.ConnectionTimeout = 5
      Conn_secure.CommandTimeout = 5
      Conn_secure.Open "DSN=Sybe_Secure"

      strSQL = "SELECT * FROM Login WHERE username='" & Request.Form("user") & "'"
      Set RS_secure = Conn_secure.Execute(strSQL)

      Do
      If Session("secure") Then Exit Do
      If RS_secure.EOF Then Exit Do
            If RS_secure("password") =  Request.Form("pass") Then
                  Session("user") = RS_secure("username")
                  Session("secure") = "True"
            End If
      RS_secure.MoveNext
      Loop
      RS_secure.Close

End If

If NOT Session("secure") Then
      Response.Redirect(Session("Loginpage"))
End If
%>

============================

Database: Access
Table: "login"
Fields:
   ID - autonumber
   username - text
   password - text

======================
ODBC-connection to this database named Sybe_Secure

======================

I don't know where it goes wrong with you. I can only think of the cookie now.




0
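
The lookup in the secure.inc posted above builds its SQL string by concatenating Request.Form("user"), so whatever is typed into the username field is parsed as part of the statement. The following is an added example, not code from the thread: the same include with the username bound as an ADO parameter and the login check limited to POST requests. It assumes the DSN "login", table "login" and fields "username"/"password" used in the thread; the function name CheckLogin and the 50-character limit are assumptions.

```vbscript
<%
' Added example, not code from the thread: secure.inc with a parameterized lookup.
' Taken from the thread: DSN "login", table "login", text fields "username" and "password".
Session("Loginpage") = "/path/login.asp"
Session("Startpage") = Request.ServerVariables("PATH_INFO")

' CheckLogin is a hypothetical helper name; it returns True only on an exact match.
Function CheckLogin(strUser, strPass)
    Const adCmdText = 1        ' ADO CommandTypeEnum
    Const adVarChar = 200      ' ADO DataTypeEnum
    Const adParamInput = 1     ' ADO ParameterDirectionEnum
    Const MAX_FIELD_LEN = 50   ' assumed column width; match it to the Access field size
    Dim conn, cmd, rs

    CheckLogin = False
    ' Reject empty or oversized input before it reaches the database.
    If Len(strUser) = 0 Or Len(strUser) > MAX_FIELD_LEN Then Exit Function
    If Len(strPass) = 0 Or Len(strPass) > MAX_FIELD_LEN Then Exit Function

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.ConnectionTimeout = 5
    conn.CommandTimeout = 5
    conn.Open "DSN=login"

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholder is bound as data, so a quote in the form field
    ' cannot change the structure of the statement.
    cmd.CommandText = "SELECT [password] FROM login WHERE username = ?"
    cmd.Parameters.Append cmd.CreateParameter("user", adVarChar, adParamInput, MAX_FIELD_LEN, strUser)

    Set rs = cmd.Execute
    Do While Not rs.EOF
        ' & "" turns a Null field into an empty string; 0 = binary (case-sensitive) compare.
        If StrComp(rs("password").Value & "", strPass, 0) = 0 Then
            CheckLogin = True
            Exit Do
        End If
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set conn = Nothing
End Function

' Treat the request as a login attempt only when it is a POST carrying the hidden marker field.
If Request.ServerVariables("REQUEST_METHOD") = "POST" And Request.Form("secure") <> "" Then
    If CheckLogin(Request.Form("user") & "", Request.Form("pass") & "") Then
        Session("user") = Request.Form("user") & ""
        Session("secure") = True     ' a real Boolean, not the string "True"
    End If
End If

If Not (Session("secure") = True) Then
    Response.Redirect Session("Loginpage")
End If
%>
```

In login.asp the matching change is to write the form target as `<%= Server.HTMLEncode(Session("Startpage")) %>`, since PATH_INFO comes from the request URL.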
 
LVL 2

Author Comment

by:englishman
ID: 1858704
Mine is the same exactly except:

secure.inc, line 2:
Session("Loginpage") = "/offint/members/login/login.asp"

/offint/members/login/login.asp is the path from the web root.

secure.inc is in the same directory as login.asp.

one directory higher (in "members") is welcome.asp which begins with:
<!--#include file="login/secure.inc"-->

Visiting welcome.asp calls up secure.inc which sends you to login.asp. Filling this in correctly should take you back to (and display) welcome.inc.

Is this all correct?
0
 
LVL 2

Author Comment

by:englishman
ID: 1858705
Correction:
Visiting welcome.asp calls up secure.inc which sends you to login.asp. Filling this in correctly should take you back to (and display) welcome.asp.
0
 
LVL 28

Expert Comment

by:sybe
ID: 1858706
Yes.

If also the ODBC connection is correct it should work.
Remember the cookie-thing: you have to accept them.

Does it work ??
0
 
LVL 2

Author Comment

by:englishman
ID: 1858707
Cookies are enabled and I get a cookie warning with the "warn before accepting cookies" turned on in the (MS Iexplorer 3.2) options.
Cookie name is : ASPSESSIONID

0
 
LVL 2

Author Comment

by:englishman
ID: 1858708
cookie path is: /offint/members/login
0
 
LVL 2

Author Comment

by:englishman
ID: 1858710
It works!
You're a star.
The problem I think was a mixture of cache and network settings, though that may sound strange. Also when I saw the cookie path didn't lead to the welcome page I moved the files around a bit. In fact I think that may have been it.
At one stage I was thrown two cookies instead of one.
When I set it up at home I should know better what the problem was and will email you if I can repeat it.
For now down the pub to celebrate.
Thank you very much again for everything, hopefully you won't avoid answering any future queries I may have.

NM
0
 
LVL 28

Expert Comment

by:sybe
ID: 1858711
Wow, I am glad you got it working.

I did not meet the cookie problem before, let me know how you got it if you find out.
Have a good drink !
0
