Checking code and adding security level

I want to create a connection to an Access file.
I created some ASP files. The first I called authenticate.asp, where you enter your login name and password.
validate.asp is the main file that contains the script and redirects you to other pages.
The code is below:
 
<% Language=VBScript %>
<%Response.Buffer = true%>
<%Response.Expires = 0
Dim strLogin
Dim strPW
Dim objConn, strSQL, objRS as recordset
strLogin = Request.Form("login")
strPW = Request.Form("pw")            
Set objConn = Server.CreateObject("ADODB.Connection")      
Set db = DBEngine.Workspaces(0).OpenDatabase(app.path & "\users.mdb" )
'Set rs = Server.CreateObject("ADODB.Recordset")
'conn.open "DBQ="users.mdb" & ";Driver={Microsoft Access Driver (*.mdb)};"      
      sqltemp="select * from users WHERE login = '" & _
     strLogin  & "' AND Password = '" & _
     strPW  & "'"
            sqltemp=sqltemp & strLogin & "'"
            Set objRS=objConn.execute(sqltemp)
%>
<!-- If the login is not in the database, then attempt fails with msg -->      
<%If  objRS.eof then%>
   <font size = '2' face = 'arial'>There is no user with the Login: <font size = '3' face = 'arial'><strong>
  <%=strLogin%></strong></font> in our database.</font><br>   <font size = '1' face = 'arial'>Did you misstype your login? Try <font size = '2' face ='arial'><A href='notvalidated.asp'>not authorized</a></font>
   <%response.end
end if
<!---- End of login Check ----><!---- Beginning of PW Check --><!---- If PW found then attempt succeeds and gives details with msg -->
If  objRS("Password")=strPW and objRS("Login") = strLogin then
session("bolAuthenticated")= True  
session("name") = objRS("Login")  
session("securitylevel")=objRS("security_level")  
session("pw") = objRS("password")
response.write " You are logged in as " %> <%=session("name")%>
<br>

   <%Response.write "Security Level= " & session("securitylevel")
  Response.Write "<a href='download.asp'>" & "<br>" & "click here to access the admin screen" & "</a>"%>
  <%session("bolAuthenticated") = true
  else%>
<!--- If PW not found then attempt fails with msg -->
 <font size = '3' face='arial'color = 'red'><strong>Password Unrecognized</strong></font><br>
  <font size = '1' face = 'arial'>Did you misstype your Password? Try <font size = '2' face ='arial'><A href='notvalidated.asp'>wrong password</a></font>
  <%response.end
  end if
<!---- End of PW Check ---->
objRS.close
objConn.close
set objRS=nothing
set objConn=nothing
%>
<HTML>
<HEAD>
</HEAD>
<BODY>
</BODY>
</HTML>
In addition, I have 3 degrees of security (I named them a, b, c in Access). Now I have to write something like this:
IF  session ("securitylevel")=objRS ("A")
Response.redirect "/page1.asp
IF session ("securitylevel")=objRS ("B")
Response.redirect "/page2.asp
else
Response.redirect "/page3.asp
I know what I have to write, but I don't know how to write it and where to put it in the script.
Thanks
dsmarketAsked:

dsmarketAuthor Commented:
I forgot to mention that the code doesn't work, although I tried many times.
What's wrong in it?
0
bagi112599Commented:
Looks like you have to run 2 queries:
1. to find out if there is any user with login as strLogin
2. if yes, to find out if the password for strLogin matches the submitted password strPW
So, change the following code of yours

sqltemp="select * from users WHERE login = '" & _
     strLogin  & "' AND Password = '" & _
     strPW  & "'"
sqltemp=sqltemp & strLogin & "'"

into

sqltemp="select * from users WHERE login = '" & _
     strLogin  & "'"

and run a second query as:

sqltemp="select * from users WHERE login = '" & _
     strLogin  & "' AND Password = '" & _
     strPW  & "'"

Good luck




0

md_harrisCommented:
This is the authentication page I use (slightly modified) whenever I do a "Secure" site. It's short and simple and works very well. The login page submits to this page, then is redirected either back to the login page in the case of a bad username/pw or to the main site in the case of a good username/pw. It also prevents multiple login attempts.


<%
'--- pagename: authenticate.asp
Dim rst
Dim strSQL
Dim dsn

dsn="dsn=whatever"

'------ Start a count to keep track of multiple login attempts ---------
if session("count")>0 then
      session("count")=session("count")+1
else
      session("count")=1
end if

'---- create and open the rs with values from the login page text fields
Set rst = CreateObject("ADODB.Recordset")
strSQL = "SELECT password, Login, securelev  FROM  users WHERE ((Login='" & request.form("login") & "') AND (password='" & request.form("pw") & "'));"

rst.Open strSQL, dsn

If rst.EOF AND rst.BOF then
      '------- No records returned so this user is not in the DB
      session("key")="bad"  '--set the key to an improper value just to be safe

      '--- He gets five chances to login then send him to the hampsterdance!!!!
      if session("count")>5 then response.redirect("http://www.hampsterdance.com/")      
      '-- if he didn't go to the hampsterdance set up the fail string
      Session("Message1")="Login Incorrect.  Please try again. "
      rst.Close
      set rst = nothing
      '--- send em back to the login page       
      Response.Redirect("Login.asp")      
Else
      '--- user is a valid user so set a unique key for him      
      session("key")="thekey" & session.sessionid
      session("count")=0
      session("securelev")=cstr(rst("securelev")) '--track the secure level through site
            '-- send them to the site
      if cstr(rst("securelev"))="A" then Response.Redirect("startpage1.asp")
      if cstr(rst("securelev"))="B" then Response.Redirect("startpage2.asp")
      if cstr(rst("securelev"))="C" then Response.Redirect("startpage3.asp")      
end if

rst.Close
set rst = nothing
%>


The following ASP needs to be on every page in the "secure" area of the site to check the user's "key":

<%
if session("key")<>"thekey" & session.sessionid then Response.Redirect("Login.asp")
%>

The following code needs to be on the login.asp page to display the bad login message:

<%
response.write session("message1")
session("message1")=""  'clear the error message
%>
0
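The same login flow with the form values bound as ADO parameters instead of being concatenated into the SQL string, so the submitted text cannot change the query, plus the A/B/C redirect the question asks about. This is an added example, not code posted by anyone in the thread; it reuses the DSN, table, column and page names from the answer above, and the 50-character field size is an assumption.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' Added example, not code from the thread. The DSN, table, columns and page
' names come from the answer above; the field size of 50 is an assumption.
Const adCmdText = 1, adVarChar = 200, adParamInput = 1   ' standard ADO constants

Dim conn, cmd, rst, level, target
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "dsn=whatever"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? markers are bound below, so form input travels as data and is
' never spliced into the SQL text.
cmd.CommandText = "SELECT securelev FROM users WHERE Login = ? AND [password] = ?"
cmd.Parameters.Append cmd.CreateParameter("login", adVarChar, adParamInput, 50, Left(Request.Form("login") & "", 50))
cmd.Parameters.Append cmd.CreateParameter("pw", adVarChar, adParamInput, 50, Left(Request.Form("pw") & "", 50))
Set rst = cmd.Execute

' No row means the login/password pair is not in the table.
If rst.EOF Then
    level = ""
Else
    level = UCase(Trim(rst("securelev") & ""))
End If
rst.Close : conn.Close
Set rst = Nothing : Set cmd = Nothing : Set conn = Nothing

' Map the stored level to a start page; an unknown level is treated as a failed login.
Select Case level
    Case "A" : target = "startpage1.asp"
    Case "B" : target = "startpage2.asp"
    Case "C" : target = "startpage3.asp"
    Case Else : target = ""
End Select

If target = "" Then
    Session("key") = "bad"
    Session("Message1") = "Login Incorrect.  Please try again. "
    Response.Redirect "Login.asp"
Else
    Session("key") = "thekey" & Session.SessionID
    Session("securelev") = level
    Response.Redirect target
End If
%>
```

Each start page should also compare `Session("securelev")` with the level it serves, since the key check alone only shows that some user logged in.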
dsmarketAuthor Commented:
To md_harris:
I'm very sorry, but it seems that your code doesn't work. I get an error:
" Microsoft VBScript compilation error '800a0400'

Expected statement

/shalitd/authenticate.asp, line 4

\par Dim rst"
How can I fix it?
Thanks
0
md_harrisCommented:
dsmarket,

It works fine for me. Are you sure that you cut/pasted it correctly?
0