Solved

security.asp

Posted on 2001-06-15
24
243 Views
Last Modified: 2011-10-03
i would like an include file which checks for session expiration and redirects to login page automatically.

something like this:
<%Response.AddHeader "Refresh",CStr(CInt(Session.Timeout + 1) * 60)
Response.AddHeader "cache-control", "private"
Response.AddHeader "Pragma","No-Cache"
Response.Buffer = TRUE
Response.Expires = 0
Response.ExpiresAbsolute = 0

If Session("UserId") = "" Then
     Session("RequestedURL") = "http://" & _
         Request.ServerVariables("SERVER_NAME") & _
          Request.ServerVariables("SCRIPT_NAME")

     Temp = Request.ServerVariables("QUERY_STRING")
     If (Not(ISNull(Temp)) AND Temp <> "") Then
          Session("RequestedURL") = Session("RequestedURL") & _
              "?" & Temp
     End If
     Response.Redirect("../default.asp")
End If
%>

but its not working.it should redirect automatically and not when the user tries to access a page.thanks a lot.
0
Comment
Question by:p_arsoor
  • 7
  • 6
  • 4
  • +4
24 Comments
 
LVL 7

Expert Comment

by:weesiong
Comment Utility
p_arsoor,

If Session("UserId") = "" Then
    Session("RequestedURL") = "http://" & _
        Request.ServerVariables("SERVER_NAME") & "/" &  _
         Request.ServerVariables("URL_HTTP")

   Response.Redirect("../default.asp")
End If

Regards,
Wee Siong
   
0
 
LVL 7

Expert Comment

by:weesiong
Comment Utility
Oh...
Sorry is

If Session("UserId") = "" Then
   Session("RequestedURL") = "http://" & _
       Request.ServerVariables("SERVER_NAME") & "/" &  _
        Request.ServerVariables("HTTP_URL")

  Response.Redirect("../default.asp")
End If

0
 
LVL 10

Expert Comment

by:makerp
Comment Utility
this is best done like this

when the user logs in sucessfully set a Session("user_name") variable to their username.

then at the start of each file just do

IF(Session("username") = "")THEN
   Response.Redirect("...... .asp")
   Response.End
END IF

when the seesion times out all sessions will be deleted therefore after the seesion timeout Session("username") will yeild ""

cool :)
0
 

Author Comment

by:p_arsoor
Comment Utility
makerp

 your script does not redirect automatically.it only redirects if the user tries to access the page again after the session expires.


weesiong

do i have to leave this part in my code or take it out.

<%Response.AddHeader "Refresh",CStr(CInt(Session.Timeout + 1) * 60)
Response.AddHeader "cache-control", "private"
Response.AddHeader "Pragma","No-Cache"
Response.Buffer = TRUE
Response.Expires = 0
Response.ExpiresAbsolute = 0


0
 
LVL 10

Expert Comment

by:makerp
Comment Utility
well what do you mean redirect automatically ?

IF(Session("username") = "")THEN
  Response.Redirect("login.asp")
  Response.End
ELSE
  Response.Redirect("other_page.asp")
END IF

0
 
LVL 10

Expert Comment

by:makerp
Comment Utility
if you put this code in an include then include it at the start of every file then if a user hits a page and has an username they will be allowed to see if if not they will be sent to the login.asp

<!--#include file="security.inc"-->
<%
' other asp code
%>
0
 
LVL 7

Expert Comment

by:weesiong
Comment Utility
p_arsoor,

No need, just need:

<%
Response.Expires = 0
If Session("UserId") = "" Then
  Session("RequestedURL") = "http://" & _
      Request.ServerVariables("SERVER_NAME") & "/" &  _
       Request.ServerVariables("HTTP_URL")

 Response.Redirect("../default.asp")
End If
%>

Regards,
Wee Siong
0
 

Author Comment

by:p_arsoor
Comment Utility
never mind makerp.
    you are not getting my point.if the user loggs in,does some work and goes for a coffee break.by the time he comes back the session would have expired.if he tries to resume his work,since the session expired,he will redirected to login page.

but if he does not do anything--that page will sit there for months.i was trying to redirect even if the user does not do anything.

THE PAGE SHOULD REDIRECT TO LOGIN PAGE AFTER 20 MINUTES OF INACTIVITY.thats whati meant by AUTOMATICALLY.

weesiong
actually my code works,i was not waiting for 20 minutes.now i tested it by shortening the session.timeout = 1 and it works.but thanks anyway.

have a good week end.
0
 
LVL 7

Expert Comment

by:weesiong
Comment Utility
p_arsoor,

no need 1 min, using

Session.Abandon 'to clear the session for logout

So you can close the question now, and using the ServerVariables() i show, it more short and easy :p

Regards,
Wee Siong
0
 

Author Comment

by:p_arsoor
Comment Utility
any one willing to give it a try?.my code refreshes the page after 21 minutes(CStr(CInt(Session.Timeout + 1) * 60)
)

thats is not a good thing.if the user is filling out a long form and the page refreshes,he is gonna be plenty mad.
the page has to refresh after the session timeout(after 20 minutes of inactivity).

thanks
0
 

Author Comment

by:p_arsoor
Comment Utility
any one willing to give it a try?.my code refreshes the page after 21 minutes(CStr(CInt(Session.Timeout + 1) * 60)
)

thats is not a good thing.if the user is filling out a long form and the page refreshes,he is gonna be plenty mad.
the page has to refresh after the session timeout(after 20 minutes of inactivity).

thanks
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 10

Expert Comment

by:makerp
Comment Utility
whats the url
0
 

Author Comment

by:p_arsoor
Comment Utility
what URL?

you mean this part of my code?.
Session("RequestedURL") = "http://" & _
        Request.ServerVariables("SERVER_NAME") & _
         Request.ServerVariables("SCRIPT_NAME")

    Temp = Request.ServerVariables("QUERY_STRING")
    If (Not(ISNull(Temp)) AND Temp <> "") Then
         Session("RequestedURL") = Session("RequestedURL") & _
             "?" & Temp
    End If

i do not understand that either.i guess thats not so imp.this is what is imp to me.

<%Response.AddHeader "Refresh",CStr(CInt(Session.Timeout + 1) * 60)
Response.AddHeader "cache-control", "private"
Response.AddHeader "Pragma","No-Cache"
Response.Buffer = TRUE
Response.Expires = 0
Response.ExpiresAbsolute = 0

If Session("UserId") = "" Then
    Response.Redirect("../default.asp")
End If
%>
0
 
LVL 19

Expert Comment

by:webwoman
Comment Utility
Here's where the problem is -- you've got no way to force the user to redirect ONLY when the session times out.

You can set a cookie or other variable to trigger when they leave or reload the page -- but if they never close it, it's going to sit there.

You can set a meta refresh for a certain time -- but if they DON'T need the refresh, it's still going to happen.

You don't have a way to PUSH something to the client when, and only when, the session times out. Even if you did, there's no guarantee -- what if they disconnect from however they've connected, and leave the browser open? The page will still be there until they close the browser, and you can't do ANYTHING about it -- they're not even connected to your server.

I've seen plenty of sites that timed out -- but ONLY when you attempted to reconnect to them, whether by reloading the page, going to another page on the site, etc. NOT automatically.
0
 
LVL 10

Expert Comment

by:makerp
Comment Utility
webwoman is right, the web is a PULL based technology. ypu could always set a javascript timer that when expires redirects the apge on the client side
0
 

Author Comment

by:p_arsoor
Comment Utility
www.myciti.com is doing that.
when the session is about to expire,a window pops out which asks "there is no activity for some time,would you like to continue"

if the user selects yes,it won't time out.if the user selects no or ignores it,the session will expire and brought back to login screen.
0
 
LVL 4

Expert Comment

by:epeele
Comment Utility
so is that what you'd like to implement?  The timer like at myciti.com?
0
 

Author Comment

by:p_arsoor
Comment Utility
hi epeele
   how are you?.
yes,exactly like that.can you help?.thanks
0
 
LVL 4

Expert Comment

by:epeele
Comment Utility
I'll see what I can whip up. :)
0
 
LVL 4

Expert Comment

by:vindevogel
Comment Utility
p arsoor

In the global.asa, you have the session_end() event.
I think you should program something in there, unfortunately I have to clue what.

But, since I had not seen comment on the global.asa, I wanted to let you know anyway.

Maybe you can test with Response.Redirect in that event.
0
 
LVL 10

Expert Comment

by:makerp
Comment Utility
javascript !
0
 
LVL 4

Accepted Solution

by:
epeele earned 25 total points
Comment Utility
You'll want to have Session.Abandon on the page you redirect to.

<script language=javascript>
     if (navigator.appName == "Netscape"){
          document.captureEvents(Event.KEYPRESS | Event.CLICK);
     }

     document.onkeydown = addTime;
     document.onclick = addTime;
     
     var totalTime = 20;
     
     function setTimer(){
          var toTimer;
         
          tTime = 60000;
          toTimer = setTimeout("checkTime()",tTime);
     
     }
     
     function checkTime(){
          if (totalTime < 1){
               window.location.href="login.asp";
          }else{
               subtractTime();
          }
     }
     
     function subtractTime(){
     
          totalTime = totalTime-1;
          setTimer()
     }
     
     function addTime(){
          if (totalTime < 20){
               totalTime = totalTime + 1;
          }else{
               totalTime = 20;
          }
     }

     setTimer();
</script>
0
 
LVL 14

Expert Comment

by:puranik_p
Comment Utility

        No comment has been added lately, so it's time to clean up this TA.
         I will leave a recommendation in the Cleanup topic area that this question is:

->    Accept epeele's comment as answer

         Please leave any comments here within the next seven days.
         
         PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
         
         puranik_p
         EE Cleanup Volunteer  

0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now