?
Solved

Login: UserName, Password and PIN.....hmmm...hairloss.

Posted on 2003-02-22
8
Medium Priority
?
336 Views
Last Modified: 2010-04-17
Hello, hope I'm in the right area for this question.

I have a Login page using 3 pieces of info: User Name, Password and PIN. This goes to a success page (coming off a MYSQL Db). The problem is when you successfully log in, the address bar shows:

http://www.thesiteaddress.com/admin~/index_t.asp?id=3

Unfortunately anyone can change the id=3 to id=4 or 5, 6, etc. and access other peoples details. I can't find a solution to prevent this.

I would prefer to have done this all in Dreamweaver MX without separate coding.

I've been giving myself headaches trying to secure this login! If anyone can help I'd appreciate it. The code is below. Cheers Guys & Gals.

PS. Does anyone know a a good AutoResponder script that different people can use from the same site. Logging in for their personalised Autorespond page and mangae their own emails. Preferably using MYSQL Db. I'm using Linux.



-----------------The Login Page

<%@LANGUAGE="VBSCRIPT"%>

<%

'/////login////

response.buffer = true


If request("id") = "verify" then

set dbConn = Server.CreateObject("ADODB.Connection")

dbConn.ConnectionString = "DSN=TheDSN"

dbConn.Open


set rs = Server.CreateObject("ADODB.Recordset")

SQL = "SELECT * FROM tblUsers WHERE UserName = '" & request("username") & "' AND Password = '" & request("Password") & "' AND PinNumber = '" & request("PinNumber") & "'"

set rs = dbConn.Execute(SQL)


If not rs.eof then

While not rs.EOF

group = rs("AccessGroup")

'response.write("group:" & group)

userid = rs("id")

'response.write("userid: " & userid)

rs.movenext

wend

If group = "Paid" then

session("Loggedin")=True
session("id")=userid

'redir = "admin~/index_t.asp

'response.write(redir)

'response.end

response.redirect("admin~/index_t.asp?id=" & userid)

ElseIf group = "NotPaid" then

session("oldloggedin")=True
session("id")=userid

'redir = "notavailable_cust.asp

'response.write(redir)

'response.end

response.redirect("notavailable_cust?id=" & userid)

End If

Else

'/////// redirect page if no match found in database///////

response.redirect("index_ie.asp?id=error")

End If

End If


%>



<SCRIPT runat=SERVER language=VBSCRIPT>
function DoDateTime(str, nNamedFormat, nLCID)
dim strRet
dim nOldLCID

strRet = str
If (nLCID > -1) Then
oldLCID = Session.LCID
End If

On Error Resume Next

If (nLCID > -1) Then
Session.LCID = nLCID
End If

If ((nLCID < 0) Or (Session.LCID = nLCID)) Then
strRet = FormatDateTime(str, nNamedFormat)
End If

If (nLCID > -1) Then
Session.LCID = oldLCID
End If

DoDateTime = strRet
End Function
</SCRIPT>
<HTML>
<HEAD>
<TITLE></TITLE>
<META http-equiv=Content-Type content="text/html; ch****t=iso-8859-1">
<META content="MSHTML 6.00.2800.1126" name=GENERATOR>
</HEAD>
<BODY bgcolor=#ffffff leftmargin=0 topmargin=0>
<TABLE cellspacing=0 cellpadding=0 width="100%" border=0>
<TBODY>
<TR valign="top">
<TD height="453">
<TABLE cellspacing=0 cellpadding=0 width="100%"
border=0>
<TBODY>
<TR>
<TD valign=middle colspan=3>
<TABLE width="740" border=0 align=left cellpadding=0 cellspacing=0>
<TBODY>
<TR>
<TD width="575" valign="top">
<TABLE width="100%" border=0 cellpadding=0 cellspacing=0>
<TBODY>
<TR>
<TD width="508" valign="top"><!-- ======================= form beginning ==========================//--> <%

if request("id") = "error" then

vartext = "Wrong, please check and try again."

End If

%>
<form name="Login" method="post" action="index_t.asp?id=verify" class="normal"> <form name="Login" method="post" action="/admin~/index_t.asp" class="normal">

<table border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#99CC66">
<tr>
<td height="18" colspan="2" valign="baseline" class="mainred"><%=vartext%></td>
</tr>
<tr>
<td height="32" colspan="2"><span
class=mainwht11><b><span class=mainblk><span
class=maindrkgrey><span class=mainwht11>Member Area:</span></span></span></b></span> <span
class=mainwht11><b><span class=mainblk></span></b></span></td>
</tr>
<tr>
<td width="106" class="mainwht">User Name</td>
<td width="140"><input class=mainblk maxlength=128
name=UserName size="20">
</td>
</tr>
<tr>
<td class="mainwht">Password</td>
<td width="140"><input class=mainblk type=password
maxlength=20 name=Password size="20">
</td>
</tr>
<tr>
<td class="mainwht">Pin</td>
<td width="140"><input class=mainblk type=password
maxlength=20 name=PinNumber size="20">
</td>
</tr>
<tr>
<td height="28"> </td>
<td width="140"> <input class=maindrkgrey type=submit value="Log In" name=submit>
</td>
</tr>
</table>
</form>
</TD>
</TR>
</TBODY>
</TABLE>
</TD>
</TR>
</TBODY>
</TABLE>
</TD>
<TD valign=top width=482>  </TD>
<TD width=165> </TD>
</TR>
</TBODY>
</TABLE>
</TD>
</TR>
</TBODY>
</TABLE>
</BODY>
</HTML>


-----------------The Success Page

<%@LANGUAGE="VBSCRIPT"%>
<!--#include virtual="/Connections/whatever.asp"-->

<%

response.buffer = true


If request("id") = "verify" then

set dbConn = Server.CreateObject("ADODB.Connection")

dbConn.ConnectionString = "DSN=theDSN"

dbConn.Open


set rs = Server.CreateObject("ADODB.Recordset")

SQL = "SELECT * FROM tblUsers WHERE UserName = '" & request("username") & "' AND Password = '" & request("Password") & "' AND PinNumber = '" & request("PinNumber") & "'"

set rs = dbConn.Execute(SQL)


If not rs.eof then

While not rs.EOF

group = rs("AccessGroup")

'response.write("group:" & group)

userid = rs("id")

'response.write("userid: " & userid)

rs.movenext

wend

If group = "Paid" then

session("Loggedin")=True
session("id")=userid

'redir = "admin~/index_t.asp

'response.write(redir)

'response.end

response.redirect("loggedin?id=" & userid)

ElseIf group = "NotPaid" then

session("oldloggedin")=True
session("id")=userid

'redir = "notavailable_cust.asp

'response.write(redir)

'response.end

response.redirect("notavailable_cust?id=" & userid)

End If

Else

'/////// redirect page if no match found in database///////

response.redirect("../sorrylogin.asp?id=error")

End If

End If


%>


<%


set dbConn = Server.CreateObject("ADODB.Connection")

dbConn.ConnectionString = "DSN=TheDSN"

dbConn.Open



if not session("Loggedin") then

response.redirect("../loggedout.asp")

End If

id=Session("id")

set rs= Server.CreateObject("ADODB.RecordSet")

SQL = "SELECT * from tblUsers where id=" & id

set rs = dbConn.Execute(SQL)


While not rs.EOF


rs.movenext

wend

dbconn.close

%>
<%
Dim rsUsers__MMColParam
rsUsers__MMColParam = "1"
If (Request.QueryString("id") <> "") Then
rsUsers__MMColParam = Request.QueryString("id")
End If
%>
<%
Dim rsUsers
Dim rsUsers_numRows

Set rsUsers = Server.CreateObject("ADODB.Recordset")
rsUsers.ActiveConnection = MM_TheConnection_STRING
rsUsers.Source = "SELECT * FROM tblUsers WHERE id = " + Replace(rsUsers__MMColParam, "'", "''") + ""
rsUsers.CursorType = 0
rsUsers.CursorLocation = 2
rsUsers.LockType = 1
rsUsers.Open()

rsUsers_numRows = 0
%>
<SCRIPT RUNAT=SERVER LANGUAGE=VBSCRIPT>
function DoDateTime(str, nNamedFormat, nLCID)
dim strRet
dim nOldLCID

strRet = str
If (nLCID > -1) Then
oldLCID = Session.LCID
End If

On Error Resume Next

If (nLCID > -1) Then
Session.LCID = nLCID
End If

If ((nLCID < 0) Or (Session.LCID = nLCID)) Then
strRet = FormatDateTime(str, nNamedFormat)
End If

If (nLCID > -1) Then
Session.LCID = oldLCID
End If

DoDateTime = strRet
End Function
</SCRIPT>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; ch****t=iso-8859-1">
</head>
<body>
<%
Response.Write MM_updateStr
%>
<table width="68%" border="0" cellspacing="0" cellpadding="0" align="center">
<tr>
<td>
<table width="100%" cellspacing="0" cellpadding="0" class="mainblk">
<tr class="mainwht11">
<td colspan="9">  </td>
</tr>
</table>
</td>
</tr>
<tr>
<td valign="top" nowrap> <b class="mainblk11"> <img src="../images/spacer.gif" width="4" height="1"><%=(rsUsers.Fields.Item("AdminContactFn").Value)%><img src="../images/spacer.gif" width="1" height="1">
welcome test</b></td>
</tr>
</table>
</body>
</html>
<%
rsUsers.Close()
Set rsUsers = Nothing
%>
0
Comment
Question by:Pye
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
8 Comments
 
LVL 11

Accepted Solution

by:
TreyH earned 60 total points
ID: 7999479
Instead of using "request.querystring", post a form instead. When using "request.form" the data passed is not visible int the http request line. You could then use a
session variable to store the user id once they are authorized.
0
 

Author Comment

by:Pye
ID: 7999501
Hmmm..but I will estimate many people logging in. Using a session variable will degrade the memory on the server, is there another way?
0
 

Author Comment

by:Pye
ID: 7999516
Oh and I don't really want to use cookies.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Pye
ID: 8001723
Guess I really don't have a choice. How does Experts Exchange do it?

TreyH can you put this code so it works, as you would use it so I can at least get it working (and see the code). :-)

Thanks for your help so far.

Cheers.





0
 
LVL 11

Expert Comment

by:TreyH
ID: 8003889
Here is some "crude" code that might get you started. I use something similar, but I deal mainly with web database applications that total users at one time would be around 50. Using a couple of small session variables that are strings or numbers doesn't seem to impact performance much. It's when you start getting carried away with them such as storing large arrays, recordsets ect...

Also keep in mind that the end user must accept "Session Cookies" for session variables to work at all. Otherwise a new session id is assigned each time a page is hit.

Sorry for crudeness, didn't have much time and figured you were needing a quick answer.

<%@ LANGUAGE="VBSCRIPT" %>
<% OPTION EXPLICIT %>
<%
Dim action, username, password, hidden
action = Trim(Request.QueryString("action") & "")
username = Trim(Request.Form("UserName") & "")
password = Trim(Request.form("Password") & "")
hidden = Trim(Request.Form("Hidden") & "")

%>
<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>New Page </title>
</head>

<body>
<%If Session("Authenticated") <> "YES" And action = "" Then%>

<p>Use &quot;test&quot; for UserName and &quot;test&quot; for Password.</p>

<form method="POST" action="default.asp?action=login">
  <p><input type="text" name="UserName" size="20"><input type="password" name="Password"
  size="20"><input type="submit" value="Submit" name="B1"><input type="reset" value="Reset"
  name="B2"></p>
</form>
<%
Else
Select Case action
     Case "logoff"
          Session("Authenticated") = ""
          Session("Username") = ""
          Response.write "You are now logged off." & "<br>UserName:" & username
          Response.write "<p><a href=Default.asp>Back To Login Page</a></p>"
         
     Case "login"
          'Do your database lookup to match username and password here.
          'For this simple example I simply used an If/Then
          If username = "test" And password = "test" Then
               Session("Authenticated") = "YES"
               Session("Username") = username     ''Or you can use your userid here
               Response.write "You are now authenticated." & "<br>UserName:" & username & "<br>Session Name:" & Session("Username")
               Response.write "<p><a href=Default.asp?action=logoff>Log Off</a></p>"
          Else
               Session("Authenticated") = ""
               Session("Username") = ""
               Response.write "Login Failed For:" & "<br>UserName:" & username
               Response.write "<p><a href=Default.asp>Back To Login Page</a></p>"
          End If
     
     
End Select
%>
<%End If%>
</body>
</html>
0
 

Author Comment

by:Pye
ID: 8003905
Hey, thanks Trey.

I'll give this a try.

Really appreciate you taking the time.

P.
0
 

Author Comment

by:Pye
ID: 8004032
Hey, thanks Trey.

I'll give this a try.

Really appreciate you taking the time.

P.
0
 

Author Comment

by:Pye
ID: 8078718
Thanks, I eventually came out of my coma and realised what I was doing wrong.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Whether you’re a college noob or a soon-to-be pro, these tips are sure to help you in your journey to becoming a programming ninja and stand out from the crowd.
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Simple Linear Regression
Starting up a Project

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question