Link to home
Start Free TrialLog in
Avatar of Pye
Pye

asked on

Login: UserName, Password and PIN.....hmmm...hairloss.

Hello, hope I'm in the right area for this question.

I have a Login page using 3 pieces of info: User Name, Password and PIN. This goes to a success page (coming off a MYSQL Db). The problem is when you successfully log in, the address bar shows:

http://www.thesiteaddress.com/admin~/index_t.asp?id=3

Unfortunately anyone can change the id=3 to id=4 or 5, 6, etc. and access other peoples details. I can't find a solution to prevent this.

I would prefer to have done this all in Dreamweaver MX without separate coding.

I've been giving myself headaches trying to secure this login! If anyone can help I'd appreciate it. The code is below. Cheers Guys & Gals.

PS. Does anyone know a a good AutoResponder script that different people can use from the same site. Logging in for their personalised Autorespond page and mangae their own emails. Preferably using MYSQL Db. I'm using Linux.



-----------------The Login Page

<%@LANGUAGE="VBSCRIPT"%>

<%

'/////login////

response.buffer = true


If request("id") = "verify" then

set dbConn = Server.CreateObject("ADODB.Connection")

dbConn.ConnectionString = "DSN=TheDSN"

dbConn.Open


set rs = Server.CreateObject("ADODB.Recordset")

SQL = "SELECT * FROM tblUsers WHERE UserName = '" & request("username") & "' AND Password = '" & request("Password") & "' AND PinNumber = '" & request("PinNumber") & "'"

set rs = dbConn.Execute(SQL)


If not rs.eof then

While not rs.EOF

group = rs("AccessGroup")

'response.write("group:" & group)

userid = rs("id")

'response.write("userid: " & userid)

rs.movenext

wend

If group = "Paid" then

session("Loggedin")=True
session("id")=userid

'redir = "admin~/index_t.asp

'response.write(redir)

'response.end

response.redirect("admin~/index_t.asp?id=" & userid)

ElseIf group = "NotPaid" then

session("oldloggedin")=True
session("id")=userid

'redir = "notavailable_cust.asp

'response.write(redir)

'response.end

response.redirect("notavailable_cust?id=" & userid)

End If

Else

'/////// redirect page if no match found in database///////

response.redirect("index_ie.asp?id=error")

End If

End If


%>



<SCRIPT runat=SERVER language=VBSCRIPT>
function DoDateTime(str, nNamedFormat, nLCID)
dim strRet
dim nOldLCID

strRet = str
If (nLCID > -1) Then
oldLCID = Session.LCID
End If

On Error Resume Next

If (nLCID > -1) Then
Session.LCID = nLCID
End If

If ((nLCID < 0) Or (Session.LCID = nLCID)) Then
strRet = FormatDateTime(str, nNamedFormat)
End If

If (nLCID > -1) Then
Session.LCID = oldLCID
End If

DoDateTime = strRet
End Function
</SCRIPT>
<HTML>
<HEAD>
<TITLE></TITLE>
<META http-equiv=Content-Type content="text/html; ch****t=iso-8859-1">
<META content="MSHTML 6.00.2800.1126" name=GENERATOR>
</HEAD>
<BODY bgcolor=#ffffff leftmargin=0 topmargin=0>
<TABLE cellspacing=0 cellpadding=0 width="100%" border=0>
<TBODY>
<TR valign="top">
<TD height="453">
<TABLE cellspacing=0 cellpadding=0 width="100%"
border=0>
<TBODY>
<TR>
<TD valign=middle colspan=3>
<TABLE width="740" border=0 align=left cellpadding=0 cellspacing=0>
<TBODY>
<TR>
<TD width="575" valign="top">
<TABLE width="100%" border=0 cellpadding=0 cellspacing=0>
<TBODY>
<TR>
<TD width="508" valign="top"><!-- ======================= form beginning ==========================//--> <%

if request("id") = "error" then

vartext = "Wrong, please check and try again."

End If

%>
<form name="Login" method="post" action="index_t.asp?id=verify" class="normal"> <form name="Login" method="post" action="/admin~/index_t.asp" class="normal">

<table border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#99CC66">
<tr>
<td height="18" colspan="2" valign="baseline" class="mainred"><%=vartext%></td>
</tr>
<tr>
<td height="32" colspan="2"><span
class=mainwht11><b><span class=mainblk><span
class=maindrkgrey><span class=mainwht11>Member Area:</span></span></span></b></span> <span
class=mainwht11><b><span class=mainblk></span></b></span></td>
</tr>
<tr>
<td width="106" class="mainwht">User Name</td>
<td width="140"><input class=mainblk maxlength=128
name=UserName size="20">
</td>
</tr>
<tr>
<td class="mainwht">Password</td>
<td width="140"><input class=mainblk type=password
maxlength=20 name=Password size="20">
</td>
</tr>
<tr>
<td class="mainwht">Pin</td>
<td width="140"><input class=mainblk type=password
maxlength=20 name=PinNumber size="20">
</td>
</tr>
<tr>
<td height="28"> </td>
<td width="140"> <input class=maindrkgrey type=submit value="Log In" name=submit>
</td>
</tr>
</table>
</form>
</TD>
</TR>
</TBODY>
</TABLE>
</TD>
</TR>
</TBODY>
</TABLE>
</TD>
<TD valign=top width=482>  </TD>
<TD width=165> </TD>
</TR>
</TBODY>
</TABLE>
</TD>
</TR>
</TBODY>
</TABLE>
</BODY>
</HTML>


-----------------The Success Page

<%@LANGUAGE="VBSCRIPT"%>
<!--#include virtual="/Connections/whatever.asp"-->

<%

response.buffer = true


If request("id") = "verify" then

set dbConn = Server.CreateObject("ADODB.Connection")

dbConn.ConnectionString = "DSN=theDSN"

dbConn.Open


set rs = Server.CreateObject("ADODB.Recordset")

SQL = "SELECT * FROM tblUsers WHERE UserName = '" & request("username") & "' AND Password = '" & request("Password") & "' AND PinNumber = '" & request("PinNumber") & "'"

set rs = dbConn.Execute(SQL)


If not rs.eof then

While not rs.EOF

group = rs("AccessGroup")

'response.write("group:" & group)

userid = rs("id")

'response.write("userid: " & userid)

rs.movenext

wend

If group = "Paid" then

session("Loggedin")=True
session("id")=userid

'redir = "admin~/index_t.asp

'response.write(redir)

'response.end

response.redirect("loggedin?id=" & userid)

ElseIf group = "NotPaid" then

session("oldloggedin")=True
session("id")=userid

'redir = "notavailable_cust.asp

'response.write(redir)

'response.end

response.redirect("notavailable_cust?id=" & userid)

End If

Else

'/////// redirect page if no match found in database///////

response.redirect("../sorrylogin.asp?id=error")

End If

End If


%>


<%


set dbConn = Server.CreateObject("ADODB.Connection")

dbConn.ConnectionString = "DSN=TheDSN"

dbConn.Open



if not session("Loggedin") then

response.redirect("../loggedout.asp")

End If

id=Session("id")

set rs= Server.CreateObject("ADODB.RecordSet")

SQL = "SELECT * from tblUsers where id=" & id

set rs = dbConn.Execute(SQL)


While not rs.EOF


rs.movenext

wend

dbconn.close

%>
<%
Dim rsUsers__MMColParam
rsUsers__MMColParam = "1"
If (Request.QueryString("id") <> "") Then
rsUsers__MMColParam = Request.QueryString("id")
End If
%>
<%
Dim rsUsers
Dim rsUsers_numRows

Set rsUsers = Server.CreateObject("ADODB.Recordset")
rsUsers.ActiveConnection = MM_TheConnection_STRING
rsUsers.Source = "SELECT * FROM tblUsers WHERE id = " + Replace(rsUsers__MMColParam, "'", "''") + ""
rsUsers.CursorType = 0
rsUsers.CursorLocation = 2
rsUsers.LockType = 1
rsUsers.Open()

rsUsers_numRows = 0
%>
<SCRIPT RUNAT=SERVER LANGUAGE=VBSCRIPT>
function DoDateTime(str, nNamedFormat, nLCID)
dim strRet
dim nOldLCID

strRet = str
If (nLCID > -1) Then
oldLCID = Session.LCID
End If

On Error Resume Next

If (nLCID > -1) Then
Session.LCID = nLCID
End If

If ((nLCID < 0) Or (Session.LCID = nLCID)) Then
strRet = FormatDateTime(str, nNamedFormat)
End If

If (nLCID > -1) Then
Session.LCID = oldLCID
End If

DoDateTime = strRet
End Function
</SCRIPT>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; ch****t=iso-8859-1">
</head>
<body>
<%
Response.Write MM_updateStr
%>
<table width="68%" border="0" cellspacing="0" cellpadding="0" align="center">
<tr>
<td>
<table width="100%" cellspacing="0" cellpadding="0" class="mainblk">
<tr class="mainwht11">
<td colspan="9">  </td>
</tr>
</table>
</td>
</tr>
<tr>
<td valign="top" nowrap> <b class="mainblk11"> <img src="../images/spacer.gif" width="4" height="1"><%=(rsUsers.Fields.Item("AdminContactFn").Value)%><img src="../images/spacer.gif" width="1" height="1">
welcome test</b></td>
</tr>
</table>
</body>
</html>
<%
rsUsers.Close()
Set rsUsers = Nothing
%>
ASKER CERTIFIED SOLUTION
Avatar of TreyH
TreyH
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Pye
Pye

ASKER

Hmmm..but I will estimate many people logging in. Using a session variable will degrade the memory on the server, is there another way?
Avatar of Pye

ASKER

Oh and I don't really want to use cookies.
Avatar of Pye

ASKER

Guess I really don't have a choice. How does Experts Exchange do it?

TreyH can you put this code so it works, as you would use it so I can at least get it working (and see the code). :-)

Thanks for your help so far.

Cheers.





Here is some "crude" code that might get you started. I use something similar, but I deal mainly with web database applications that total users at one time would be around 50. Using a couple of small session variables that are strings or numbers doesn't seem to impact performance much. It's when you start getting carried away with them such as storing large arrays, recordsets ect...

Also keep in mind that the end user must accept "Session Cookies" for session variables to work at all. Otherwise a new session id is assigned each time a page is hit.

Sorry for crudeness, didn't have much time and figured you were needing a quick answer.

<%@ LANGUAGE="VBSCRIPT" %>
<% OPTION EXPLICIT %>
<%
Dim action, username, password, hidden
action = Trim(Request.QueryString("action") & "")
username = Trim(Request.Form("UserName") & "")
password = Trim(Request.form("Password") & "")
hidden = Trim(Request.Form("Hidden") & "")

%>
<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>New Page </title>
</head>

<body>
<%If Session("Authenticated") <> "YES" And action = "" Then%>

<p>Use &quot;test&quot; for UserName and &quot;test&quot; for Password.</p>

<form method="POST" action="default.asp?action=login">
  <p><input type="text" name="UserName" size="20"><input type="password" name="Password"
  size="20"><input type="submit" value="Submit" name="B1"><input type="reset" value="Reset"
  name="B2"></p>
</form>
<%
Else
Select Case action
     Case "logoff"
          Session("Authenticated") = ""
          Session("Username") = ""
          Response.write "You are now logged off." & "<br>UserName:" & username
          Response.write "<p><a href=Default.asp>Back To Login Page</a></p>"
         
     Case "login"
          'Do your database lookup to match username and password here.
          'For this simple example I simply used an If/Then
          If username = "test" And password = "test" Then
               Session("Authenticated") = "YES"
               Session("Username") = username     ''Or you can use your userid here
               Response.write "You are now authenticated." & "<br>UserName:" & username & "<br>Session Name:" & Session("Username")
               Response.write "<p><a href=Default.asp?action=logoff>Log Off</a></p>"
          Else
               Session("Authenticated") = ""
               Session("Username") = ""
               Response.write "Login Failed For:" & "<br>UserName:" & username
               Response.write "<p><a href=Default.asp>Back To Login Page</a></p>"
          End If
     
     
End Select
%>
<%End If%>
</body>
</html>
Avatar of Pye

ASKER

Hey, thanks Trey.

I'll give this a try.

Really appreciate you taking the time.

P.
Avatar of Pye

ASKER

Hey, thanks Trey.

I'll give this a try.

Really appreciate you taking the time.

P.
Avatar of Pye

ASKER

Thanks, I eventually came out of my coma and realised what I was doing wrong.