Solved

Login: UserName, Password and PIN.....hmmm...hairloss.

Posted on 2003-02-22
Last Modified: 2010-04-17
Hello, hope I'm in the right area for this question.

I have a Login page using 3 pieces of info: User Name, Password and PIN. This goes to a success page (coming off a MYSQL Db). The problem is when you successfully log in, the address bar shows:

http://www.thesiteaddress.com/admin~/index_t.asp?id=3

Unfortunately anyone can change the id=3 to id=4 or 5, 6, etc. and access other peoples details. I can't find a solution to prevent this.

I would prefer to have done this all in Dreamweaver MX without separate coding.

I've been giving myself headaches trying to secure this login! If anyone can help I'd appreciate it. The code is below. Cheers Guys & Gals.

PS. Does anyone know a good AutoResponder script that different people can use from the same site, logging in to their personalised Autorespond page and managing their own emails? Preferably using MYSQL Db. I'm using Linux.



-----------------The Login Page

<%@LANGUAGE="VBSCRIPT"%>

<%

'/////login////

response.buffer = true


If request("id") = "verify" then

set dbConn = Server.CreateObject("ADODB.Connection")

dbConn.ConnectionString = "DSN=TheDSN"

dbConn.Open


set rs = Server.CreateObject("ADODB.Recordset")

SQL = "SELECT * FROM tblUsers WHERE UserName = '" & request("username") & "' AND Password = '" & request("Password") & "' AND PinNumber = '" & request("PinNumber") & "'"

set rs = dbConn.Execute(SQL)


If not rs.eof then

While not rs.EOF

group = rs("AccessGroup")

'response.write("group:" & group)

userid = rs("id")

'response.write("userid: " & userid)

rs.movenext

wend

If group = "Paid" then

session("Loggedin")=True
session("id")=userid

'redir = "admin~/index_t.asp

'response.write(redir)

'response.end

response.redirect("admin~/index_t.asp?id=" & userid)

ElseIf group = "NotPaid" then

session("oldloggedin")=True
session("id")=userid

'redir = "notavailable_cust.asp

'response.write(redir)

'response.end

response.redirect("notavailable_cust?id=" & userid)

End If

Else

'/////// redirect page if no match found in database///////

response.redirect("index_ie.asp?id=error")

End If

End If


%>



<SCRIPT runat=SERVER language=VBSCRIPT>
function DoDateTime(str, nNamedFormat, nLCID)
dim strRet
dim nOldLCID

strRet = str
If (nLCID > -1) Then
nOldLCID = Session.LCID
End If

On Error Resume Next

If (nLCID > -1) Then
Session.LCID = nLCID
End If

If ((nLCID < 0) Or (Session.LCID = nLCID)) Then
strRet = FormatDateTime(str, nNamedFormat)
End If

If (nLCID > -1) Then
Session.LCID = nOldLCID
End If

DoDateTime = strRet
End Function
</SCRIPT>
<HTML>
<HEAD>
<TITLE></TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1126" name=GENERATOR>
</HEAD>
<BODY bgcolor=#ffffff leftmargin=0 topmargin=0>
<TABLE cellspacing=0 cellpadding=0 width="100%" border=0>
<TBODY>
<TR valign="top">
<TD height="453">
<TABLE cellspacing=0 cellpadding=0 width="100%"
border=0>
<TBODY>
<TR>
<TD valign=middle colspan=3>
<TABLE width="740" border=0 align=left cellpadding=0 cellspacing=0>
<TBODY>
<TR>
<TD width="575" valign="top">
<TABLE width="100%" border=0 cellpadding=0 cellspacing=0>
<TBODY>
<TR>
<TD width="508" valign="top"><!-- ======================= form beginning ==========================//--> <%

if request("id") = "error" then

vartext = "Wrong, please check and try again."

End If

%>
<form name="Login" method="post" action="index_t.asp?id=verify" class="normal">

<table border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#99CC66">
<tr>
<td height="18" colspan="2" valign="baseline" class="mainred"><%=vartext%></td>
</tr>
<tr>
<td height="32" colspan="2"><span
class=mainwht11><b><span class=mainblk><span
class=maindrkgrey><span class=mainwht11>Member Area:</span></span></span></b></span> <span
class=mainwht11><b><span class=mainblk></span></b></span></td>
</tr>
<tr>
<td width="106" class="mainwht">User Name</td>
<td width="140"><input class=mainblk maxlength=128
name=UserName size="20">
</td>
</tr>
<tr>
<td class="mainwht">Password</td>
<td width="140"><input class=mainblk type=password
maxlength=20 name=Password size="20">
</td>
</tr>
<tr>
<td class="mainwht">Pin</td>
<td width="140"><input class=mainblk type=password
maxlength=20 name=PinNumber size="20">
</td>
</tr>
<tr>
<td height="28"> </td>
<td width="140"> <input class=maindrkgrey type=submit value="Log In" name=submit>
</td>
</tr>
</table>
</form>
</TD>
</TR>
</TBODY>
</TABLE>
</TD>
</TR>
</TBODY>
</TABLE>
</TD>
<TD valign=top width=482>  </TD>
<TD width=165> </TD>
</TR>
</TBODY>
</TABLE>
</TD>
</TR>
</TBODY>
</TABLE>
</BODY>
</HTML>


-----------------The Success Page

<%@LANGUAGE="VBSCRIPT"%>
<!--#include virtual="/Connections/whatever.asp"-->

<%

response.buffer = true


If request("id") = "verify" then

set dbConn = Server.CreateObject("ADODB.Connection")

dbConn.ConnectionString = "DSN=theDSN"

dbConn.Open


set rs = Server.CreateObject("ADODB.Recordset")

SQL = "SELECT * FROM tblUsers WHERE UserName = '" & request("username") & "' AND Password = '" & request("Password") & "' AND PinNumber = '" & request("PinNumber") & "'"

set rs = dbConn.Execute(SQL)


If not rs.eof then

While not rs.EOF

group = rs("AccessGroup")

'response.write("group:" & group)

userid = rs("id")

'response.write("userid: " & userid)

rs.movenext

wend

If group = "Paid" then

session("Loggedin")=True
session("id")=userid

'redir = "admin~/index_t.asp

'response.write(redir)

'response.end

response.redirect("loggedin?id=" & userid)

ElseIf group = "NotPaid" then

session("oldloggedin")=True
session("id")=userid

'redir = "notavailable_cust.asp

'response.write(redir)

'response.end

response.redirect("notavailable_cust?id=" & userid)

End If

Else

'/////// redirect page if no match found in database///////

response.redirect("../sorrylogin.asp?id=error")

End If

End If


%>


<%


set dbConn = Server.CreateObject("ADODB.Connection")

dbConn.ConnectionString = "DSN=TheDSN"

dbConn.Open



if not session("Loggedin") then

response.redirect("../loggedout.asp")

End If

id=Session("id")

set rs= Server.CreateObject("ADODB.RecordSet")

SQL = "SELECT * from tblUsers where id=" & id

set rs = dbConn.Execute(SQL)


While not rs.EOF


rs.movenext

wend

dbconn.close

%>
<%
Dim rsUsers__MMColParam
rsUsers__MMColParam = "1"
If (Request.QueryString("id") <> "") Then
rsUsers__MMColParam = Request.QueryString("id")
End If
%>
<%
Dim rsUsers
Dim rsUsers_numRows

Set rsUsers = Server.CreateObject("ADODB.Recordset")
rsUsers.ActiveConnection = MM_TheConnection_STRING
rsUsers.Source = "SELECT * FROM tblUsers WHERE id = " + Replace(rsUsers__MMColParam, "'", "''") + ""
rsUsers.CursorType = 0
rsUsers.CursorLocation = 2
rsUsers.LockType = 1
rsUsers.Open()

rsUsers_numRows = 0
%>
<SCRIPT RUNAT=SERVER LANGUAGE=VBSCRIPT>
function DoDateTime(str, nNamedFormat, nLCID)
dim strRet
dim nOldLCID

strRet = str
If (nLCID > -1) Then
nOldLCID = Session.LCID
End If

On Error Resume Next

If (nLCID > -1) Then
Session.LCID = nLCID
End If

If ((nLCID < 0) Or (Session.LCID = nLCID)) Then
strRet = FormatDateTime(str, nNamedFormat)
End If

If (nLCID > -1) Then
Session.LCID = nOldLCID
End If

DoDateTime = strRet
End Function
</SCRIPT>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<%
Response.Write MM_updateStr
%>
<table width="68%" border="0" cellspacing="0" cellpadding="0" align="center">
<tr>
<td>
<table width="100%" cellspacing="0" cellpadding="0" class="mainblk">
<tr class="mainwht11">
<td colspan="9">  </td>
</tr>
</table>
</td>
</tr>
<tr>
<td valign="top" nowrap> <b class="mainblk11"> <img src="../images/spacer.gif" width="4" height="1"><%=(rsUsers.Fields.Item("AdminContactFn").Value)%><img src="../images/spacer.gif" width="1" height="1">
welcome test</b></td>
</tr>
</table>
</body>
</html>
<%
rsUsers.Close()
Set rsUsers = Nothing
%>
Question by:Pye

Accepted Solution

by:TreyH
Instead of using "request.querystring", post a form instead. When using "request.form" the data passed is not visible in the http request line. You could then use a
session variable to store the user id once they are authorized.

Author Comment

by:Pye
Hmmm..but I will estimate many people logging in. Using a session variable will degrade the memory on the server, is there another way?

Author Comment

by:Pye
Oh and I don't really want to use cookies.

Author Comment

by:Pye
Guess I really don't have a choice. How does Experts Exchange do it?

TreyH can you put this code so it works, as you would use it so I can at least get it working (and see the code). :-)

Thanks for your help so far.

Cheers.
Expert Comment

by:TreyH
Here is some "crude" code that might get you started. I use something similar, but I deal mainly with web database applications that total users at one time would be around 50. Using a couple of small session variables that are strings or numbers doesn't seem to impact performance much. It's when you start getting carried away with them such as storing large arrays, recordsets etc.

Also keep in mind that the end user must accept "Session Cookies" for session variables to work at all. Otherwise a new session id is assigned each time a page is hit.

Sorry for crudeness, didn't have much time and figured you were needing a quick answer.

<%@ LANGUAGE="VBSCRIPT" %>
<% OPTION EXPLICIT %>
<%
Dim action, username, password, hidden
action = Trim(Request.QueryString("action") & "")
username = Trim(Request.Form("UserName") & "")
password = Trim(Request.form("Password") & "")
hidden = Trim(Request.Form("Hidden") & "")

%>
<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>New Page </title>
</head>

<body>
<%If Session("Authenticated") <> "YES" And action = "" Then%>

<p>Use &quot;test&quot; for UserName and &quot;test&quot; for Password.</p>

<form method="POST" action="default.asp?action=login">
  <p><input type="text" name="UserName" size="20"><input type="password" name="Password"
  size="20"><input type="submit" value="Submit" name="B1"><input type="reset" value="Reset"
  name="B2"></p>
</form>
<%
Else
Select Case action
     Case "logoff"
          Session("Authenticated") = ""
          Session("Username") = ""
          Response.write "You are now logged off." & "<br>UserName:" & username
          Response.write "<p><a href=Default.asp>Back To Login Page</a></p>"
         
     Case "login"
          'Do your database lookup to match username and password here.
          'For this simple example I simply used an If/Then
          If username = "test" And password = "test" Then
               Session("Authenticated") = "YES"
               Session("Username") = username     ''Or you can use your userid here
               Response.write "You are now authenticated." & "<br>UserName:" & username & "<br>Session Name:" & Session("Username")
               Response.write "<p><a href=Default.asp?action=logoff>Log Off</a></p>"
          Else
               Session("Authenticated") = ""
               Session("Username") = ""
               Response.write "Login Failed For:" & "<br>UserName:" & username
               Response.write "<p><a href=Default.asp>Back To Login Page</a></p>"
          End If
     
     
End Select
%>
<%End If%>
</body>
</html>
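The flow TreyH describes in both of his comments above (authenticate once, keep the user id server-side in the session, and stop reading it from the query string), shown as an added example that is not part of the original thread. It is written in Python with sqlite3 standing in for the MySQL DSN and plain dicts standing in for ASP's Session, Request.Form and Request.QueryString, because the access-control logic is the same in any language; the function names, the three sample users and the pw-/PIN values are constructed for the example. `success_page_vulnerable` mirrors the success page's `rsUsers__MMColParam` lookup, which is why `?id=4` returns another member's record; `success_page_fixed` keys the lookup on the id stored at login, which the success page already puts in `Session("id")` and then ignores. The example also parameterises the login query: the thread never mentions it, but the page's `WHERE UserName = '" & request("username") & "'` concatenation is injectable. In classic ASP the equivalent is to read `Session("id")` instead of `Request.QueryString("id")` in the Dreamweaver recordset and to build the login SELECT with an `ADODB.Command` and `CreateParameter` rather than concatenating request values.

```python
"""Model of the thread's login / success-page flow: the IDOR and its fix.

Added example, not code from the original thread. sqlite3 replaces the
MySQL DSN; dicts replace Session, Request.Form and Request.QueryString.
Table and column names follow the thread (tblUsers, UserName, Password,
PinNumber, AccessGroup, AdminContactFn); everything else is assumed.
"""
import sqlite3

# Constructed sample data; ids 3 and 4 match the asker's ?id=3 / id=4 example.
USERS = [
    (3, "alice", "pw-a", "1111", "Paid", "Alice Admin"),
    (4, "bob", "pw-b", "2222", "Paid", "Bob Admin"),
    (5, "carol", "pw-c", "3333", "NotPaid", "Carol Admin"),
]


def make_db():
    """In-memory stand-in for the DSN-backed tblUsers table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tblUsers (id INTEGER PRIMARY KEY, UserName TEXT, "
        "Password TEXT, PinNumber TEXT, AccessGroup TEXT, AdminContactFn TEXT)"
    )
    db.executemany("INSERT INTO tblUsers VALUES (?, ?, ?, ?, ?, ?)", USERS)
    return db


def login(db, form):
    """index_t.asp?id=verify: authenticate the POSTed form, return a session.

    Parameterised, unlike the page's string concatenation, so a UserName of
    ' OR '1'='1 is compared literally instead of being interpreted as SQL.
    Returns None on no match (the page redirects to index_ie.asp?id=error).
    """
    row = db.execute(
        "SELECT id, AccessGroup FROM tblUsers "
        "WHERE UserName = ? AND Password = ? AND PinNumber = ?",
        (form.get("UserName", ""), form.get("Password", ""), form.get("PinNumber", "")),
    ).fetchone()
    if row is None:
        return None
    user_id, group = row
    # Only the numeric id and group live server-side, like Session("id");
    # the browser holds nothing but the session cookie.
    return {"Loggedin": group == "Paid", "id": user_id, "group": group}


def success_page_vulnerable(db, session, query):
    """The original admin~/index_t.asp: the record key comes from ?id=."""
    if not session or not session.get("Loggedin"):
        return None  # the page redirects to ../loggedout.asp
    col = query.get("id", "1")  # rsUsers__MMColParam defaults to "1"
    # Replace("'", "''") in the original buys nothing here: id is unquoted,
    # so the caller just supplies another number (or 4 OR 1=1).
    row = db.execute("SELECT AdminContactFn FROM tblUsers WHERE id = " + col).fetchone()
    return row[0] if row else None


def success_page_fixed(db, session, query):
    """Hardened: the key is the authenticated session's id, never request
    input. The query string is ignored entirely, so there is nothing to tamper."""
    if not session or not session.get("Loggedin"):
        return None
    row = db.execute(
        "SELECT AdminContactFn FROM tblUsers WHERE id = ?", (session["id"],)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    sess = login(db, {"UserName": "alice", "Password": "pw-a", "PinNumber": "1111"})
    print("own record:", success_page_vulnerable(db, sess, {"id": "3"}))
    print("?id=4 on vulnerable page:", success_page_vulnerable(db, sess, {"id": "4"}))
    print("?id=4 on fixed page:", success_page_fixed(db, sess, {"id": "4"}))
```

Run it to see alice's session pull Bob's record through the vulnerable page and her own through the fixed one. The same holds for the NotPaid branch: a session whose `Loggedin` is false gets nothing from either page, which is the check the success page's `if not session("Loggedin")` already performs.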

Author Comment

by:Pye
Hey, thanks Trey.

I'll give this a try.

Really appreciate you taking the time.

P.
Author Comment

by:Pye
Thanks, I eventually came out of my coma and realised what I was doing wrong.