Pye
asked on
Login: UserName, Password and PIN.....hmmm...hairloss.
Hello, hope I'm in the right area for this question.
I have a Login page using 3 pieces of info: User Name, Password and PIN. This goes to a success page (coming off a MYSQL Db). The problem is when you successfully log in, the address bar shows:
http://www.thesiteaddress.com/admin~/index_t.asp?id=3
Unfortunately anyone can change the id=3 to id=4 or 5, 6, etc. and access other people's details. I can't find a solution to prevent this.
I would prefer to have done this all in Dreamweaver MX without separate coding.
I've been giving myself headaches trying to secure this login! If anyone can help I'd appreciate it. The code is below. Cheers Guys & Gals.
PS. Does anyone know a good AutoResponder script that different people can use from the same site? Logging in for their personalised Autorespond page and managing their own emails. Preferably using MYSQL Db. I'm using Linux.
-----------------The Login Page
<%@LANGUAGE="VBSCRIPT"%>
<%
'/////login////
response.buffer = true
If request("id") = "verify" then
set dbConn = Server.CreateObject("ADODB.Connection")
dbConn.ConnectionString = "DSN=TheDSN"
dbConn.Open
set rs = Server.CreateObject("ADODB.Recordset")
SQL = "SELECT * FROM tblUsers WHERE UserName = '" & request("username") & "' AND Password = '" & request("Password") & "' AND PinNumber = '" & request("PinNumber") & "'"
set rs = dbConn.Execute(SQL)
If not rs.eof then
While not rs.EOF
group = rs("AccessGroup")
'response.write("group:" & group)
userid = rs("id")
'response.write("userid: " & userid)
rs.movenext
wend
If group = "Paid" then
session("Loggedin")=True
session("id")=userid
'redir = "admin~/index_t.asp
'response.write(redir)
'response.end
response.redirect("admin~/index_t.asp?id=" & userid)
ElseIf group = "NotPaid" then
session("oldloggedin")=True
session("id")=userid
'redir = "notavailable_cust.asp
'response.write(redir)
'response.end
response.redirect("notavailable_cust?id=" & userid)
End If
Else
'/////// redirect page if no match found in database///////
response.redirect("index_ie.asp?id=error")
End If
End If
%>
<SCRIPT runat=SERVER language=VBSCRIPT>
function DoDateTime(str, nNamedFormat, nLCID)
dim strRet
dim nOldLCID
strRet = str
If (nLCID > -1) Then
oldLCID = Session.LCID
End If
On Error Resume Next
If (nLCID > -1) Then
Session.LCID = nLCID
End If
If ((nLCID < 0) Or (Session.LCID = nLCID)) Then
strRet = FormatDateTime(str, nNamedFormat)
End If
If (nLCID > -1) Then
Session.LCID = oldLCID
End If
DoDateTime = strRet
End Function
</SCRIPT>
<HTML>
<HEAD>
<TITLE></TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1126" name=GENERATOR>
</HEAD>
<BODY bgcolor=#ffffff leftmargin=0 topmargin=0>
<TABLE cellspacing=0 cellpadding=0 width="100%" border=0>
<TBODY>
<TR valign="top">
<TD height="453">
<TABLE cellspacing=0 cellpadding=0 width="100%"
border=0>
<TBODY>
<TR>
<TD valign=middle colspan=3>
<TABLE width="740" border=0 align=left cellpadding=0 cellspacing=0>
<TBODY>
<TR>
<TD width="575" valign="top">
<TABLE width="100%" border=0 cellpadding=0 cellspacing=0>
<TBODY>
<TR>
<TD width="508" valign="top"><!-- ======================= form beginning ========================== //--> <%
if request("id") = "error" then
vartext = "Wrong, please check and try again."
End If
%>
<form name="Login" method="post" action="index_t.asp?id=verify" class="normal"> <form name="Login" method="post" action="/admin~/index_t.asp" class="normal">
<table border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#99CC66">
<tr>
<td height="18" colspan="2" valign="baseline" class="mainred"><%=vartext %></td>
</tr>
<tr>
<td height="32" colspan="2"><span
class=mainwht11><b><span class=mainblk><span
class=maindrkgrey><span class=mainwht11>Member Area:</span></span></span> </b></span> <span
class=mainwht11><b><span class=mainblk></span></b></span></td>
</tr>
<tr>
<td width="106" class="mainwht">User Name</td>
<td width="140"><input class=mainblk maxlength=128
name=UserName size="20">
</td>
</tr>
<tr>
<td class="mainwht">Password</td>
<td width="140"><input class=mainblk type=password
maxlength=20 name=Password size="20">
</td>
</tr>
<tr>
<td class="mainwht">Pin</td>
<td width="140"><input class=mainblk type=password
maxlength=20 name=PinNumber size="20">
</td>
</tr>
<tr>
<td height="28"> </td>
<td width="140"> <input class=maindrkgrey type=submit value="Log In" name=submit>
</td>
</tr>
</table>
</form>
</TD>
</TR>
</TBODY>
</TABLE>
</TD>
</TR>
</TBODY>
</TABLE>
</TD>
<TD valign=top width=482> </TD>
<TD width=165> </TD>
</TR>
</TBODY>
</TABLE>
</TD>
</TR>
</TBODY>
</TABLE>
</BODY>
</HTML>
-----------------The Success Page
<%@LANGUAGE="VBSCRIPT"%>
<!--#include virtual="/Connections/whatever.asp"-->
<%
response.buffer = true
If request("id") = "verify" then
set dbConn = Server.CreateObject("ADODB.Connection")
dbConn.ConnectionString = "DSN=theDSN"
dbConn.Open
set rs = Server.CreateObject("ADODB.Recordset")
SQL = "SELECT * FROM tblUsers WHERE UserName = '" & request("username") & "' AND Password = '" & request("Password") & "' AND PinNumber = '" & request("PinNumber") & "'"
set rs = dbConn.Execute(SQL)
If not rs.eof then
While not rs.EOF
group = rs("AccessGroup")
'response.write("group:" & group)
userid = rs("id")
'response.write("userid: " & userid)
rs.movenext
wend
If group = "Paid" then
session("Loggedin")=True
session("id")=userid
'redir = "admin~/index_t.asp
'response.write(redir)
'response.end
response.redirect("loggedin?id=" & userid)
ElseIf group = "NotPaid" then
session("oldloggedin")=True
session("id")=userid
'redir = "notavailable_cust.asp
'response.write(redir)
'response.end
response.redirect("notavailable_cust?id=" & userid)
End If
Else
'/////// redirect page if no match found in database///////
response.redirect("../sorrylogin.asp?id=error")
End If
End If
%>
<%
set dbConn = Server.CreateObject("ADODB.Connection")
dbConn.ConnectionString = "DSN=TheDSN"
dbConn.Open
if not session("Loggedin") then
response.redirect("../loggedout.asp")
End If
id=Session("id")
set rs= Server.CreateObject("ADODB.RecordSet")
SQL = "SELECT * from tblUsers where id=" & id
set rs = dbConn.Execute(SQL)
While not rs.EOF
rs.movenext
wend
dbconn.close
%>
<%
Dim rsUsers__MMColParam
rsUsers__MMColParam = "1"
If (Request.QueryString("id") <> "") Then
rsUsers__MMColParam = Request.QueryString("id")
End If
%>
<%
Dim rsUsers
Dim rsUsers_numRows
Set rsUsers = Server.CreateObject("ADODB.Recordset")
rsUsers.ActiveConnection = MM_TheConnection_STRING
rsUsers.Source = "SELECT * FROM tblUsers WHERE id = " + Replace(rsUsers__MMColParam, "'", "''") + ""
rsUsers.CursorType = 0
rsUsers.CursorLocation = 2
rsUsers.LockType = 1
rsUsers.Open()
rsUsers_numRows = 0
%>
<SCRIPT RUNAT=SERVER LANGUAGE=VBSCRIPT>
function DoDateTime(str, nNamedFormat, nLCID)
dim strRet
dim nOldLCID
strRet = str
If (nLCID > -1) Then
oldLCID = Session.LCID
End If
On Error Resume Next
If (nLCID > -1) Then
Session.LCID = nLCID
End If
If ((nLCID < 0) Or (Session.LCID = nLCID)) Then
strRet = FormatDateTime(str, nNamedFormat)
End If
If (nLCID > -1) Then
Session.LCID = oldLCID
End If
DoDateTime = strRet
End Function
</SCRIPT>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<%
Response.Write MM_updateStr
%>
<table width="68%" border="0" cellspacing="0" cellpadding="0" align="center">
<tr>
<td>
<table width="100%" cellspacing="0" cellpadding="0" class="mainblk">
<tr class="mainwht11">
<td colspan="9"> </td>
</tr>
</table>
</td>
</tr>
<tr>
<td valign="top" nowrap> <b class="mainblk11"> <img src="../images/spacer.gif" width="4" height="1"><%=(rsUsers.Fields.Item("AdminContactFn").Value)%><img src="../images/spacer.gif" width="1" height="1">
welcome test</b></td>
</tr>
</table>
</body>
</html>
<%
rsUsers.Close()
Set rsUsers = Nothing
%>
ASKER
Oh and I don't really want to use cookies.
ASKER
Guess I really don't have a choice. How does Experts Exchange do it?
TreyH can you put this code so it works, as you would use it so I can at least get it working (and see the code). :-)
Thanks for your help so far.
Cheers.
Here is some "crude" code that might get you started. I use something similar, but I deal mainly with web database applications where the total users at one time would be around 50. Using a couple of small session variables that are strings or numbers doesn't seem to impact performance much. It's when you start getting carried away with them, such as storing large arrays, recordsets etc...
Also keep in mind that the end user must accept "Session Cookies" for session variables to work at all. Otherwise a new session id is assigned each time a page is hit.
Sorry for crudeness, didn't have much time and figured you were needing a quick answer.
<%@ LANGUAGE="VBSCRIPT" %>
<% OPTION EXPLICIT %>
<%
Dim action, username, password, hidden
action = Trim(Request.QueryString("action") & "")
username = Trim(Request.Form("UserName") & "")
password = Trim(Request.form("Password") & "")
hidden = Trim(Request.Form("Hidden") & "")
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>New Page </title>
</head>
<body>
<%If Session("Authenticated") <> "YES" And action = "" Then%>
<p>Use "test" for UserName and "test" for Password.</p>
<form method="POST" action="default.asp?action=login">
<p><input type="text" name="UserName" size="20"><input type="password" name="Password"
size="20"><input type="submit" value="Submit" name="B1"><input type="reset" value="Reset"
name="B2"></p>
</form>
<%
Else
Select Case action
Case "logoff"
Session("Authenticated") = ""
Session("Username") = ""
Response.write "You are now logged off." & "<br>UserName:" & username
Response.write "<p><a href=Default.asp>Back To Login Page</a></p>"
Case "login"
'Do your database lookup to match username and password here.
'For this simple example I simply used an If/Then
If username = "test" And password = "test" Then
Session("Authenticated") = "YES"
Session("Username") = username ''Or you can use your userid here
Response.write "You are now authenticated." & "<br>UserName:" & username & "<br>Session Name:" & Session("Username")
Response.write "<p><a href=Default.asp?action=logoff>Log Off</a></p>"
Else
Session("Authenticated") = ""
Session("Username") = ""
Response.write "Login Failed For:" & "<br>UserName:" & username
Response.write "<p><a href=Default.asp>Back To Login Page</a></p>"
End If
End Select
%>
<%End If%>
</body>
</html>
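Applying TreyH's session approach to the asker's success page, as an added example (not code from either of them): the row to display is chosen only by the Session("id") that the login page stored, and the id in the query string is never read, so editing the address bar cannot select another user's record. It keeps the posted tblUsers / AdminContactFn / DSN=TheDSN names; logoff.asp is an assumed page name.

```vbscript
<%@ LANGUAGE="VBSCRIPT" %>
<% Option Explicit %>
<%
' Success page, added example: the user id comes only from the session that
' was populated at login. Request("id") is deliberately never consulted.
Response.Buffer = True

' Not logged in (or session expired): Response.Redirect ends the script here.
If Session("Loggedin") <> True Then
    Response.Redirect "../loggedout.asp"
End If

Dim userId
userId = Session("id")
' A session without a numeric id is treated as not logged in.
If Not IsNumeric(userId) Then
    Session.Abandon
    Response.Redirect "../loggedout.asp"
End If

Dim dbConn, cmd, rsUsers
Set dbConn = Server.CreateObject("ADODB.Connection")
dbConn.ConnectionString = "DSN=TheDSN"
dbConn.Open

' Parameterised lookup: the id is bound as an integer, not concatenated into
' the SQL text. 3 = adInteger, 1 = adParamInput (constants from adovbs.inc).
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = dbConn
cmd.CommandText = "SELECT AdminContactFn FROM tblUsers WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(userId))
Set rsUsers = cmd.Execute

' The row may be gone if the account was deleted after login.
If rsUsers.EOF Then
    rsUsers.Close
    dbConn.Close
    Session.Abandon
    Response.Redirect "../loggedout.asp"
End If
%>
<html>
<head><title>Member area</title></head>
<body>
<p>Welcome <%= Server.HTMLEncode(rsUsers("AdminContactFn") & "") %></p>
<p><a href="logoff.asp">Log off</a></p>   <!-- logoff.asp is an assumed page -->
</body>
</html>
<%
rsUsers.Close
Set rsUsers = Nothing
dbConn.Close
Set dbConn = Nothing
%>
```

The login page still sets Session("Loggedin") and Session("id") exactly as the posted code does; the redirect after login can simply drop the ?id= part since nothing reads it any more.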
ASKER
Hey, thanks Trey.
I'll give this a try.
Really appreciate you taking the time.
P.
ASKER
Thanks, I eventually came out of my coma and realised what I was doing wrong.