  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 417

I need a ServerVariables("HTTP_REFERER") login script

I have three asp pages:

Search.asp
Add_Topic.asp
Login.asp

On Search.asp, when you click the "AddTopic" button, you are taken to the Add_Topic.asp page.

At the top of the Add_Topic.asp page is a login check that looks for the existence of a session variable:

if Session("pass") <> "ok" then
response.redirect("login.asp")
else %>

Now Session("pass") is only written from the Login.asp page. So coming from Search.asp, there is no existence of the variable and so the browser is redirected to Login.asp.

Upon entering Login.asp, a new session variable captures the URL of the referring page, Add_Topic.asp, for later reference:

If (Request.Form("pass")) <> "yes" then
Session("lastpage") = Request.ServerVariables("HTTP_REFERER")

After self-posting, if Login.asp then receives the correct password (yes) it goes to the Else statement which writes:

Else  
Session("pass") = "ok"
Response.Redirect("" & Session("lastpage") & "")
End If

The idea is that the page should be redirected to Add_Topic.asp. Instead, it goes back to the Search.asp page.

How do I fix this?

0
teelions
Asked:
 
mberumenCommented:
You might want to try displaying http_referrer on each page to see which values are being posted.

Perhaps when you are posting Login.asp to itself with the username and password a value is being left out.


how about explicitly setting session("lastpage") in each of your pages? (except for login.asp)

session("lastpage")="Add_topic.asp"




0
 
newknewCommented:
In your code:

If (Request.Form("pass")) <> "yes" then
Session("lastpage") = Request.ServerVariables("HTTP_REFERER")

I think '<>' should be '='.  The way it is now, you are setting the redirect when the WRONG password is entered.

Therefore, when the CORRECT password is entered, your Else statement is executed.  The target has not been set so the redirect goes to the last set instance of session("lastpage") which must be "search.asp" from a previous login.

tim
0
 
teelionsAuthor Commented:
To the first responder;

OK. I did what you suggested. I added this to the top of the Login page:

Dim lastpage
lastpage = Request.ServerVariables("HTTP_REFERER")

Response.Write(lastpage)
Response.End

then I clicked the Add_Topic link from Search.asp. The result was that Search.asp WAS written to the page. But how can that be?

So I tested again. This time from Add_Topic.asp, I took away this part:

if Session("pass") <> "ok" then
response.redirect("login.asp")
else %>

then clicked the Add_Topic link from Search.asp. It went straight to Add_Topic.asp. This shows that the link goes to Add_Topic then is redirected to Login. Then isn't Add_Topic the referrer? By the way, did I spell "HTTP_REFERER" incorrectly?

I cannot explicitly set session("lastpage") because there will be other pages within this app that will be accessing Login.asp. For instance, (for authenticity purposes) if page "X" is redirected to Login.asp, you would be referred back to page "X". And if page "N" is redirected to Login.asp, you would be referred back to page "N". Am I using the wrong server variable for my purpose?
----------------------------------------------------------
To the second responder:

(Request.Form("pass") is the login form on Login.asp. But I tried what you said and replaced the top script with this:

If (Request.Form("pass")) = "resin" then
Dim lastpage
lastpage = Request.ServerVariables("HTTP_REFERRER")
Response.Redirect(lastpage)
Else
'write login form...

The page response was:
Response object error 'ASP 0158 : 80004005'
Missing URL
/Ref_Lib/login.asp, line 15
A URL is required.


0
 
newknewCommented:
Well as long as this login page is posting to itself, I think there is going to be a problem... because ultimately the referrer is going to be the login page.

How about:

A) When we load the page.  Read the value of the Hidden form field (assigned below).  If it's empty then set it now.  - this will protect the redirect from getting re-written each time the login page loads.

strRedirectTarget = Request.Form("redirecttarget")
If strRedirectTarget = "" then
   strRedirectTarget = Request.ServerVariables("HTTP_REFERER")
End If

B) Begin the form as below.  I'm using "post" instead of "get" to protect the password and user name.  Using a hidden field to pass the redirect back to the page when it is re-loaded to check for correct password.

<form name="login_form" action="" method="post" >
   <input type="hidden" name="redirecttarget" value="<%=strRedirectTarget%>">

[put the rest of your form here]


C) Then change your code to read:

If (Request.Form("pass")) <> "yes" then
   Response.Write("You entered the wrong password")
Else  
   Session("pass") = "ok"
   Response.Redirect(strRedirectTarget)
End If

tim
0
 
mberumenCommented:
I experience the same behaviour,  the "add_topic.asp" page is not recognized as the referrer when you use response.redirect.  I guess that since the page is not processed it doesn't populate the server variables.

I was also unable to populate the http_referrer variable through JavaScript.

This DID NOT work either..

<SCRIPT>
<%if Session("pass") <> "ok" then

 response.write "window.location.href='logintest.asp?test=';"

end if%>
</SCRIPT>

Not sure if metatags would work either


0
 
newknewCommented:
teelions, in a quick test, the following code worked for me:


<%
strRedirectTarget = Request.Form("redirecttarget")
If strRedirectTarget = "" then
  strRedirectTarget = Request.ServerVariables("HTTP_REFERER")
End If

%>
<form name="login_form" action="" method="post" >
  <input type="hidden" name="redirecttarget" value="<%=strRedirectTarget%>">
  Enter Password:
  <input type="password" name="pass" value="">
</form>

<%
If (Request.Form("pass")) <> "yes" then
   'nothing
Else  
  Session("pass") = "ok"
  Response.Redirect(strRedirectTarget)
End If
%>
0
 
apolloisCommented:
Hi teelions,

I would not use Session variables to track the last requested page.  Use URL QueryString variables instead.  Something like this:


**** AddTopic.asp ****  OR any other page that requires logon.

============================================================
if Session("pass") <> "ok" then

     '--- GET THE PATH OF THE CURRENT PAGE AND PASS TO LOGIN.ASP ---

     strURLRedirect = "login.asp?URL=" & Request.ServerVariables("PATH_INFO")
     response.redirect strURLRedirect

else %>
===========================================================


******** Login.asp ********

======================================
If (Request.Form("pass")) <> "yes" then

     'After self-posting, if Login.asp then receives the correct
     'password (yes) it goes to the Else statement which writes:

Else  
     Session("pass") = "ok"
     strURL = Request.QueryString("URL")
     Response.Redirect strURL
End If

======================================

Best Regards,
apollois
0
 
teelionsAuthor Commented:
I get this error msg with Response.Redirect strURL:

Response object error 'ASP 0158 : 80004005'
Missing URL
login.asp, line 54
A URL is required.

Is there no generic login script which will simply send back to the referer?
0
 
apolloisCommented:
teelions,
>>>I get this error msg with Response.Redirect strURL:

That means that the querystring is empty.  Please post your code for each page.

Best Regards,
apollois
0
 
iozturkCommented:
try
Response.Redirect(Session("lastpage"))
0
 
WakieCommented:
Hi teelions, you may also like to give this a shot:

<script language="javascript">
<!--
function goRefer(Dest)     {
     location = Dest + '?refer=' + location;
     }
//-->
</script>

<a href="javascript:goRefer('http://www.yourserver.com/yourscript.asp')">Home Page</a>

Then simply do this:

<%
Refer = Request.ServerVariables("HTTP_REFERER")
If len(Refer) = 0 Then
     Refer = Request.QueryString("Refer")
End If
Session("Refer") = Refer
%>

Regards,
Wakie.
0
 
teelionsAuthor Commented:
Here's the code:

SEARCH.ASP

<a href="Add_Topic.asp">Add Topic</a>
---------------------------------------------------
ADD_TOPIC.ASP

<%  
'check for login
if Session("pass") <> "ok" then
response.redirect("login.asp")
else %>

<HTML>
<BODY>

<form>...
<INPUT>
<SUBMIT>
</form>

</BODY>
</HTML>
--------------------------------------------------
LOGIN.ASP



<%
If (Request.Form("pass")) <> "yes" then
Session("lastpage")=Request.ServerVariables("HTTP_REFERER")
%>

<html>
<body>

<form method="post">
 <p>Password: <input type="password" name="pass" size="10"> <!-- value="yes"-->

            <p><input type="submit" value="Submit">
</form>
</body>
</html>
<%
ElseIf (Request.Form("pass")) <> "yes" then
Response.Write "<H2>HTTP Error 401</H2><P><STRONG>401.1 Unauthorized: Logon Failed</STRONG></P><P>This error indicates that the credentials passed to the server do not match the credentials required to log on to the server.</P>"
     
     Response.End

Else
Session("pass") = "ok"
Response.Redirect("" & Session("lastpage") & "")

  End If %>
0
 
teelionsAuthor Commented:
WOW! Did everybody give up already??
0
 
apolloisCommented:
teelions,

>>>WOW! Did everybody give up already??

Of course not! <bg>

Did you try the code I posted?
If you got any errors, or unexpected results, then output some debug info like:

Response.write "<BR>PathInfo: " & Request.ServerVariables("PATH_INFO") & "<BR>"

Output the data you are getting from the user and from the QueryString.
Post this data.

Best Regards,
>apollois<
0
 
newknewCommented:
HTTP_REFERER will not accurately read the referer when the navigation is a result of a redirect (my mistake :\).  It does, however, work correctly if the navigation is a result of the user clicking a link on the referer page.

The solution is to send the URL in the querystring (this is the way I do the login on my own site).  Teelions, I tested this code in two pages and it WORKS.  If it doesn't work for you then let me know exactly what the error or behavior is.

---------------------------------------------
add_topic.asp
--------------------------------------------
<%if Session("pass") <> "ok" then
     strRedirectTargetURL = Server.URLEncode(Request.ServerVariables("URL"))
     strRedirectTargetQueryString = Server.URLEncode(Request.ServerVariables("QUERY_STRING"))
     Response.Redirect("login.asp?RedirectTargetURL=" & strRedirectTargetURL & "&RedirectTargetQueryString=" & strRedirectTargetQuerystring)
else %>
We are already logged in.
<%end if%>

--------------------------------------------
login.asp
---------------------------------------------
<%
strRedirectTarget = Request.Form("redirecttarget")
If strRedirectTarget = "" then
     strRedirectTargetURL = Request.QueryString("RedirectTargetURL")
     strRedirectTargetQueryString = Request.QueryString("RedirectTargetQueryString")
End If
strFormAction = "login.asp?RedirectTargetURL=" & Server.URLEncode(strRedirectTargetURL) & "&RedirectTargetQueryString=" & Server.URLEncode(strRedirectTargetQuerystring)
%>

<form name="login_form" action="<%=strFormAction%>" method="post" >
     Enter Password:
     <input type="password" name="pass" value="">
</form>

<%
If (Request.Form("pass")) <> "yes" then
     'nothing
Else  
     Session("pass") = "ok"
     Response.Redirect(strRedirectTargetURL & "?" & strRedirectTargetQueryString)
End If
%>
0
 
newknewCommented:
Sorry, I left some remnants of some previous testing.  The code still works fine, but the top portion of login.asp should be re-worked to look like:

--------------------------------------------
login.asp
---------------------------------------------
<%
strRedirectTargetURL = Request.QueryString("RedirectTargetURL")
strRedirectTargetQueryString = Request.QueryString("RedirectTargetQueryString")
strFormAction = "login.asp?RedirectTargetURL=" & Server.URLEncode(strRedirectTargetURL) & "&RedirectTargetQueryString=" & Server.URLEncode(strRedirectTargetQuerystring)
%>

<form name="login_form" action="<%=strFormAction%>" method="post" >
     Enter Password:
     <input type="password" name="pass" value="">
</form>

<%
If (Request.Form("pass")) <> "yes" then
     'nothing
Else  
     Session("pass") = "ok"
     Response.Redirect(strRedirectTargetURL & "?" & strRedirectTargetQueryString)
End If
%>
0
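A hardened variant of the login.asp above, as an added example that is not part of the original thread: the redirect target arrives in the query string, so it is checked to be a root-relative path on the same site before Response.Redirect is called, and the form action is HTML-encoded on output. IsLocalPath, HasControlChars and DEFAULT_PAGE are hypothetical names, and the choice of Search.asp as the fallback page is an assumption.

```vbscript
<%
Option Explicit
Const DEFAULT_PAGE = "Search.asp"   ' assumption: landing page when the target is rejected
' True if s contains a control character (CR and LF included).
Function HasControlChars(ByVal s)
    Dim i, c
    HasControlChars = False
    For i = 1 To Len(s)
        c = AscW(Mid(s, i, 1))
        If c >= 0 And c < 32 Then
            HasControlChars = True
            Exit Function
        End If
    Next
End Function

' True only for a root-relative path on this site, e.g. "/Ref_Lib/Add_Topic.asp".
Function IsLocalPath(ByVal p)
    IsLocalPath = False
    If Len(p) = 0 Or Len(p) > 512 Then Exit Function
    If Left(p, 1) <> "/" Or Left(p, 2) = "//" Then Exit Function   ' "//host" is another host
    If InStr(p, "\") > 0 Or InStr(p, ":") > 0 Then Exit Function   ' no "/\host", no scheme
    If InStr(p, "?") > 0 Or HasControlChars(p) Then Exit Function  ' query string is passed separately
    IsLocalPath = True
End Function

Dim strRedirectTargetURL, strRedirectTargetQueryString, strTarget, strFormAction
strRedirectTargetURL = Request.QueryString("RedirectTargetURL") & ""
strRedirectTargetQueryString = Request.QueryString("RedirectTargetQueryString") & ""

If IsLocalPath(strRedirectTargetURL) And Not HasControlChars(strRedirectTargetQueryString) Then
    strTarget = strRedirectTargetURL
    If Len(strRedirectTargetQueryString) > 0 Then strTarget = strTarget & "?" & strRedirectTargetQueryString
Else
    strTarget = DEFAULT_PAGE
    strRedirectTargetURL = ""
    strRedirectTargetQueryString = ""
End If

If Request.Form("pass") = "yes" Then   ' password check unchanged from the thread
    Session("pass") = "ok"
    Response.Redirect strTarget
End If
strFormAction = "login.asp?RedirectTargetURL=" & Server.URLEncode(strRedirectTargetURL) & _
    "&RedirectTargetQueryString=" & Server.URLEncode(strRedirectTargetQueryString)
%>
<form name="login_form" action="<%=Server.HTMLEncode(strFormAction)%>" method="post">
    Enter Password: <input type="password" name="pass" value="">
</form>
```

Because the redirect is issued before any HTML is written, this version does not depend on response buffering being enabled.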
 
teelionsAuthor Commented:
newknew YES! This works! Thanks very much for your help. Now I can go on with my project. Thanks for everyone that lent a hand.
0