?
Solved

I need a ServerVariables("HTTP_REFERER")  login script

Posted on 2003-03-10
18
Medium Priority
?
410 Views
Last Modified: 2007-12-19
I have three asp pages:

Search.asp
Add_Topic.asp
Login.asp

On Search.asp, when you click the "AddTopic" button, you are taken to the Add_Topic.asp page.

At the top of the of the Add_Topic.asp page is a login-check that looks for the existence a session variable:

if Session("pass") <> "ok" then
response.redirect("login.asp")
else %>

Now Session("pass") is only written from the Login.asp page. So coming from Search.asp, there is no existance of the variable and so the browser is redirected to Login.asp.

Upon entering Login.asp, a new session variable captures the URL of the referring page, Add_Topic.asp, for later reference:

If (Request.Form("pass")) <> "yes" then
Session("lastpage") = Request.ServerVariables("HTTP_REFERER")

After self-posting, if Login.asp then receives the correct password (yes) it goes to the Else statement which writes:

Else  
Session("pass") = "ok"
Response.Redirect("" & Session("lastpage") & "")
End If

The idea is that the page should be redirected to Add_Topic.asp. Instead, it goes back to the Search.asp page.

How do I fix this?

0
Comment
Question by:teelions
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 3
  • +3
18 Comments
 
LVL 4

Expert Comment

by:mberumen
ID: 8105468
You might want to try displaying http_referrer on each page to see which values are being posted.

Perhaps when you are posting Login.asp to itself with the username and password a value is being left out.


how about explicitly setting session("lastpage") in each of your pages? (except for login.asp)

session("lastpage")="Add_topic.asp"




0
 
LVL 1

Expert Comment

by:newknew
ID: 8105619
In you code:

If (Request.Form("pass")) <> "yes" then
Session("lastpage") = Request.ServerVariables("HTTP_REFERER")

I think '<>' should be '='.  The way it is now, you are setting the redirect when the WRONG password is entered.

Therefore, when the CORRECT password is entered, your Else statement is executed.  The target has not been set so the redirect goes to the last set instance of session("lastpage") which must be "search.asp" from a previous login.

tim
0
 

Author Comment

by:teelions
ID: 8105808
To the first responder;

OK. I did what you suggested. I added this to the top of the Login page:

Dim lastpage
lastpage = Request.ServerVariables("HTTP_REFERER")

Response.Write(lastpage)
Response.End

then I clicked the Add_Topic link from Search.asp. The result was that Search.asp WAS written to the page. But how can that be?

So I tested again. This time from Add_Topic.asp, I took away this part:

if Session("pass") <> "ok" then
response.redirect("login.asp")
else %>

then clicked the Add_Topic link from Search.asp. It went straight to Add_Topic.asp. This shows that the link goes to Add_Topic then is redirected to Login. Then isn't Add_Topic the referrer? By the way, did I spell "HTTP_REFERER" incorrectly?

I cannot explicitly set session("lastpage") because there will be other pages within this app that will be accessing Login.asp. For instance, (for authenticity purposes) if page "X" is redirected to Login.asp, you would be referred back to page "X". And if page "N" is redirected to Login.asp, you would be referred back to page "N". Am I using the wrong server variable for my purpose?
----------------------------------------------------------
To the second responder:

(Request.Form("pass") is the login form on Login.asp. But I tried what you said and replaced the top script with this:

If (Request.Form("pass")) = "resin" then
Dim lastpage
lastpage = Request.ServerVariables("HTTP_REFERRER")
Response.Redirect(lastpage)
Else
'write login form...

The page response was:
Response object error 'ASP 0158 : 80004005'
Missing URL
/Ref_Lib/login.asp, line 15
A URL is required.


0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 1

Expert Comment

by:newknew
ID: 8105911
Well as long as this login page is posting to itself, I think there is going to be a problem... because ultimately the referrer is going to be the login page.

How about:

A) When we load the page.  Read the value of the Hidden form field (assigned below).  If it's empty then set it now.  - this will protect the redirect from getting re-written each time the login page loads.

strRedirectTarget = Request.Form("redirecttarget")
If strRedirectTarget = "" then
   strRedirectTarget = Request.ServerVariables("HTTP_REFERER")
End If

B) Begin the form as below.  I'm using "post" instead of "get" to protect the password and user name.  Using a hidden field to pass the redirect back to the page when it is re-loaded to check for correct password.

<form name="login_form" action="" method="post" >
   <input type="hidden" name="redirecttarget" value="<%=strRedirectTarget%>">

[put the rest of your form here]


C) Then change your code to read:

If (Request.Form("pass")) <> "yes" then
   Response.Write("You entered the wrong password")
Else  
   Session("pass") = "ok"
   Response.Redirect(strRedirectTarget)
End If

tim
0
 
LVL 1

Expert Comment

by:newknew
ID: 8106084
Well as long as this login page is posting to itself, I think there is going to be a problem... because ultimately the referrer is going to be the login page.

How about:

A) When we load the page.  Read the value of the Hidden form field (assigned below).  If it's empty then set it now.  - this will protect the redirect from getting re-written each time the login page loads.

strRedirectTarget = Request.Form("redirecttarget")
If strRedirectTarget = "" then
   strRedirectTarget = Request.ServerVariables("HTTP_REFERER")
End If

B) Begin the form as below.  I'm using "post" instead of "get" to protect the password and user name.  Using a hidden field to pass the redirect back to the page when it is re-loaded to check for correct password.

<form name="login_form" action="" method="post" >
   <input type="hidden" name="redirecttarget" value="<%=strRedirectTarget%>">

[put the rest of your form here]


C) Then change your code to read:

If (Request.Form("pass")) <> "yes" then
   Response.Write("You entered the wrong password")
Else  
   Session("pass") = "ok"
   Response.Redirect(strRedirectTarget)
End If

tim
0
 
LVL 4

Expert Comment

by:mberumen
ID: 8106117
I experience the same behaviour,  the "add_topic.asp" page is not recognized as the referrer when you use response.redirect.  I guess that since the page is not processed it doesn't populate the server variables.

I was also unable to populate the http_referrer variable through Javascript .

This DID NOT work either..

<SCRIPT>
<%if Session("pass") <> "ok" then

 response.write "window.location.href='logintest.asp?test=';"

end if%>
</SCRIPT>

Not sure if metatags would work either


0
 
LVL 1

Expert Comment

by:newknew
ID: 8106178
teelions, in a quick test, the follow code worked for me:


<%
strRedirectTarget = Request.Form("redirecttarget")
If strRedirectTarget = "" then
  strRedirectTarget = Request.ServerVariables("HTTP_REFERER")
End If

%>
<form name="login_form" action="" method="post" >
  <input type="hidden" name="redirecttarget" value="<%=strRedirectTarget%>">
  Enter Password:
  <input type="password" name="pass" value="">
</form>

<%
If (Request.Form("pass")) <> "yes" then
   'nothing
Else  
  Session("pass") = "ok"
  Response.Redirect(strRedirectTarget)
End If
%>
0
 
LVL 10

Expert Comment

by:apollois
ID: 8106414
Hi teelions,

I would not use Session variables to track the last requested page.  Use URL QueryString variables instead.  Something like this:


**** AddTopic.asp ****  OR any other page that requires logon.

============================================================
if Session("pass") <> "ok" then

     '--- GET THE PATH OF THE CURRENT PAGE AND PASS TO LOGIN.ASP ---

     strURLRedirect = "login.asp?URL=" & Request.ServerVariables("PATH_INFO")
     response.redirect strURLRedirect

else %>
===========================================================


******** Login.asp ********

======================================
If (Request.Form("pass")) <> "yes" then

     'After self-posting, if Login.asp then receives the correct
     'password (yes) it goes to the Else statement which writes:

Else  
     Session("pass") = "ok"
     strURL = Request.QueryString("URL")
     Response.Redirect strURL
End If

======================================

Best Regards,
apollois
0
 

Author Comment

by:teelions
ID: 8106717
I get this error msg with Response.Redirect strURL:

Response object error 'ASP 0158 : 80004005'
Missing URL
login.asp, line 54
A URL is required.

Is there no generic login script which will simply send back to the referer?
0
 
LVL 10

Expert Comment

by:apollois
ID: 8106737
teelions,
>>>I get this error msg with Response.Redirect strURL:

That means that the querystring is empty.  Please post your code for each page.

Best Regards,
apollois
0
 
LVL 4

Expert Comment

by:iozturk
ID: 8106979
try
Response.Redirect(Session("lastpage"))
0
 
LVL 4

Expert Comment

by:Wakie
ID: 8108617
Hi teelions, you may also like to give this a shot:

<script language="javascript">
<!--
function goRefer(Dest)     {
     location = Dest + '?refer=' + location;
     }
//-->
</script>

<a href="javascript:goRefer('http://www.yourserver.com/yourscript.asp')">Home Page</a>

Then simply do this:

<%
Refer = Request.ServerVariables("HTTP_REFERER")
If len(Refer) = 0 Then
     Refer = Request.QueryString("Refer")
End If
Session("Refer") = Refer
%>

Regards,
Wakie.
0
 

Author Comment

by:teelions
ID: 8112415
Here's the code:

SEARCH.ASP

<a href="Add_Topic.asp">Add Topic</a>
---------------------------------------------------
ADD_TOPIC.ASP

<%  
'check for login
if Session("pass") <> "ok" then
response.redirect("login.asp")
else %>

<HTML>
<BODY>

<form>...
<INPUT>
<SUBMIT>
</form>

</BODY>
</HTML>
--------------------------------------------------
LOGIN.ASP



<%
If (Request.Form("pass")) <> "yes" then
Session("lastpage")=Request.ServerVariables"HTTP_REFERER")
%>

<html>
<body>

<form method="post">
 <p>Password: <input type="password" name="pass" size="10"> <!-- value="yes"-->

            <p><input type="submit" value="Submit">
</form>
</body>
</html>
<%
ElseIf (Request.Form("pass")) <> "yes" then
Response.Write "<H2>HTTP Error 401</H2><P><STRONG>401.1 Unauthorized: Logon Failed</STRONG></P><P>This error indicates that the credentials passed to the server do not match the credentials required to log on to the server.</P>"
     
     Response.End

Else
Session("pass") = "ok"
Response.Redirect("" & Session("lastpage") & "")

  End If %>
0
 

Author Comment

by:teelions
ID: 8114047
WOW! Did everybody give up already??
0
 
LVL 10

Expert Comment

by:apollois
ID: 8114110
teelions,

>>>WOW! Did everybody give up already??

Of course not! <bg>

Did you try the code I posted?
If you got any errors, or unexpected results, then output some debug info like:

Response.write "<BR>PathInfo: " & Request.ServerVariables("PATH_INFO") & "<BR>"

Output the data you are getting from the user and from the QueryString.
Post this data.

Best Regards,
>apollois<
0
 
LVL 1

Accepted Solution

by:
newknew earned 1000 total points
ID: 8114638
HTTP_REFERER will not accurately read the referer when the navigation is a result of a redirect (my mistake :\).  It does, however, work correctly if the navigation is a result of the user clicking a link on the referer page.

The solution is to send the URL in the querystring (this is the way I do the login on my own site).  Teelions, I tested this code in two pages and it WORKS.  If it doesn't work for you then let me know exactly what the error or behavior is.

---------------------------------------------
add_topic.asp
--------------------------------------------
<%if Session("pass") <> "ok" then
     strRedirectTargetURL = Server.URLEncode(Request.ServerVariables("URL"))
     strRedirectTargetQueryString = Server.URLEncode(Request.ServerVariables("QUERY_STRING"))
     Response.Redirect("login.asp?RedirectTargetURL=" & strRedirectTargetURL & "&RedirectTargetQueryString=" & strRedirectTargetQuerystring)
else %>
We are already logged in.
<%end if%>

--------------------------------------------
login.asp
---------------------------------------------
<%
strRedirectTarget = Request.Form("redirecttarget")
If strRedirectTarget = "" then
     strRedirectTargetURL = Request.QueryString("RedirectTargetURL")
     strRedirectTargetQueryString = Request.QueryString("RedirectTargetQueryString")
End If
strFormAction = "login.asp?RedirectTargetURL=" & Server.URLEncode(strRedirectTargetURL) & "&RedirectTargetQueryString=" & Server.URLEncode(strRedirectTargetQuerystring)
%>

<form name="login_form" action="<%=strFormAction%>" method="post" >
     Enter Password:
     <input type="password" name="pass" value="">
</form>

<%
If (Request.Form("pass")) <> "yes" then
     'nothing
Else  
     Session("pass") = "ok"
     Response.Redirect(strRedirectTargetURL & "?" & strRedirectTargetQueryString)
End If
%>
0
 
LVL 1

Expert Comment

by:newknew
ID: 8114681
Sorry, I left some remnants of some previous testing.  The code still works fine, but the top portion of login.asp should be re-worked to look like:

--------------------------------------------
login.asp
---------------------------------------------
<%
strRedirectTargetURL = Request.QueryString("RedirectTargetURL")
strRedirectTargetQueryString = Request.QueryString("RedirectTargetQueryString")
strFormAction = "login.asp?RedirectTargetURL=" & Server.URLEncode(strRedirectTargetURL) & "&RedirectTargetQueryString=" & Server.URLEncode(strRedirectTargetQuerystring)
%>

<form name="login_form" action="<%=strFormAction%>" method="post" >
     Enter Password:
     <input type="password" name="pass" value="">
</form>

<%
If (Request.Form("pass")) <> "yes" then
     'nothing
Else  
     Session("pass") = "ok"
     Response.Redirect(strRedirectTargetURL & "?" & strRedirectTargetQueryString)
End If
%>
0
 

Author Comment

by:teelions
ID: 8115156
newknew YES! This works! Thanks very much for your help. Now I can go on with my project. Thanks for everyone that lent a hand.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently decide that I needed a way to make my pages scream on the net.   While searching around how I can accomplish this I stumbled across a great article that stated "minimize the server requests." I got to thinking, hey, I use more than one…
I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question