Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

login security problem

Posted on 2004-04-13
7
Medium Priority
?
207 Views
Last Modified: 2010-04-25
I've designed  login.asp page in dreamweaver MX .
In order to gain access to any administrating
sections, you will need to enter a username and a password.Default is set to "demo" for both through MS access 2000 table called "admin".
any entries except "demo" redirect to failed_login.asp page.
very nice!!

My headache is begun when enter:
username: 'or'
password : 'or'
and unbelievable the administrating pages could be accessed.so many changes in authentication procedure not progress.
Any suggestion
Nikou
0
Comment
Question by:nikou
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
7 Comments
 
LVL 8

Expert Comment

by:CoolATIGuy
ID: 10818880
What is your code for checking the username and password, and redirecting on fail? (please post here, without sensitive data)


CoolATIGuy
0
 

Author Comment

by:nikou
ID: 10819433
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="../config/config.asp" -->
<%
If cstr(Request.Form("username"))<>"" Then
  If Request.form("checkbox") ="1" Then
     Response.Cookies("username") = Request.Form("username")
     Response.Cookies("password") = Request.Form("password")
     Response.Cookies("admin") = "1"
     Response.Cookies("username").expires = Date + 30
     Response.Cookies("password").expires = Date + 30
     Response.Cookies("admin").expires = Date + 30
  Else
     Response.Cookies("admin") = "" 
     Response.Cookies("username") = "" 
     Response.Cookies("password") = ""     
  End If
End If
%>
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("username"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization="acclev"
  MM_redirectLoginSuccess="admin.asp?login=yes"
  MM_redirectLoginFailed="loginfail.asp"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_photoalbum_STRING
  MM_rsUser.Source = "SELECT username, password"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  MM_rsUser.Source = MM_rsUser.Source & " FROM users WHERE username='" & MM_valUsername &"' AND password='" & CStr(Request.Form("password")) & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And true Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
<html>
<head>
<title>Login </title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="../includepages/style.css" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td>
      <!--#include file="../includepages/inc_admin_top.asp" -->
    </td>
  </tr>
  <tr>
    <td>
      <p class="headerred"> <br><br><br><br><br>
                <% If Request.Querystring ("reason") = "no" then %>
         please enter your username and password below:  
          <form name="form1" method="post" action="<%=MM_LoginAction%>">
        <table width="100%" border="0" cellspacing="0" cellpadding="0">
          <!--DWLayoutTable-->
          <tr>
            <td width="250" height="20">&nbsp;</td>
            <td width="28">&nbsp;</td>
            <td width="69" class="text">Username:</td>
            <td width="406"> <input value="<%= Request.Cookies("username") %>" type="text" name="username" size="20">
            </td>
          </tr>
          <tr>
            <td height="20">&nbsp;</td>
            <td>&nbsp;</td>
            <td class="text">Password:</td>
            <td> <input value="<%= Request.Cookies("Password") %>" type="password" name="Password" size="20">
            </td>
          </tr>
          <tr>
            <td height="19">&nbsp;</td>
            <td colspan="2" align="right" valign="top"  class="text">Remember
              Me:</td>
            <td valign="top"> <input <%If (Request.Cookies("admin") = "1") Then Response.Write("CHECKED") : Response.Write("")%> type="checkbox" name="checkbox" value="1">
            </td>
            </tr>
          <tr>
            <td height="23" colspan="4"> <div align="center">
                <input type="submit" name="Submit" value="Submit">
              </div></td>
          </tr>
        </table>
      </form>
      <p class="headerred">&nbsp;</p>
      <p>&nbsp;</p>
    </td>
  </tr>
  <tr>
    <td>
            <!--#include file="../includepages/inc_admin_bottom.asp" -->
    </td>
  </tr>
</table>
</body>
</html>
0
 
LVL 8

Expert Comment

by:CoolATIGuy
ID: 10820358
I'm afraid I don't see anything at first glance - anybody got any ideas?


CoolATIGuy
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

 

Author Comment

by:nikou
ID: 10820782
I found  what was that problem.
I opened the login.asp page in dreamweaver,select binding in application to select recordset.
changed username and password filter from default "none" to username and password.
the login security fixed.
0
 
LVL 8

Expert Comment

by:CoolATIGuy
ID: 10827015
Great!

<phrase type="suggestion">

suggest close question

</phrase>




CoolATIGuy
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 11535529
PAQed, with points refunded (125)

Computer101
E-E Admin
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For those who don't know, Adobe Dreamweaver is a popular commercial web editor that enables you to design, build and manage complex websites. The editor is a WYSIWYG (What You See Is What You Get) web editor, which means that you can create your web…
I still run into .cgi files every now and then. In some instances, I actually prefer the simplicity of a .cgi script to other options. Since I use DreamWeaver extensively, what I needed was a way to open .cgi scripts in Dreamweaver. And I wanted to …
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question