Solved

login security problem

Posted on 2004-04-13
Last Modified: 2010-04-25
I've designed a login.asp page in Dreamweaver MX.
In order to gain access to any administrating sections, you will need to enter a username and a password. The default is set to "demo" for both through an MS Access 2000 table called "admin".
Any entries except "demo" redirect to the failed_login.asp page.
Very nice!!

My headache began when I entered:
username: 'or'
password: 'or'
and, unbelievably, the administrating pages could be accessed. So many changes to the authentication procedure made no progress.
Any suggestions?
Nikou
Question by:nikou
LVL 8

Expert Comment

by:CoolATIGuy
ID: 10818880
What is your code for checking the username and password, and redirecting on fail? (please post here, without sensitive data)


CoolATIGuy
0
 

Author Comment

by:nikou
ID: 10819433
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="../config/config.asp" -->
<%
If cstr(Request.Form("username"))<>"" Then
  If Request.form("checkbox") ="1" Then
     Response.Cookies("username") = Request.Form("username")
     Response.Cookies("password") = Request.Form("password")
     Response.Cookies("admin") = "1"
     Response.Cookies("username").expires = Date + 30
     Response.Cookies("password").expires = Date + 30
     Response.Cookies("admin").expires = Date + 30
  Else
     Response.Cookies("admin") = "" 
     Response.Cookies("username") = "" 
     Response.Cookies("password") = ""     
  End If
End If
%>
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("username"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization="acclev"
  MM_redirectLoginSuccess="admin.asp?login=yes"
  MM_redirectLoginFailed="loginfail.asp"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_photoalbum_STRING
  MM_rsUser.Source = "SELECT username, password"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  MM_rsUser.Source = MM_rsUser.Source & " FROM users WHERE username='" & MM_valUsername &"' AND password='" & CStr(Request.Form("password")) & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And true Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
<html>
<head>
<title>Login </title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="../includepages/style.css" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td>
      <!--#include file="../includepages/inc_admin_top.asp" -->
    </td>
  </tr>
  <tr>
    <td>
      <p class="headerred"> <br><br><br><br><br>
                <% If Request.Querystring ("reason") = "no" then %>
         please enter your username and password below:  
                <% End If %>
          <form name="form1" method="post" action="<%=MM_LoginAction%>">
        <table width="100%" border="0" cellspacing="0" cellpadding="0">
          <!--DWLayoutTable-->
          <tr>
            <td width="250" height="20">&nbsp;</td>
            <td width="28">&nbsp;</td>
            <td width="69" class="text">Username:</td>
            <td width="406"> <input value="<%= Request.Cookies("username") %>" type="text" name="username" size="20">
            </td>
          </tr>
          <tr>
            <td height="20">&nbsp;</td>
            <td>&nbsp;</td>
            <td class="text">Password:</td>
            <td> <input value="<%= Request.Cookies("Password") %>" type="password" name="Password" size="20">
            </td>
          </tr>
          <tr>
            <td height="19">&nbsp;</td>
            <td colspan="2" align="right" valign="top"  class="text">Remember
              Me:</td>
            <td valign="top"> <input <%If (Request.Cookies("admin") = "1") Then Response.Write("CHECKED") : Response.Write("")%> type="checkbox" name="checkbox" value="1">
            </td>
            </tr>
          <tr>
            <td height="23" colspan="4"> <div align="center">
                <input type="submit" name="Submit" value="Submit">
              </div></td>
          </tr>
        </table>
      </form>
      <p class="headerred">&nbsp;</p>
      <p>&nbsp;</p>
    </td>
  </tr>
  <tr>
    <td>
            <!--#include file="../includepages/inc_admin_bottom.asp" -->
    </td>
  </tr>
</table>
</body>
</html>
0
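
Added example, not part of the thread or of Dreamweaver's generated code: the lookup from the login page above rebuilt with ADO parameters, so a quote typed into either field is compared as data instead of ending the string literal in the SQL text. MM_photoalbum_STRING, the users table, acclev and the redirect targets come from the posted code; the LookupUser name, the 50-character limit and the ADO constant declarations are assumptions.

```vbscript
<!--#include file="../config/config.asp" -->
<%
' Added example: parameterized version of the posted login lookup.
' ADO constants are declared here on the assumption that adovbs.inc
' is not already included by config.asp.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const MAX_FIELD_LEN = 50   ' assumed size of the username/password columns

' LookupUser is a hypothetical helper. It returns True only when the
' supplied pair matches a row; accLevel receives that row's acclev.
Function LookupUser(user, pass, ByRef accLevel)
  Dim cmd, rs
  LookupUser = False
  accLevel = ""
  ' Refuse empty or oversized values before building the command.
  If Len(user) = 0 Or Len(pass) = 0 Then Exit Function
  If Len(user) > MAX_FIELD_LEN Or Len(pass) > MAX_FIELD_LEN Then Exit Function

  Set cmd = Server.CreateObject("ADODB.Command")
  cmd.ActiveConnection = MM_photoalbum_STRING
  cmd.CommandType = adCmdText
  ' The SQL text is constant; "?" markers are bound in the order appended.
  cmd.CommandText = "SELECT username, acclev FROM users " & _
                    "WHERE username = ? AND password = ?"
  cmd.Parameters.Append cmd.CreateParameter("pUser", adVarWChar, adParamInput, MAX_FIELD_LEN, user)
  cmd.Parameters.Append cmd.CreateParameter("pPass", adVarWChar, adParamInput, MAX_FIELD_LEN, pass)

  Set rs = cmd.Execute
  If Not rs.EOF Then
    LookupUser = True
    accLevel = rs.Fields.Item("acclev").Value & ""   ' & "" turns Null into ""
  End If
  rs.Close
  Set rs = Nothing
  Set cmd = Nothing
End Function

Dim level
If CStr(Request.Form("username")) <> "" Then
  If LookupUser(CStr(Request.Form("username")), CStr(Request.Form("password")), level) Then
    Session("MM_Username") = CStr(Request.Form("username"))
    Session("MM_UserAuthorization") = level
    Response.Redirect "admin.asp?login=yes"
  Else
    Response.Redirect "loginfail.asp"
  End If
End If
%>
```

With the values bound this way, the 'or' input from the question is looked up as a four-character string. The posted page also writes the submitted password into a 30-day cookie, which binding parameters does not change.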
 
LVL 8

Expert Comment

by:CoolATIGuy
ID: 10820358
I'm afraid I don't see anything at first glance - anybody got any ideas?


CoolATIGuy
0

Author Comment

by:nikou
ID: 10820782
I found what the problem was.
I opened the login.asp page in Dreamweaver and selected Bindings in Application to select the recordset.
I changed the username and password filter from the default "none" to username and password.
The login security is fixed.
0
 
LVL 8

Expert Comment

by:CoolATIGuy
ID: 10827015
Great!

suggest close question

CoolATIGuy
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 11535529
PAQed, with points refunded (125)

Computer101
E-E Admin
0
