nikou
asked on
login security problem
I've designed a login.asp page in Dreamweaver MX.
In order to gain access to any administrating sections, you will need to enter a username and a password. The default is set to "demo" for both through an MS Access 2000 table called "admin".
Any entries except "demo" redirect to the failed_login.asp page.
Very nice!!
My headache began when entering:
username: 'or'
password: 'or'
and, unbelievably, the administrating pages could be accessed. So many changes to the authentication procedure brought no progress.
Any suggestion?
Nikou
ASKER
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="../config/config.asp" -->
<%
' "Remember me": when the checkbox is ticked, keep the submitted credentials
' in cookies for 30 days; otherwise clear them.
If CStr(Request.Form("username")) <> "" Then
  If Request.Form("checkbox") = "1" Then
    Response.Cookies("username") = Request.Form("username")
    Response.Cookies("password") = Request.Form("password")
    Response.Cookies("admin") = "1"
    Response.Cookies("username").Expires = Date + 30
    Response.Cookies("password").Expires = Date + 30
    Response.Cookies("admin").Expires = Date + 30
  Else
    Response.Cookies("admin") = ""
    Response.Cookies("username") = ""
    Response.Cookies("password") = ""
  End If
End If
%>
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString <> "" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername = CStr(Request.Form("username"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization = "acclev"
  MM_redirectLoginSuccess = "admin.asp?login=yes"
  MM_redirectLoginFailed = "loginfail.asp"
  MM_flag = "ADODB.Recordset"
  Set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_photoalbum_STRING
  MM_rsUser.Source = "SELECT username, password"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  ' The form values are concatenated straight into the SQL text; this is the
  ' statement the question is about.
  MM_rsUser.Source = MM_rsUser.Source & " FROM users WHERE username='" & MM_valUsername & "' AND password='" & CStr(Request.Form("password")) & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    If CStr(Request.QueryString("accessdenied")) <> "" And True Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
<html>
<head>
<title>Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="../includepages/style.css" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td>
<!--#include file="../includepages/inc_admin_top.asp" -->
</td>
</tr>
<tr>
<td>
<p class="headerred"> <br><br><br><br><br>
<% If Request.QueryString("reason") = "no" Then %>
please enter your username and password below:
<% End If ' closes the "reason" check; the posted code was missing this %>
<form name="form1" method="post" action="<%=MM_LoginAction%>">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<!--DWLayoutTable-->
<tr>
<td width="250" height="20"> </td>
<td width="28"> </td>
<td width="69" class="text">Username:</td>
<td width="406"> <input value="<%= Request.Cookies("username") %>" type="text" name="username" size="20">
</td>
</tr>
<tr>
<td height="20"> </td>
<td> </td>
<td class="text">Password:</td>
<td> <input value="<%= Request.Cookies("Password") %>" type="password" name="Password" size="20">
</td>
</tr>
<tr>
<td height="19"> </td>
<td colspan="2" align="right" valign="top" class="text">Remember
Me:</td>
<td valign="top"> <input <%If (Request.Cookies("admin") = "1") Then Response.Write("CHECKED") : Response.Write("")%> type="checkbox" name="checkbox" value="1">
</td>
</tr>
<tr>
<td height="23" colspan="4"> <div align="center">
<input type="submit" name="Submit" value="Submit">
</div></td>
</tr>
</table>
</form>
<p class="headerred"> </p>
<p> </p>
</td>
</tr>
<tr>
<td>
<!--#include file="../includepages/inc_admin_bottom.asp" -->
</td>
</tr>
</table>
</body>
</html>
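The posted page builds its WHERE clause by concatenating the two form fields into the SQL string, so a quote character in either field changes the statement itself rather than being compared as data. The following is an added example, not code from the original post or from Dreamweaver, showing the same user lookup done with an ADODB.Command and bound parameters; it reuses the page's MM_photoalbum_STRING connection string and its column names, and assumes the username and password columns are text fields of at most 50 characters.

```vbscript
<%
' Added example (not from the original post): the same lookup as the
' Dreamweaver-generated code, but with bound parameters instead of string
' concatenation, so quotes or "or" in the input are matched literally.
Const adCmdText = 1        ' ADO: CommandText is a SQL statement
Const adVarChar = 200      ' ADO: variable-length string parameter
Const adParamInput = 1     ' ADO: input parameter direction

' Returns the acclev of the matching user, or Empty when no row matched.
Function LookupUser(connString, userName, password)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = connString
    cmd.CommandType = adCmdText
    ' The ? placeholders are filled by the provider; the input text never
    ' becomes part of the statement.
    cmd.CommandText = "SELECT username, password, acclev FROM users " & _
                      "WHERE username = ? AND password = ?"
    ' Assumed column width of 50; adjust to the table definition.
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, 50, password)

    Set rs = cmd.Execute
    If Not rs.EOF Then
        LookupUser = CStr(rs.Fields.Item("acclev").Value)
    Else
        LookupUser = Empty
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

Dim MM_valUsername, MM_acclev
MM_valUsername = CStr(Request.Form("username"))
If MM_valUsername <> "" Then
    ' MM_photoalbum_STRING comes from the page's config.asp include.
    MM_acclev = LookupUser(MM_photoalbum_STRING, MM_valUsername, CStr(Request.Form("password")))
    If Not IsEmpty(MM_acclev) Then
        Session("MM_Username") = MM_valUsername
        Session("MM_UserAuthorization") = MM_acclev
        Response.Redirect("admin.asp?login=yes")
    Else
        Response.Redirect("loginfail.asp")
    End If
End If
%>
```

With this form of the query, the input described in the question ('or' in both fields) is looked up as a literal username and password and simply fails to match.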
I'm afraid I don't see anything at first glance - anybody got any ideas?
CoolATIGuy
ASKER
I found what the problem was.
I opened the login.asp page in Dreamweaver and selected binding in application to select the recordset.
I changed the username and password filter from the default "none" to username and password.
The login security is fixed.
Great!
Suggest close question.
CoolATIGuy