Solved

login security problem

Posted on 2004-04-13
Last Modified: 2010-04-25
I've designed a login.asp page in Dreamweaver MX.
In order to gain access to any administration sections, you will need to enter a username and a password. The default is set to "demo" for both, through an MS Access 2000 table called "admin".
Any entries except "demo" redirect to the failed_login.asp page.
Very nice!!

My headache began when I entered:
username: 'or'
password: 'or'
and, unbelievably, the administration pages could be accessed. So many changes to the authentication procedure made no progress.
Any suggestions?
Nikou
0
Question by:nikou
7 Comments
 
LVL 8

Expert Comment

by:CoolATIGuy
ID: 10818880
What is your code for checking the username and password, and redirecting on fail? (please post here, without sensitive data)


CoolATIGuy
0
 

Author Comment

by:nikou
ID: 10819433
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="../config/config.asp" -->
<%
If cstr(Request.Form("username"))<>"" Then
  If Request.form("checkbox") ="1" Then
     Response.Cookies("username") = Request.Form("username")
     Response.Cookies("password") = Request.Form("password")
     Response.Cookies("admin") = "1"
     Response.Cookies("username").expires = Date + 30
     Response.Cookies("password").expires = Date + 30
     Response.Cookies("admin").expires = Date + 30
  Else
     Response.Cookies("admin") = "" 
     Response.Cookies("username") = "" 
     Response.Cookies("password") = ""     
  End If
End If
%>
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("username"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization="acclev"
  MM_redirectLoginSuccess="admin.asp?login=yes"
  MM_redirectLoginFailed="loginfail.asp"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_photoalbum_STRING
  MM_rsUser.Source = "SELECT username, password"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  MM_rsUser.Source = MM_rsUser.Source & " FROM users WHERE username='" & MM_valUsername &"' AND password='" & CStr(Request.Form("password")) & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And true Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
<html>
<head>
<title>Login </title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="../includepages/style.css" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td>
      <!--#include file="../includepages/inc_admin_top.asp" -->
    </td>
  </tr>
  <tr>
    <td>
      <p class="headerred"> <br><br><br><br><br>
                <% If Request.Querystring ("reason") = "no" then %>
         please enter your username and password below:  
          <form name="form1" method="post" action="<%=MM_LoginAction%>">
        <table width="100%" border="0" cellspacing="0" cellpadding="0">
          <!--DWLayoutTable-->
          <tr>
            <td width="250" height="20">&nbsp;</td>
            <td width="28">&nbsp;</td>
            <td width="69" class="text">Username:</td>
            <td width="406"> <input value="<%= Request.Cookies("username") %>" type="text" name="username" size="20">
            </td>
          </tr>
          <tr>
            <td height="20">&nbsp;</td>
            <td>&nbsp;</td>
            <td class="text">Password:</td>
            <td> <input value="<%= Request.Cookies("Password") %>" type="password" name="Password" size="20">
            </td>
          </tr>
          <tr>
            <td height="19">&nbsp;</td>
            <td colspan="2" align="right" valign="top"  class="text">Remember
              Me:</td>
            <td valign="top"> <input <%If (Request.Cookies("admin") = "1") Then Response.Write("CHECKED") : Response.Write("")%> type="checkbox" name="checkbox" value="1">
            </td>
            </tr>
          <tr>
            <td height="23" colspan="4"> <div align="center">
                <input type="submit" name="Submit" value="Submit">
              </div></td>
          </tr>
        </table>
      </form>
      <% End If ' closes the If Request.Querystring("reason") block opened above the form %>
      <p class="headerred">&nbsp;</p>
      <p>&nbsp;</p>
    </td>
  </tr>
  <tr>
    <td>
            <!--#include file="../includepages/inc_admin_bottom.asp" -->
    </td>
  </tr>
</table>
</body>
</html>
0
 
LVL 8

Expert Comment

by:CoolATIGuy
ID: 10820358
I'm afraid I don't see anything at first glance - anybody got any ideas?


CoolATIGuy
0

 

Author Comment

by:nikou
ID: 10820782
I found what the problem was.
I opened the login.asp page in Dreamweaver and selected Bindings in Application to select the recordset.
I changed the username and password filter from the default "none" to username and password.
The login security is fixed.
0
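The query in the posted login.asp is built by concatenating the two form fields into the SQL text, so a quote character in either field ends the string literal and whatever follows is parsed as SQL rather than compared as data. The block below is an added example, not code from the thread or from Dreamweaver's generated output: it performs the same lookup with ADO bound parameters, reusing the connection string, table, columns and redirect targets from the post. The 50-character column width is an assumption.

```vbscript
<%
' Added example: the login lookup from the post with bound parameters
' instead of string concatenation. ADO constants are declared inline.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const MAX_FIELD_LEN = 50   ' assumed column width; adjust to the real schema

Dim cmd, rs, valUsername, valPassword
valUsername = CStr(Request.Form("username"))
valPassword = CStr(Request.Form("password"))

If valUsername <> "" Then
  ' Reject over-long input up front so CreateParameter never raises an error.
  If Len(valUsername) > MAX_FIELD_LEN Or Len(valPassword) > MAX_FIELD_LEN Then
    Response.Redirect "loginfail.asp"
  End If

  Set cmd = Server.CreateObject("ADODB.Command")
  cmd.ActiveConnection = MM_photoalbum_STRING
  cmd.CommandType = adCmdText
  ' The SQL text is a constant; the ? markers are filled in by the provider.
  ' Brackets keep the column name from being read as a keyword.
  cmd.CommandText = "SELECT username, acclev FROM users " & _
                    "WHERE username = ? AND [password] = ?"
  cmd.Parameters.Append cmd.CreateParameter("username", adVarWChar, adParamInput, MAX_FIELD_LEN, valUsername)
  cmd.Parameters.Append cmd.CreateParameter("password", adVarWChar, adParamInput, MAX_FIELD_LEN, valPassword)

  Set rs = cmd.Execute
  If Not rs.EOF Then
    ' A row came back: the values matched as data, quotes included.
    Session("MM_Username") = valUsername
    Session("MM_UserAuthorization") = CStr(rs.Fields.Item("acclev").Value)
    rs.Close
    Response.Redirect "admin.asp?login=yes"
  End If
  rs.Close
  Response.Redirect "loginfail.asp"
End If
%>
```

With this form, the input `'or'` is compared literally against the stored username and password and matches no row unless a user with exactly that name and password exists.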
 
LVL 8

Expert Comment

by:CoolATIGuy
ID: 10827015
Great!

suggest close question

CoolATIGuy
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 11535529
PAQed, with points refunded (125)

Computer101
E-E Admin
0
