Solved

login security problem

Posted on 2004-04-13
7
200 Views
Last Modified: 2010-04-25
I've designed  login.asp page in dreamweaver MX .
In order to gain access to any administrating
sections, you will need to enter a username and a password.Default is set to "demo" for both through MS access 2000 table called "admin".
any entries except "demo" redirect to failed_login.asp page.
very nice!!

My headache is begun when enter:
username: 'or'
password : 'or'
and unbelievable the administrating pages could be accessed.so many changes in authentication procedure not progress.
Any suggestion
Nikou
0
Comment
Question by:nikou
  • 3
  • 2
7 Comments
 
LVL 8

Expert Comment

by:CoolATIGuy
ID: 10818880
What is your code for checking the username and password, and redirecting on fail? (please post here, without sensitive data)


CoolATIGuy
0
 

Author Comment

by:nikou
ID: 10819433
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="../config/config.asp" -->
<%
If cstr(Request.Form("username"))<>"" Then
  If Request.form("checkbox") ="1" Then
     Response.Cookies("username") = Request.Form("username")
     Response.Cookies("password") = Request.Form("password")
     Response.Cookies("admin") = "1"
     Response.Cookies("username").expires = Date + 30
     Response.Cookies("password").expires = Date + 30
     Response.Cookies("admin").expires = Date + 30
  Else
     Response.Cookies("admin") = "" 
     Response.Cookies("username") = "" 
     Response.Cookies("password") = ""     
  End If
End If
%>
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("username"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization="acclev"
  MM_redirectLoginSuccess="admin.asp?login=yes"
  MM_redirectLoginFailed="loginfail.asp"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_photoalbum_STRING
  MM_rsUser.Source = "SELECT username, password"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  MM_rsUser.Source = MM_rsUser.Source & " FROM users WHERE username='" & MM_valUsername &"' AND password='" & CStr(Request.Form("password")) & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And true Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
<html>
<head>
<title>Login </title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="../includepages/style.css" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td>
      <!--#include file="../includepages/inc_admin_top.asp" -->
    </td>
  </tr>
  <tr>
    <td>
      <p class="headerred"> <br><br><br><br><br>
                <% If Request.Querystring ("reason") = "no" then %>
         please enter your username and password below:  
          <form name="form1" method="post" action="<%=MM_LoginAction%>">
        <table width="100%" border="0" cellspacing="0" cellpadding="0">
          <!--DWLayoutTable-->
          <tr>
            <td width="250" height="20">&nbsp;</td>
            <td width="28">&nbsp;</td>
            <td width="69" class="text">Username:</td>
            <td width="406"> <input value="<%= Request.Cookies("username") %>" type="text" name="username" size="20">
            </td>
          </tr>
          <tr>
            <td height="20">&nbsp;</td>
            <td>&nbsp;</td>
            <td class="text">Password:</td>
            <td> <input value="<%= Request.Cookies("Password") %>" type="password" name="Password" size="20">
            </td>
          </tr>
          <tr>
            <td height="19">&nbsp;</td>
            <td colspan="2" align="right" valign="top"  class="text">Remember
              Me:</td>
            <td valign="top"> <input <%If (Request.Cookies("admin") = "1") Then Response.Write("CHECKED") : Response.Write("")%> type="checkbox" name="checkbox" value="1">
            </td>
            </tr>
          <tr>
            <td height="23" colspan="4"> <div align="center">
                <input type="submit" name="Submit" value="Submit">
              </div></td>
          </tr>
        </table>
      </form>
      <p class="headerred">&nbsp;</p>
      <p>&nbsp;</p>
    </td>
  </tr>
  <tr>
    <td>
            <!--#include file="../includepages/inc_admin_bottom.asp" -->
    </td>
  </tr>
</table>
</body>
</html>
0
 
LVL 8

Expert Comment

by:CoolATIGuy
ID: 10820358
I'm afraid I don't see anything at first glance - anybody got any ideas?


CoolATIGuy
0
Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

 

Author Comment

by:nikou
ID: 10820782
I found  what was that problem.
I opened the login.asp page in dreamweaver,select binding in application to select recordset.
changed username and password filter from default "none" to username and password.
the login security fixed.
0
 
LVL 8

Expert Comment

by:CoolATIGuy
ID: 10827015
Great!

<phrase type="suggestion">

suggest close question

</phrase>




CoolATIGuy
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 11535529
PAQed, with points refunded (125)

Computer101
E-E Admin
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Adobe Dreamweaver CS5 is a WYSIWYG web page editor that has advanced HTML, CSS, and Javascript rendering functionality and is probably the most well-known HTML editor available. Much of Dreamweaver's appeal centers around the Design View interfac…
This article is very specific and is only intended to help if you are installing Dreamweaver 8 in a Windows 7 environment with Office 2007 installed.   I'm not sure why Microsoft tends to release OS' that should not be released but they do.  Windows…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now