nikou

asked on

login security problem

I've designed a login.asp page in Dreamweaver MX.
In order to gain access to any administrating
sections, you will need to enter a username and a password. Default is set to "demo" for both through an MS Access 2000 table called "admin".
Any entries except "demo" redirect to the failed_login.asp page.
Very nice!!

My headache began when I entered:
username: 'or'
password: 'or'
and, unbelievably, the administrating pages could be accessed. So many changes to the authentication procedure, but no progress.
Any suggestion?
Nikou
CoolATIGuy

What is your code for checking the username and password, and redirecting on fail? (please post here, without sensitive data)


CoolATIGuy

ASKER

<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="../config/config.asp" -->
<%
If cstr(Request.Form("username"))<>"" Then
  If Request.form("checkbox") ="1" Then
     ' "Remember me": the submitted username and password are written to cookies in clear text for 30 days
     Response.Cookies("username") = Request.Form("username")
     Response.Cookies("password") = Request.Form("password")
     Response.Cookies("admin") = "1"
     Response.Cookies("username").expires = Date + 30
     Response.Cookies("password").expires = Date + 30
     Response.Cookies("admin").expires = Date + 30
  Else
     Response.Cookies("admin") = "" 
     Response.Cookies("username") = "" 
     Response.Cookies("password") = ""     
  End If
End If
%>
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("username"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization="acclev"
  MM_redirectLoginSuccess="admin.asp?login=yes"
  MM_redirectLoginFailed="loginfail.asp"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_photoalbum_STRING
  MM_rsUser.Source = "SELECT username, password"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  ' The submitted username and password are concatenated straight into the SQL text,
  ' so a quote character in either field ends the string literal and whatever follows is parsed as SQL
  MM_rsUser.Source = MM_rsUser.Source & " FROM users WHERE username='" & MM_valUsername &"' AND password='" & CStr(Request.Form("password")) & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And true Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
<html>
<head>
<title>Login </title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="../includepages/style.css" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td>
      <!--#include file="../includepages/inc_admin_top.asp" -->
    </td>
  </tr>
  <tr>
    <td>
      <p class="headerred"> <br><br><br><br><br>
                <% If Request.Querystring ("reason") = "no" then %>
         please enter your username and password below:  
          <form name="form1" method="post" action="<%=MM_LoginAction%>">
        <table width="100%" border="0" cellspacing="0" cellpadding="0">
          <!--DWLayoutTable-->
          <tr>
            <td width="250" height="20">&nbsp;</td>
            <td width="28">&nbsp;</td>
            <td width="69" class="text">Username:</td>
            <td width="406"> <input value="<%= Request.Cookies("username") %>" type="text" name="username" size="20">
            </td>
          </tr>
          <tr>
            <td height="20">&nbsp;</td>
            <td>&nbsp;</td>
            <td class="text">Password:</td>
            <td> <input value="<%= Request.Cookies("Password") %>" type="password" name="Password" size="20">
            </td>
          </tr>
          <tr>
            <td height="19">&nbsp;</td>
            <td colspan="2" align="right" valign="top"  class="text">Remember
              Me:</td>
            <td valign="top"> <input <%If (Request.Cookies("admin") = "1") Then Response.Write("CHECKED") : Response.Write("")%> type="checkbox" name="checkbox" value="1">
            </td>
            </tr>
          <tr>
            <td height="23" colspan="4"> <div align="center">
                <input type="submit" name="Submit" value="Submit">
              </div></td>
          </tr>
        </table>
      </form>
      <p class="headerred">&nbsp;</p>
      <p>&nbsp;</p>
    </td>
  </tr>
  <tr>
    <td>
            <!--#include file="../includepages/inc_admin_bottom.asp" -->
    </td>
  </tr>
</table>
</body>
</html>
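The posted recordset builds its WHERE clause by concatenating the form fields into the SQL string (the `FROM users WHERE username='` line), which is why a quote in the username or password field changes the query rather than being matched as data. Below is an added example, not from the original post or from Dreamweaver's generated code, of the same lookup done with an ADODB.Command and bound parameters; it assumes the MM_photoalbum_STRING connection string, the users table and the acclev column from the posted code, and a field width of 50 characters.

```vbscript
<%
' Added example (not part of the original post): parameterised replacement for the
' MM_rsUser block. The values arrive as bound parameters, so a username such as 'or'
' is compared literally and never becomes part of the SQL text.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Function LookupUser(username, password)
  Dim cmd
  Set cmd = Server.CreateObject("ADODB.Command")
  cmd.ActiveConnection = MM_photoalbum_STRING   ' connection string from config.asp (assumed)
  cmd.CommandType = adCmdText
  ' Positional placeholders; Jet/OLE DB substitutes the parameters in Append order
  cmd.CommandText = "SELECT username, password, acclev FROM users WHERE username = ? AND password = ?"
  cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, username)
  cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, 50, password)
  Set LookupUser = cmd.Execute
End Function

MM_valUsername = CStr(Request.Form("username"))
If MM_valUsername <> "" Then
  MM_redirectLoginSuccess = "admin.asp?login=yes"
  MM_redirectLoginFailed = "loginfail.asp"
  Set MM_rsUser = LookupUser(MM_valUsername, CStr(Request.Form("password")))
  If Not MM_rsUser.EOF Then
    ' A row is returned only when both columns equal the submitted strings exactly
    Session("MM_Username") = MM_valUsername
    Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item("acclev").Value)
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
```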
I'm afraid I don't see anything at first glance - anybody got any ideas?


CoolATIGuy

ASKER

I found what the problem was.
I opened the login.asp page in Dreamweaver and selected Bindings in the Application panel to select the recordset.
I changed the username and password filter from the default "none" to username and password.
The login security is fixed.
Great!

Suggest close question.

CoolATIGuy
ASKER CERTIFIED SOLUTION
Computer101