
Javascript/ASP problem

Hi Experts,

I have a content page (a page from our content management tool) which calls a javascript which in turn calls an asp page to authenticate users, checking whether they have access to the page, and if they have, submits back to our content page.

So to illustrate: our content page calls secure.js. This is contained in content page 7918.  This page contains:

location = '/INTRANET/PRODUCTION/mm4applications/ConfigFiles/SecureAccess/SecureIndex.asp?Page=7918';

The Page in the querystring is the page number of the content page so I'll know where to submit it back:

So my SecureIndex.asp page contains code to authenticate the user. And the html portion of my asp page contains:

<BODY>

<form name="ConfigForm"  action="http://sydintra01/intranet/firm/me.get?site.sitelayouts.home&<%=request.querystring("Page")%>" method = "POST"  target="_top" >

</form>
<script language=javascript>
document.ConfigForm.submit()
</script>
</BODY>

So it actually submits the page to itself.  But the problem with this is that it goes into an endless loop, because my content page (in the action attribute) contains the javascript which calls the asp page.

My question is, how can I prevent this from looping again?  What I want is a flag that is set once the call has been made and prevents it from being called again.

I hope I have explained my problem clearly.  I have tried something but I cannot make it work right.

Please help.

Thanks.


Asked by: MsFox
 
fruhj commented:
Hmm

I assume you can't change the get.me code...

You could do a post to the form with an extra querystring, and check for the querystring in the secure.js file -

ie...
on the asp page, you just add a literal to your form:
<form name="ConfigForm"  action="http://sydintra01/intranet/firm/me.get?site.sitelayouts.home&<%=request.querystring("Page")%>&AuthPostback=true" method = "POST"  target="_top" >


in secure.js - check for the presence of an auth querystring (in my example above, I called it AuthPostback)
(not being all that familiar with javascript, I've pulled some of this text from Professional JavaScript 2nd ed and filled in the gaps with my own code)
var tpstr = new String(document.location);
var paramList = tpstr.split("?");
// paramList should now be an array with 2 elements - the second contains everything after the ? in our url
if (paramList.length > 1) // verify we have 2 elements
{
   var urlList = paramList[1].split("&");  // now further split the stuff after the ?
   // this should give an array with
   //   site.sitelayouts.home as the first value
   //   your page as the second value
   //   AuthPostback=true as the third value
   var i;
   for (i = 0; i < urlList.length; i++)
   {  // loop through each value - can't guarantee that they'll always be in the same order
      if (urlList[i] == "AuthPostback=true")
      {
         // now you know you've been to the post back page already - you can do something about it!
      }
   }
}



Hope this helps!

- Jack
 
rdivilbiss commented:
Jack put some effort into solving your immediate problem and should be applauded for that; however, you have zero security.

Any person can simply enter a url with the second parameter and bypass the authentication.

A hidden form field will not offer any security either.

If you wish to authenticate users to prevent them from accessing pages they should not see you will have to do the check for login, the authentication and the storing of a login indicator in server side code only (in your case, ASP).

Let's assume that each page has its own unique permissions, e.g. a person who is authorized to see page A may not be authorized to see page B.  In that case, we can not simply have a value that says the person is logged on, but rather that the person is logged on and has authorization for the specific page.

In your example above, you need to check via ASP if the person is logged on and authorized.  I'll use a session variable and the page number to indicate this.

This would normally be something like this...

<%
if NOT session("7918")=true then
    response.redirect("/INTRANET/PRODUCTION/mm4applications/ConfigFiles/SecureAccess/SecureIndex.asp?Page=7918")
end if
%>

In SecureIndex.asp, upon a successful authorization, you would set

Session(request.querystring("Page"))=true

prior to your post back to the originating page.

You will not have a loop, and the login will not be able to be spoofed.

There are additional considerations for security, such as using SSL to avoid sending the user id and password in plain text in the SecureIndex.asp page, etc.

You can find a discussion of those issues here:

http://www.rodsdot.com/development/Authentication/default.asp

Since you are using an Intranet, you can issue your own SSL certificate (for free) to further secure this application.  Instructions here (very easy):

http://www.rodsdot.com/ee/sslselfcert.asp

Regardless of which way you choose to proceed, best of luck.

Regards,
Rod
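As an added example (not code from this thread, the CMS or SecureIndex.asp), here is a small Node.js model of the content-page / SecureIndex.asp round trip. It contrasts the AuthPostback=true marker from Jack's answer with the per-page session flag from Rod's answer above, and shows why only the latter stops the loop without being forgeable; all function names are hypothetical and the URLs are constructed samples.

```javascript
// Added example, not code from the thread: a Node.js model of the
// content page <-> SecureIndex.asp round trip, contrasting a marker in
// the URL (AuthPostback=true, which any browser can type in) with a
// server-side session flag keyed by page number (session("7918")=true).
// All function names are hypothetical; the URLs are constructed samples.

// Query-string tokens as secure.js would see them, e.g.
// ["site.sitelayouts.home", "7918", "AuthPostback=true"].
function queryTokens(url) {
  const q = url.split("?")[1] || "";
  return q.split("&").filter((t) => t.length > 0);
}

// What SecureIndex.asp records after a *successful* login: the per-page
// authorization, kept server-side where the browser cannot edit it.
function recordAuthorization(session, page) {
  session.set(String(page), true);
}

// The content page's decision for one request.
//   "none":    the original design, which always calls SecureIndex.asp
//   "urlFlag": trust the AuthPostback=true token (client-controlled)
//   "session": trust only the server-side per-page session entry
function checkAccess(policy, url, page, session) {
  if (policy === "none") return "redirect";
  if (policy === "urlFlag") {
    return queryTokens(url).includes("AuthPostback=true") ? "serve" : "redirect";
  }
  return session.get(String(page)) === true ? "serve" : "redirect";
}

// Walk the redirect chain for a browser with no prior login. Returns the
// number of trips through SecureIndex.asp before the page is served, or
// -1 if it never is (the endless loop from the question).
function simulateVisit(policy, page, session, loginSucceeds, maxHops = 5) {
  let url = "/intranet/firm/me.get?site.sitelayouts.home&" + page;
  for (let hops = 0; hops <= maxHops; hops++) {
    if (checkAccess(policy, url, page, session) === "serve") return hops;
    if (!loginSucceeds) return -1; // login page shown, never posted back
    recordAuthorization(session, page); // server-side flag set on success
    url += "&AuthPostback=true";        // Jack's marker on the post back
  }
  return -1;
}
```

A legitimate visit costs one trip through SecureIndex.asp under either policy; the difference is that a request carrying AuthPostback=true but no server-side session entry is served under "urlFlag" and redirected under "session", and the session entry for page 7918 does not unlock page 7919.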
 
MsFox (Author) commented:
Hi,

I tried this but the value of document.location in the js file remains the same.  How can you bring the URL with the AuthPostback=true value back to the js file?

Thanks
MsFox (Author) commented:
Hi Rod,

It's true, it's not looping, but the page remains in the asp page that contains this:

<%
if NOT session("7918")=true then
    response.redirect("/INTRANET/PRODUCTION/mm4applications/ConfigFiles/SecureAccess/SecureIndex.asp?Page=7918")
end if
%>

I want the page to be in the action attribute of this page:

<BODY>

<form name="ConfigForm"  action="http://sydintra01/intranet/firm/me.get?site.sitelayouts.home&<%=request.querystring("Page")%>" method = "POST"  target="_top" >

</form>
<script language=javascript>
document.ConfigForm.submit()
</script>
</BODY>

With regards to SSL,  I'll talk to my superior about the possibility of using this.

Thanks.
 
nurbek commented:
Try like this, or you can use hidden fields, setting the value to true/false depending on whether the form has been submitted or not:

<%
If LCase(Request.ServerVariables("REQUEST_METHOD")) <> "post" Then
%>
<script language=javascript>
document.ConfigForm.submit()
</script>

<%
End If
%>
 
fruhj commented:
Hey MsFox

  Everyone who's contributed here has had good ideas and intentions - I have lots of respect for Rod and Nurbek.

   I agree with Rod, there are certainly security implications of what you're doing - however I'm not certain you can fix them in the SecureIndex.asp file alone - the real security needs to take place in your CMS in whatever is behind the me.Get code - that could be asp mapped to a .get extension or it could be java or something else - but ultimately that's where the security needs to take place.

   It didn't sound like you had the ability to change the CMS - if you do - then there's a whole new topic of the best way to handle the security.


   Rod's suggestion of:
=========== begin quote from rod ==============
This would normally be something like this...
<%
if NOT session("7918")=true then
    response.redirect("/INTRANET/PRODUCTION/mm4applications/ConfigFiles/SecureAccess/SecureIndex.asp?Page=7918")
end if
%>
============ end quote from rod ==============
would be right on the money - if you could put that code in the get.me that displays the document.

However, if you're limited to changing only the secure.js file and the SecureIndex.asp file, then Rod's suggestion won't work: that code is asp based and would need to run on the server, but the secure.js file runs on the client, and the client won't have access to the session variables that would have been set by the SecureIndex.asp page.


There could be an exception to this - if your CMS is implemented in asp.net - you can modify the web.config file to use forms authentication -the .net platform takes care of the redirection automatically - you just provide an asp.net form and some minimal code to say yes or no (also I'm no expert in java - but if it's java based there might be a similar authentication scheme available)

So anyhow - I wasn't trying to steer you towards an insecure solution - just trying to work within the boundaries you mentioned you were working in.

- Jack

 