Solved

User Authentication Restricts everything

Posted on 2006-06-28
Last Modified: 2010-04-25
Hello everyone,
I have a simple login page that queries an Access database for username and password and access level. We have been using this login system for two years and it has been working like a champ. We have numerous pages that are using the authentication to restrict some users from having access to certain areas that only key members should have access to. They all work just fine. Today I went to create a new form and supply basic authentication to the form, and when I load the page it blocks the page for everyone and redirects to the login page. So I took another page that already had authentication (that works fine) and cut and pasted the authentication to the new page instead of using the wizard, and I get the exact same thing. Can someone look at the code and tell me what I am doing wrong?

Jester

I did add a couple session variables to the login some time ago
::::::::::::::: Login Page - Login Piece :::::::::::::::::::

<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
MM_valUsername=CStr(Request.Form("username"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization="PositionCode"
  MM_redirectLoginSuccess="reglogin.asp"
  MM_redirectLoginFailed="login_failed.asp"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_Main_DB_STRING
  MM_rsUser.Source = "SELECT Username, password, SREP_CODE, OfficeLocation"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  MM_rsUser.Source = MM_rsUser.Source & " FROM Fullemployees WHERE Username='" & Replace(MM_valUsername,"'","''") &"' AND password='" & Replace(Request.Form("pwd"),"'","''") & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
       ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
      Session("MM_SREP_CODE") = (MM_rsUser.Fields.Item("SREP_CODE").Value)
      Session("MM_STORE") = (MM_rsUser.Fields.Item("OfficeLocation").Value)
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And true Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>


:::::::::::::::: Form Page  - Restriction piece :::::::::::::::::::::
<%
' *** Restrict Access To Page: Grant or deny access to this page
MM_authorizedUsers="1,2,3,4,5,6,7,8"
MM_authFailedURL="../login2.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
  If (false Or CStr(Session("MM_UserAuthorization"))="") Or _
         (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
If Not MM_grantAccess Then
  MM_qsChar = "?"
  If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
  MM_referrer = Request.ServerVariables("URL")
  if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
  MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
  Response.Redirect(MM_authFailedURL)
End If
%>

Question by:awinstead
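
The restriction piece above authorizes with a substring test (InStr against the comma-separated MM_authorizedUsers list) and also passes when the stored level is empty, while the login piece redirects to whatever the accessdenied parameter holds. As an added example (not part of the original post and not Dreamweaver's generated code), here is the same check with whole-token matching and a same-site test on the return path. IsLevelAllowed, IsLocalPath and MM_returnTo are hypothetical names, and denying an empty level is a deliberate change from the posted behaviour.

```vbscript
<%
' Added example: hardened variant of the page-restriction and return-URL logic.
' IsLevelAllowed and IsLocalPath are hypothetical helpers; in practice they
' would live in a shared include used by both pages.
Function IsLevelAllowed(allowedCsv, userLevel)
  ' Whole-token comparison, so values such as "1,2" or "," cannot match as substrings.
  Dim token
  IsLevelAllowed = False
  If Trim(userLevel) = "" Then Exit Function ' empty level is denied (change from the posted code)
  For Each token In Split(allowedCsv, ",")
    If Trim(token) = Trim(userLevel) Then
      IsLevelAllowed = True
      Exit Function
    End If
  Next
End Function

Function IsLocalPath(target)
  ' Accept only same-site paths such as "/forms/new.asp?id=1" (constructed sample).
  IsLocalPath = False
  If Left(target, 1) <> "/" Then Exit Function
  If Left(target, 2) = "//" Or Left(target, 2) = "/\" Then Exit Function
  If InStr(target, vbCr) > 0 Or InStr(target, vbLf) > 0 Then Exit Function
  IsLocalPath = True
End Function

' --- Restricted page: replaces the InStr-based check ---
Dim MM_authorizedUsers, MM_authFailedURL, MM_grantAccess, MM_referrer
MM_authorizedUsers = "1,2,3,4,5,6,7,8"
MM_authFailedURL = "../login2.asp"
MM_grantAccess = False
If CStr(Session("MM_Username") & "") <> "" Then
  MM_grantAccess = IsLevelAllowed(MM_authorizedUsers, CStr(Session("MM_UserAuthorization") & ""))
End If
If Not MM_grantAccess Then
  MM_referrer = Request.ServerVariables("URL")
  If Len(Request.QueryString()) > 0 Then MM_referrer = MM_referrer & "?" & Request.QueryString()
  Response.Redirect MM_authFailedURL & "?accessdenied=" & Server.URLEncode(MM_referrer)
End If

' --- Login page: replaces the unconditional accessdenied assignment ---
' MM_redirectLoginSuccess is the variable already set in the login piece.
Dim MM_returnTo
MM_returnTo = CStr(Request.QueryString("accessdenied"))
If IsLocalPath(MM_returnTo) Then MM_redirectLoginSuccess = MM_returnTo
%>
```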
4 Comments
 
LVL 25

Expert Comment

by:Rouchie
ID: 17007668
The code seems okay, however, DW's attempts at writing this stuff are pretty hard to read.  Double check that on your form page, the username and password fields are NAMEd as "username" & "pwd".

Also check that browser/firewall etc are not blocking cookies.
0
 

Author Comment

by:awinstead
ID: 17014175
I checked the login page and the names are labeled "username" and "pwd". The funny thing is if I create a blank page and use the Authentication I get the same problem. There are numerous pages that were created some time ago and they all work just fine. It's just the new pages. I also tried copying and pasting from one of the old pages that work and that one fails too. I am completely baffled on this one. Please help, I am under a tight deadline.

Thanks,
Jester
0
 
LVL 25

Accepted Solution

by:
Rouchie earned 1500 total points
ID: 17016081
You have 6 opening IF statements, and only 4 closing END IF statements, meaning that 2 checks are not being performed correctly.  I have attempted to rewrite your code and closed these off.  I have also debugged the code so it outputs on the screen what's going on.  The page redirects have been commented out so you can see what's going on.  Try the code now and tell me if a user is found, if it is, then remove the comments on the redirect and see what happens.

MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
      response.write("<hr>" & "MM_LoginAction = " & MM_LoginAction)
      MM_valUsername=CStr(Request.Form("username"))
      If MM_valUsername <> "" Then
            MM_fldUserAuthorization="PositionCode"
            MM_redirectLoginSuccess="reglogin.asp"
            MM_redirectLoginFailed="login_failed.asp"
            MM_flag="ADODB.Recordset"
            set MM_rsUser = Server.CreateObject(MM_flag)
            MM_rsUser.ActiveConnection = MM_Main_DB_STRING
            MM_rsUser.Source = "SELECT Username, password, SREP_CODE, OfficeLocation"
            If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
                  MM_rsUser.Source = MM_rsUser.Source & " FROM Fullemployees WHERE Username='" & Replace(MM_valUsername,"'","''") &"' AND password='" & Replace(Request.Form("pwd"),"'","''") & "'"
                  response.write("<hr>" & "SQL Command = " & MM_rsUser.Source)
                  MM_rsUser.CursorType = 0
                  MM_rsUser.CursorLocation = 2
                  MM_rsUser.LockType = 3
                  MM_rsUser.Open
                  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
                        response.write("<hr>" & "A user has been found in the database")
                        ' username and password match - this is a valid user
                        Session("MM_Username") = MM_valUsername
                        Session("MM_SREP_CODE") = (MM_rsUser.Fields.Item("SREP_CODE").Value)
                        Session("MM_STORE") = (MM_rsUser.Fields.Item("OfficeLocation").Value)
                        If (MM_fldUserAuthorization <> "") Then
                              Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
                        Else
                              Session("MM_UserAuthorization") = ""
                        End If
                        if CStr(Request.QueryString("accessdenied")) <> "" And true Then
                              response.write("<hr>" & "Request.QueryString(""accessdenied"") = " & Request.QueryString("accessdenied"))
                               MM_redirectLoginSuccess = Request.QueryString("accessdenied")
                        End If
                  End If ' ADDED
                  MM_rsUser.Close
                   'Response.Redirect(MM_redirectLoginSuccess)
            End If
      End If
      MM_rsUser.Close
       ' Response.Redirect(MM_redirectLoginFailed)
End If
0
