Solved

User Authentication Restricts everything

Posted on 2006-06-28
Last Modified: 2010-04-25
Hello everyone,
I have a simple login page that queries an Access database for username and password and access level. We have been using this login system for two years and it has been working like a champ. We have numerous pages that are using the authentication to restrict some users from having access to certain areas that only key members should have access to. They all work just fine. Today I went to create a new form and supply basic authentication to the form, and when I load the page it blocks the page for everyone and redirects to the login page. So I took another page that already had authentication (that works fine) and cut and pasted the authentication to the new page instead of using the wizard, and I get the exact same thing. Can someone look at the code and tell me what I am doing wrong?

Jester

I did add a couple session variables to the login some time ago
::::::::::::::: Login Page - Login Piece :::::::::::::::::::

<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
MM_valUsername=CStr(Request.Form("username"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization="PositionCode"
  MM_redirectLoginSuccess="reglogin.asp"
  MM_redirectLoginFailed="login_failed.asp"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_Main_DB_STRING
  MM_rsUser.Source = "SELECT Username, password, SREP_CODE, OfficeLocation"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  MM_rsUser.Source = MM_rsUser.Source & " FROM Fullemployees WHERE Username='" & Replace(MM_valUsername,"'","''") &"' AND password='" & Replace(Request.Form("pwd"),"'","''") & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    Session("MM_SREP_CODE") = (MM_rsUser.Fields.Item("SREP_CODE").Value)
    Session("MM_STORE") = (MM_rsUser.Fields.Item("OfficeLocation").Value)
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And true Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>


:::::::::::::::: Form Page  - Restriction piece :::::::::::::::::::::
<%
' *** Restrict Access To Page: Grant or deny access to this page
MM_authorizedUsers="1,2,3,4,5,6,7,8"
MM_authFailedURL="../login2.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
  If (false Or CStr(Session("MM_UserAuthorization"))="") Or _
         (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
If Not MM_grantAccess Then
  MM_qsChar = "?"
  If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
  MM_referrer = Request.ServerVariables("URL")
  if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
  MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
  Response.Redirect(MM_authFailedURL)
End If
%>

Question by:awinstead

4 Comments

Expert Comment

by:Rouchie
The code seems okay, however, DW's attempts at writing this stuff are pretty hard to read.  Double check that on your form page, the username and password fields are NAMEd as "username" & "pwd".

Also check that browser/firewall etc are not blocking cookies.

Author Comment

by:awinstead
I checked the login page and the names are labeled "username" and "pwd". The funny thing is if I create a blank page and use the Authentication I get the same problem. There are numerous pages that were created some time ago and they all work just fine. It's just the new pages. I also tried copying and pasting from one of the old pages that work and that one fails too. I am completely baffled on this one. Please help, I am under a tight deadline.

Thanks,
Jester

Accepted Solution

by: Rouchie earned 500 total points
You have 6 opening IF statements, and only 4 closing END IF statements, meaning that 2 checks are not being performed correctly.  I have attempted to rewrite your code and closed these off.  I have also debugged the code so it outputs on the screen what's going on.  The page redirects have been commented out so you can see what's going on.  Try the code now and tell me if a user is found, if it is, then remove the comments on the redirect and see what happens.

MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
      response.write("<hr>" & "MM_LoginAction = " & MM_LoginAction)
      MM_valUsername=CStr(Request.Form("username"))
      If MM_valUsername <> "" Then
            MM_fldUserAuthorization="PositionCode"
            MM_redirectLoginSuccess="reglogin.asp"
            MM_redirectLoginFailed="login_failed.asp"
            MM_flag="ADODB.Recordset"
            set MM_rsUser = Server.CreateObject(MM_flag)
            MM_rsUser.ActiveConnection = MM_Main_DB_STRING
            MM_rsUser.Source = "SELECT Username, password, SREP_CODE, OfficeLocation"
            If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
                  MM_rsUser.Source = MM_rsUser.Source & " FROM Fullemployees WHERE Username='" & Replace(MM_valUsername,"'","''") &"' AND password='" & Replace(Request.Form("pwd"),"'","''") & "'"
                  response.write("<hr>" & "SQL Command = " & MM_rsUser.Source)
                  MM_rsUser.CursorType = 0
                  MM_rsUser.CursorLocation = 2
                  MM_rsUser.LockType = 3
                  MM_rsUser.Open
                  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
                        response.write("<hr>" & "A user has been found in the database")
                        ' username and password match - this is a valid user
                        Session("MM_Username") = MM_valUsername
                        Session("MM_SREP_CODE") = (MM_rsUser.Fields.Item("SREP_CODE").Value)
                        Session("MM_STORE") = (MM_rsUser.Fields.Item("OfficeLocation").Value)
                        If (MM_fldUserAuthorization <> "") Then
                              Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
                        Else
                              Session("MM_UserAuthorization") = ""
                        End If
                        if CStr(Request.QueryString("accessdenied")) <> "" And true Then
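                              ' inner quotes doubled so the string literal parses; the echoed value is HTML-encoded
                              response.write("<hr>" & "Request.QueryString(""accessdenied"") = " & Server.HTMLEncode(Request.QueryString("accessdenied")))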
                               MM_redirectLoginSuccess = Request.QueryString("accessdenied")
                        End If
                  End If ' ADDED
                  MM_rsUser.Close
                   'Response.Redirect(MM_redirectLoginSuccess)
            End If
      End If
      MM_rsUser.Close
       ' Response.Redirect(MM_redirectLoginFailed)
End If
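
The restriction piece in the question decides access with InStr, which is a substring test, and redirects without showing why access failed. The following is an added example, not part of the original thread or Dreamweaver's generated code: the same check done as an exact match on each level, with a temporary diagnostic branch in place of the redirect. IsLevelAuthorized and DEBUG_AUTH are hypothetical names, and denying an empty level is an assumption that differs from the posted code.

```vbscript
<%
' Added example, not code from the thread or from Dreamweaver.
' IsLevelAuthorized and DEBUG_AUTH are hypothetical names.
Const DEBUG_AUTH = True   ' set to False once the cause is found

' Exact-match test of one access level against a comma-separated list.
' InStr is a substring test: InStr(1, "10,11", "1") returns 1, so with
' those constructed values level "1" would pass a "10,11" restriction.
Function IsLevelAuthorized(allowedCsv, userLevel)
  Dim levels, i, wanted
  IsLevelAuthorized = False
  wanted = Trim(userLevel & "")          ' Null/Empty become ""
  If wanted = "" Then Exit Function      ' assumption: no level means no access
  levels = Split(allowedCsv, ",")
  For i = 0 To UBound(levels)
    If Trim(levels(i)) = wanted Then
      IsLevelAuthorized = True
      Exit Function
    End If
  Next
End Function

Dim MM_authorizedUsers, MM_authFailedURL, MM_grantAccess
MM_authorizedUsers = "1,2,3,4,5,6,7,8"
MM_authFailedURL = "../login2.asp"
MM_grantAccess = False
If Session("MM_Username") & "" <> "" Then
  MM_grantAccess = IsLevelAuthorized(MM_authorizedUsers, Session("MM_UserAuthorization"))
End If

If Not MM_grantAccess Then
  If DEBUG_AUTH Then
    ' Show what the check saw; values are HTML-encoded before output.
    Response.Write "<hr>SessionID = " & Session.SessionID
    Response.Write "<hr>MM_Username = [" & Server.HTMLEncode(Session("MM_Username") & "") & "]"
    Response.Write "<hr>MM_UserAuthorization = [" & Server.HTMLEncode(Session("MM_UserAuthorization") & "") & "]"
    Response.End
  Else
    Response.Redirect MM_authFailedURL & "?accessdenied=" & Server.URLEncode(Request.ServerVariables("URL"))
  End If
End If
%>
```

An empty MM_Username in the diagnostic output means the page is not seeing the session that the login page populated; a non-empty one with an unexpected MM_UserAuthorization points at the level comparison instead.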