rabbits2 asked:

ASP Session ID for security - problem with session ID being reset OnChange event

I am trying to work out how to use session IDs for security purposes.  I have a login page which is then checked and if the user and password are correct a session ID is set.  I then have an include page at the top of all secure pages to check if this session ID is set to authenticated and if not the user is redirected back to the login page with a message.
I am having trouble with a page in which I have a search feature - a form with a select box.  It seems that when the user changes the search criteria and an OnChange feature on the select box submits the new criteria to the same page, the session ID is being reset and therefore the session ID is no longer authenticated.

The code for the search form is as follows:
<form action="auction_home.asp" method="POST" name="form5" class="form">
  <table align="center">
    <tr>
      <td valign="top" class="text_2" style="height:14 ">Select a Make:</td>
    </tr>
    <tr>
      <td valign="top" style="height:30 ">
        <select name="carmakeauction" class="form" onChange="document.form5.submit()">
          <%
          ' The posted value is echoed back into the page, so HTML-encode it:
          ' written raw, a crafted POST could inject markup into the option.
          If Request.Form("carmakeauction") <> "" Then %>
          <option value="<%= Server.HTMLEncode(Request.Form("carmakeauction")) %>"><%= Server.HTMLEncode(Request.Form("carmakeauction")) %></option>
          <% Else %>
          <option value="Please Select...">Please Select...</option>
          <% End If
          ' ("" & x) turns a Null column into an empty string before encoding.
          While Not objrs_auctioncarmake.EOF %>
          <option value="<%= Server.HTMLEncode("" & objrs_auctioncarmake("car_make")) %>"><%= Server.HTMLEncode("" & objrs_auctioncarmake("car_make")) %></option>
          <% objrs_auctioncarmake.MoveNext
          Wend %>
        </select>
      </td>
    </tr>
  </table>
</form>

I will also provide you with the include page I have - normally I would have this:
<%
If (not session("authenticated")=True) Then
    ' Server.URLEncode, not HTMLEncode: the message is going into a query string.
    strURL = "login.asp?type=42&msg=" & Server.URLEncode("You have logged off or have not yet logged in, you must login to access your account pages")
    Response.Write "<script>window.opener.location.href = '" & strURL & "'; window.close();</script>"
    ' Stop here: without this the rest of the protected page is still rendered
    ' and sent to the browser, the client-side script only hides it afterwards.
    Response.End
End If
%>

But for troubleshooting purposes I have been advised to try this in the include:
<%
If (not session("authenticated")=True) Then
    ' Server.URLEncode, not HTMLEncode: the message is going into a query string.
    strURL = "login.asp?type=42&msg=" & Server.URLEncode("You have logged off or have not yet logged in, you must login to access your account pages")
    Response.Write "<script>window.opener.location.href = '" & strURL & "'; window.close();</script>"
    ' Stop here: without this the rest of the protected page is still rendered
    ' and sent to the browser, the client-side script only hides it afterwards.
    Response.End
End If
%>


Any ideas on how to solve this much appreciated, thanks.
Hypnochu:

You might try setting it like
Session("Authenticated") = "True"
instead of (assuming this is what you're doing)
Session("Authenticated") = True

and then
If (not session("authenticated")="True") Then
etc.

You may find this is a bit more reliable
Hello,

Two questions:
- can you show me the code you use to initialize the Session("Authenticated") variable when the user logs in?
- Does the auction_home.asp page do something special? Does it have the include file also for checking the login?

rabbits2 (asker):

The code to initialize the Session("Authenticated") variable is as follows:

<!-- #include file="inc/DeclareInc.asp"-->
<%
Dim user
Dim pass
user=Request.Form("txtusername")
pass=Request.Form("txt_password")
' Note: the submitted username and password are concatenated straight into the
' SQL text (no parameters), and the password is compared exactly as stored.
SQLQuery = "SELECT * FROM tbl_members WHERE username='"& user & "' AND password='" & pass & "'"
set objRS=objconn.execute(SQLQuery)
If Not objRS.EOF Then
    session("authenticated")="True"      ' stored as the string "True", not the Boolean
    session("accno") = objRS("account_number")
    response.redirect("myaccount2.asp?user=" & user)
else
    session("authenticated") = ""
    session("accno") = ""
    response.redirect("loginunsuccessful.asp")
end if
'Response.Write session("authenticated")
%>

And yes the auction_home.asp page does have the include file in it.  As for something special, not sure what you mean...
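The login page above, rewritten as an added example (not the thread's own code, and not what either expert posted) so that the credentials are bound as query parameters instead of being spliced into the SQL string, and so that the session flag is stored as a Boolean. It assumes inc/DeclareInc.asp opens an ADODB.Connection object named objconn and that tbl_members has the username, password and account_number columns the posted query uses; page names are the thread's, everything else is illustrative.

```vbscript
<%@ LANGUAGE="VBSCRIPT" CODEPAGE="65001" %>
<% Option Explicit %>
<!-- #include file="inc/DeclareInc.asp" -->
<%
' login_check.asp  (added example; not the code posted in this thread)
' Assumption: objconn is an open ADODB.Connection declared in DeclareInc.asp.

Dim user, pass, cmd, rs

user = Trim(Request.Form("txtusername"))
pass = Request.Form("txt_password")

' Refuse empty credentials before touching the database.
If Len(user) = 0 Or Len(pass) = 0 Then
    Response.Redirect "loginunsuccessful.asp"
    Response.End
End If

' Parameterised query: the submitted values are bound as parameters, never
' spliced into the SQL text, so a username such as  ' OR '1'='1  is just a
' username that matches nothing.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = objconn
cmd.CommandType = 1                               ' adCmdText
cmd.CommandText = "SELECT account_number FROM tbl_members " & _
                  "WHERE username = ? AND password = ?"
' CreateParameter(Name, Type, Direction, Size, Value); 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 50, user)
cmd.Parameters.Append cmd.CreateParameter("password", 200, 1, 255, pass)
Set rs = cmd.Execute

If Not rs.EOF Then
    ' Store the Boolean True, not the string "True": the include can then
    ' test the type and value with no string-versus-Boolean ambiguity.
    Session("authenticated") = True
    Session("accno") = rs("account_number").Value
    rs.Close
    ' The username no longer needs to travel in the URL; the account number
    ' is already in the session.
    Response.Redirect "myaccount2.asp"
Else
    Session("authenticated") = False
    Session("accno") = ""
    rs.Close
    Response.Redirect "loginunsuccessful.asp"
End If
Response.End
%>
```

The posted query compares the password column as stored, and this example keeps that because the page does not show the schema; the usual next change is to store a salted hash and compare it in code after fetching the row. Classic ASP issues the ASPSESSIONID cookie when the browser session starts and script cannot regenerate it at login, so the logout page should call Session.Abandon to invalidate the server-side state.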
1. It is better to go back to your old way of using the Session("authenticated") variable
by using

Session("authenticated") = True

and test it via
if Not (Session("authenticated") = True) Then
instead of
If (not session("authenticated")=True) Then

2. by "doing something special", I meant playing with Session variables...
Does auction_home.asp have this code included in it anywhere:
<%
Dim user
Dim pass
user=Request.Form("txtusername")
pass=Request.Form("txt_password")
SQLQuery = "SELECT * FROM tbl_members WHERE username='"& Request.Form("txtusername") & "' AND password='" & Request.Form("txt_password") & "'"
set objRS=objconn.execute(SQLQuery)
dim authenticated
If Not objRS.EOF Then
   
     session("authenticated")="True"
    session("accno") = objRS("account_number")
     response.redirect("myaccount2.asp?user=" & user & "")
else
    session("authenticated") = ""
    session("accno") = ""
    response.redirect("loginunsuccessful.asp")
end if
'Response.Write session("authenticated")

%>
?
No - this is used to check the user's login details and if they are correct then the session("authenticated") is set to "True".  The auction_home.asp page simply includes the include file which normally contains the code:

normally I would have this:
<%
If (not session("authenticated")=True) Then
    ' Server.URLEncode, not HTMLEncode: the message is going into a query string.
    strURL = "login.asp?type=42&msg=" & Server.URLEncode("You have logged off or have not yet logged in, you must login to access your account pages")
    Response.Write "<script>window.opener.location.href = '" & strURL & "'; window.close();</script>"
    ' Stop here: without this the rest of the protected page is still rendered
    ' and sent to the browser, the client-side script only hides it afterwards.
    Response.End
End If
%>


but for troubleshooting I am using:

<%
If IsNull(Session("authenticated")) Then
    Response.Write "Session Authenticated Set to Null" & "<br><br>" & vbCrLf
Else
    If Session("authenticated") = "" Then
        Response.Write "Session Authentication is empty string" & "<br><br>" & vbCrLf
    Else
        Response.Write "Session Authentication = " & CStr(Session("authenticated")) & "<br><br>" & vbCrLf
    End If
End If
%>
You can improve your troubleshooting with those changes

For your info, a Session variable which is not initialized is not null, it is just "empty"... the way to test it is
if  Len(Session("authenticated")) >  0

<%
If IsNull(Session("authenticated")) Then ' --> as a user cannot initialize your variable to the null value, this should never happen
    Response.Write "Session Authenticated Set to Null" & "<br><br>" & vbCrLf
Else
    If Session("authenticated") = "" Then ' --> here you have an error in your analysis... if the session variable is = to "" then it is either empty or it has never been initialized, so change it with my previous test code at the start of this post
        Response.Write "Session Authentication is empty string" & "<br><br>" & vbCrLf
    Else
        Response.Write "Session Authentication = " & CStr(Session("authenticated")) & "<br><br>" & vbCrLf
    End If
End If
%>
SOLUTION by Hypnochu (available to members only)
Ok sorry to keep on but I have not solved this problem yet, I am confused because I am getting mixed messages, on my 'myaccount2.asp' page I am including the include file which checks the state of session("authenticated") and response.writes a message accordingly as you have shown me above.  I also have on this page a Response.Write session("authenticated"), the two response.write messages are giving me conflicting answers - please explain.  The code for each is below:

Login Check Page:
---------------------------------------------------------------------------------------------
<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<!-- #include file="inc/DeclareInc.asp"-->
<%
Dim user
Dim pass
user=Request.Form("txtusername")
pass=Request.Form("txt_password")
' Note: the submitted username and password are concatenated straight into the
' SQL text (no parameters), and the password is compared exactly as stored.
SQLQuery = "SELECT * FROM tbl_members WHERE username='"& user & "' AND password='" & pass & "'"
set objRS=objconn.execute(SQLQuery)
If Not objRS.EOF Then
    session("authenticated")=True        ' Boolean on success...
    session("accno") = objRS("account_number")
    response.redirect("myaccount2.asp?user=" & user)
else
    session("authenticated") = "False"   ' ...but the string "False" on failure
    session("accno") = "0"
    response.redirect("loginunsuccessful.asp")
end if
%>

Include Page:
---------------------------------------------------------------------------------------------
<%
If IsNull(Session("authenticated")) Then
    Response.Write "Session Authenticated Set to Null" & "<br><br>" & vbCrLf
Else
    ' Len(...) > 0 is true when the variable HAS a value, so the two messages
    ' below are swapped: a flag of True takes the "is empty string" branch.
    If Len(Session("authenticated")) > 0 Then
        Response.Write "Session Authentication is empty string" & "<br><br>" & vbCrLf
    Else
        Response.Write "Session Authentication = " & CStr(Session("authenticated")) & "<br><br>" & vbCrLf
    End If
End If
%>

MyAccount2.asp Page:
---------------------------------------------------------------------------------------------
<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<!-- #include file="inc/DeclareInc.asp"-->
<!-- #include file="inc/session_login3.asp"-->

<%
Response.Write "is the session set:"
Response.Write session("authenticated")
..............
%>

The response.write I am getting on the MyAccount2.asp page is:
----------------------------------------------------------------------------------------------
Session Authentication is empty string
is the session set:True

Thanks for your help with this one.
Hello

you have an error in your check-login page

If Not objRS.EOF Then  
     session("authenticated")=True
    session("accno") = objRS("account_number")
     response.redirect("myaccount2.asp?user=" & user & "")
else
 --->   session("authenticated") = "False"
    session("accno") = "0"
    response.redirect("loginunsuccessful.asp")
end if

it should be session("authenticated") = False
ASKER CERTIFIED SOLUTION (available to members only)
Ok that sorts out the confusion - thanks for your help with this.  I am closing this question but opening another which leads on from this if you wouldn't mind helping out some more with further confusion on session variables authenticating user... the question will be titled 'confusion on session variables authenticating user'.

Thanks again for your help