rabbits2 asked on

ASP Session ID for security - problem with session ID being reset OnChange event

I am trying to work out how to use session IDs for security purposes. I have a login page which is then checked and if the user and password are correct a session ID is set. I then have an include page at the top of all secure pages to check if this session ID is set to authenticated and if not the user is redirected back to the login page with a message.
I am having trouble with a page in which I have a search feature - a form with a select box. It seems that when the user changes the search criteria and an OnChange feature on the select box submits the new criteria to the same page, the session ID is being reset and therefore the session ID is no longer authenticated.

The code for the search form is as follows:
<form action="auction_home.asp" method="POST" name="form5" class="form">
  <table align="center">
    <tr>
      <td valign="top" class="text_2" style="height:14 ">Select a Make:</td>
    </tr>
    <tr>
      <td valign="top" style="height:30 ">
        <select name="carmakeauction" class="form" onChange="document.form5.submit()">
          <% if request.form("carmakeauction") <> "" then %>
          <%' the submitted value is echoed straight back into the page, so it is HTML-encoded
            ' to stop a crafted value from injecting markup or script %>
          <option value="<%=Server.HTMLEncode(request.form("carmakeauction"))%>"><%=Server.HTMLEncode(request.form("carmakeauction"))%></option>
          <% else %>
          <option value="Please Select...">Please Select...</option>
          <% end if %>
          <% while not objrs_auctioncarmake.eof %>
          <option value="<%=objrs_auctioncarmake("car_make")%>"><%=objrs_auctioncarmake("car_make")%></option>
          <% objrs_auctioncarmake.movenext
             wend %>
        </select>
      </td>
    </tr>
  </table>
</form>

I will also provide you with the include page I have - normally I would have this:
<%
If (not session("authenticated")=True) Then
    strURL = "login.asp?type=42&msg=" & Server.HTMLEncode("You have logged off or have not yet logged in, you must login to access your account pages")
    Response.Write "<script>window.opener.location.href = '" & strURL & "'; window.close();</script>"

End If
%>

But for troubleshooting purposes I have been advised to try this in the include:
<%
If (not session("authenticated")=True) Then
    strURL = "login.asp?type=42&msg=" & Server.HTMLEncode("You have logged off or have not yet logged in, you must login to access your account pages")
    Response.Write "<script>window.opener.location.href = '" & strURL & "'; window.close();</script>"

End If
%>


Any ideas on how to solve this much appreciated, thanks.
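As an added example (not the asker's code and not from any reply in this thread), here is a login handler and a protecting include written so that the two agree on the type of the session value and so that the include actually stops the page. It assumes what the thread's own code implies: inc/DeclareInc.asp leaves an open ADODB.Connection in objconn, tbl_members has username, password and account_number columns, and the form fields are txtusername and txt_password. The ADODB.Command usage is standard ADO rather than anything shown in the thread.

```asp
<!-- ===== inc/session_check.asp (included at the top of every protected page) ===== -->
<%
' Response.Redirect sends the 302 and ends the response, so the protected markup
' below the include is never sent. The thread's include only wrote a <script> tag
' and kept rendering, so a client that ignores scripts still received the whole page.
' VarType is checked first so that the string "True" (or Empty/Null) never passes.
If Not (VarType(Session("authenticated")) = vbBoolean And Session("authenticated") = True) Then
    Response.Redirect "login.asp?type=42&msg=" & Server.URLEncode("You have logged off or have not yet logged in, you must login to access your account pages")
End If
%>

<!-- ===== logincheck.asp (the page the login form posts to) ===== -->
<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<!-- #include file="inc/DeclareInc.asp"-->
<%
' Assumed: objconn is an open ADODB.Connection created by inc/DeclareInc.asp.
Dim user, pass, cmd, rs
user = Request.Form("txtusername")
pass = Request.Form("txt_password")

' Parameterised query: the submitted values travel as parameters, not as SQL text,
' so a quote or comment sequence typed into the login form cannot change the WHERE clause.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = objconn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "SELECT account_number FROM tbl_members WHERE username = ? AND password = ?"
cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 255, user) ' adVarChar, adParamInput
cmd.Parameters.Append cmd.CreateParameter("password", 200, 1, 255, pass)
Set rs = cmd.Execute

If Not rs.EOF Then
    ' Store the Boolean True: the include above compares against the Boolean,
    ' so storing the string "True" here would send every visitor back to login.asp.
    Session("authenticated") = True
    Session("accno") = rs("account_number").Value
    rs.Close
    ' Redirect ends the response; nothing after this line reaches the client.
    Response.Redirect "myaccount2.asp?user=" & Server.URLEncode(user)
Else
    Session("authenticated") = False
    Session("accno") = ""
    rs.Close
    Response.Redirect "loginunsuccessful.asp"
End If
%>
```

Do not include session_check.asp on login.asp itself, or an unauthenticated visitor is redirected in a loop. If the secure pages really are pop-up windows and the window.opener script is wanted, write the script as before and then call Response.End, otherwise the rest of the protected page is still sent after the script tag. The password is still compared as stored, exactly as in the thread's query; that is a separate topic from the session check.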
ASP

Last Comment: rabbits2, 8/22/2022 - Mon
Hypnochu

You might try setting it like
Session("Authenticated") = "True"
instead of (assuming this is what you're doing)
Session("Authenticated") = True

and then
If (not session("authenticated")="True")
etc

You may find this is a bit more reliable
ddelhez

Hello,

2 questions:
- can you show me the code you use to initialize the Session("Authenticated") variable when the user logs in ?
- Does the auction_home.asp page do something special ? Does it have the include file also for checking the login ?

rabbits2

ASKER
The code to initialize the Session("Authenticated") variable is as follows:

<!-- #include file="inc/DeclareInc.asp"-->
<%
Dim user
Dim pass
user=Request.Form("txtusername")
pass=Request.Form("txt_password")
' Note: building the SQL by string concatenation lets a quote in the submitted
' username or password alter the query (SQL injection); a parameterised
' ADODB.Command keeps the submitted values out of the SQL text.
SQLQuery = "SELECT * FROM tbl_members WHERE username='" & user & "' AND password='" & pass & "'"
set objRS=objconn.execute(SQLQuery)
dim authenticated
If Not objRS.EOF Then
    session("authenticated")="True"
    session("accno") = objRS("account_number")
    response.redirect("myaccount2.asp?user=" & user & "")
else
    session("authenticated") = ""
    session("accno") = ""
    response.redirect("loginunsuccessful.asp")
end if
'Response.Write session("authenticated")
%>

And yes the auction_home.asp page does have the include file in it.  As for something special, not sure what you mean...
ddelhez

1. It is better to come back to your old way of using the Session("authenticated") variable
by using

Session("authenticated") = True

and test it via
if Not (Session("authenticated") = True) Then
instead of
If (not session("authenticated")=True) Then

2. by "doing something special", I meant playing with Session variables...
Hypnochu

Does auction_home.asp have this code included in it anywhere:
<%
Dim user
Dim pass
user=Request.Form("txtusername")
pass=Request.Form("txt_password")
SQLQuery = "SELECT * FROM tbl_members WHERE username='"& Request.Form("txtusername") & "' AND password='" & Request.Form("txt_password") & "'"
set objRS=objconn.execute(SQLQuery)
dim authenticated
If Not objRS.EOF Then
   
     session("authenticated")="True"
    session("accno") = objRS("account_number")
     response.redirect("myaccount2.asp?user=" & user & "")
else
    session("authenticated") = ""
    session("accno") = ""
    response.redirect("loginunsuccessful.asp")
end if
'Response.Write session("authenticated")

%>
?
rabbits2

ASKER
No - this is used to check the user's login details and if they are correct then the session("authenticated") is set to "True".  The auction_home.asp page simply includes the include file which normally contains the code:

normally I would have this:
<%
If (not session("authenticated")=True) Then
    strURL = "login.asp?type=42&msg=" & Server.HTMLEncode("You have logged off or have not yet logged in, you must login to access your account pages")
    Response.Write "<script>window.opener.location.href = '" & strURL & "'; window.close();</script>"

End If
%>


but for troubleshooting I am using:

<%
    if isnull(session("authenticated")) then
        response.write "Session Authenticated Set to Null"+"<br><br>"+vbcrlf
    else
        if session("authenticated")="" then
            response.write "Session Authentication is empty string"+"<br><br>"+vbcrlf
        else
            response.write "Session Authentication = "+cstr(session("authenticated"))+"<br><br>"+vbcrlf
        end if
    end if
%>
ddelhez

You can improve your troubleshooting with those changes

For your info, a Session variable which is not initialized is not null, it is just "empty"... the way to test it is
if  Len(Session("authenticated")) >  0

<%
    if isnull(session("authenticated")) then ' --> as a user cannot initialize your variable to the null value, this should never happen
        response.write "Session Authenticated Set to Null"+"<br><br>"+vbcrlf
    else
        if session("authenticated")="" then ' --> here you have an error in your analysis... if the session variable is = to "" then it is either empty or it has never been initialized so, change it with my previous test code at the start of this post
            response.write "Session Authentication is empty string"+"<br><br>"+vbcrlf
        else
            response.write "Session Authentication = "+cstr(session("authenticated"))+"<br><br>"+vbcrlf
        end if
    end if
%>
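The reply above turns on the difference between Empty, Null and an empty string, which Len alone cannot separate. The following diagnostic include is an added example, not code from the thread or from either participant; it assumes only the Session("authenticated") name used throughout and standard VBScript functions (IsEmpty, IsNull, TypeName, Len) plus the Session.SessionID property of classic ASP.

```asp
<%
' inc/session_debug.asp (added example). Put it at the top of a page while
' troubleshooting and remove it afterwards. It tells apart the states the thread
' keeps confusing:
'   never assigned, or new session  -> Empty    TypeName "Empty"    Len 0
'   Session("x") = ""               -> String   TypeName "String"   Len 0
'   Session("x") = "True"           -> String   TypeName "String"   Len 4
'   Session("x") = True             -> Boolean  TypeName "Boolean"  Len 4  (Len uses CStr(True))
' So Len(...) > 0 is true for the Boolean True as well as for "True", and
' Len(...) = 0 cannot say whether the value is Empty or ""; IsEmpty and TypeName can.
Function DescribeSessionValue(v)
    If IsEmpty(v) Then
        DescribeSessionValue = "Empty (never assigned in this session)"
    ElseIf IsNull(v) Then
        DescribeSessionValue = "Null"
    Else
        DescribeSessionValue = "TypeName=" & TypeName(v) & ", Len=" & Len(v) & _
                               ", CStr=""" & CStr(v) & """"
    End If
End Function

' Session.SessionID answers the original question directly: if it changes between
' the first load and the OnChange resubmit, the browser did not send the session
' cookie back and the server really started a new session; if it stays the same,
' the session survived and the problem is in the stored value or the comparison.
Response.Write "SessionID = " & Session.SessionID & "<br>" & vbCrLf
Response.Write "Session(""authenticated"") is " & DescribeSessionValue(Session("authenticated")) & "<br>" & vbCrLf
%>
```

Compare the two printed lines across consecutive requests from the same browser; a constant SessionID with a changing TypeName points at the login page and the include disagreeing on the value's type, not at the session being reset.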
SOLUTION
Hypnochu

rabbits2

ASKER
Ok sorry to keep on but I have not solved this problem yet, I am confused because I am getting mixed messages, on my 'myaccount2.asp' page I am including the include file which checks the state of session("authenticated") and response.write a message accordingly as you have shown me above. I also have on this page a Response.write session("authenticated"), the two response.write messages are giving me conflicting answers - please explain. The code for each is below:

Login Check Page:
---------------------------------------------------------------------------------------------
<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<!-- #include file="inc/DeclareInc.asp"-->
<%
Dim user
Dim pass
user=Request.Form("txtusername")
pass=Request.Form("txt_password")
SQLQuery = "SELECT * FROM tbl_members WHERE username='"& Request.Form("txtusername") & "' AND password='" & Request.Form("txt_password") & "'"
set objRS=objconn.execute(SQLQuery)
dim authenticated
If Not objRS.EOF Then
    session("authenticated")=True
    session("accno") = objRS("account_number")
    response.redirect("myaccount2.asp?user=" & user & "")
else
    session("authenticated") = "False"
    session("accno") = "0"
    response.redirect("loginunsuccessful.asp")
end if
%>

Include Page:
---------------------------------------------------------------------------------------------
<%
    if isnull(session("authenticated")) then
        response.write "Session Authenticated Set to Null"+"<br><br>"+vbcrlf
    else
        if Len(session("authenticated")) > 0 then
            ' Len(True) is greater than 0, so this branch runs for an authenticated
            ' session and prints the "empty string" message; the two messages are swapped
            response.write "Session Authentication is empty string"+"<br><br>"+vbcrlf
        else
            response.write "Session Authentication = "+cstr(session("authenticated"))+"<br><br>"+vbcrlf
        end if
    end if
%>

MyAccount2.asp Page:
---------------------------------------------------------------------------------------------
<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<!-- #include file="inc/DeclareInc.asp"-->
<!-- #include file="inc/session_login3.asp"-->

<%
Response.Write "is the session set:"
Response.Write session("authenticated")
..............
%>

The response.write I am getting on the MyAccount2.asp page is:
----------------------------------------------------------------------------------------------
Session Authentication is empty string
is the session set:True

Thanks for your help with this one.
ddelhez

Hello

you have an error in your check login page

If Not objRS.EOF Then  
     session("authenticated")=True
    session("accno") = objRS("account_number")
     response.redirect("myaccount2.asp?user=" & user & "")
else
 --->   session("authenticated") = "False"
    session("accno") = "0"
    response.redirect("loginunsuccessful.asp")
end if

it should be session("authenticated") = False
ASKER CERTIFIED SOLUTION
rabbits2

ASKER
Ok that sorts out the confusion - thanks for your help with this. I am closing this question but opening another which leads on from this if you wouldn't mind helping out some more with further confusion on session variables authenticating user... the question will be titled 'confusion on session variables authenticating user'.

Thanks again for your help