• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 745
  • Last Modified:

Block access to website after failed log in

Hi there all

I  want to try and block access to the admin section of a website if the user enters an incorrect user name or password, say, three times.

As there is only going to be two or three users and because they are not very computer literate, there is likely to be only one user name and password for them all.

Because of this, I would like to know a: how lock that one particular user out for, say, 15 minutes and b: how to lock the admin site down until they contact me.

Here's the code that Dreamweaver uses on the log in page:

' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString <> "" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
MM_valUsername = CStr(Request.Form("UserName"))
If MM_valUsername <> "" Then
  Dim MM_fldUserAuthorization
  Dim MM_redirectLoginSuccess
  Dim MM_redirectLoginFailed
  Dim MM_loginSQL
  Dim MM_rsUser
  Dim MM_rsUser_cmd
  MM_fldUserAuthorization = ""
  MM_redirectLoginSuccess = "select.asp"
  MM_redirectLoginFailed = "default.asp"

  MM_loginSQL = "SELECT UserName, UserPassword"
  If MM_fldUserAuthorization <> "" Then MM_loginSQL = MM_loginSQL & "," & MM_fldUserAuthorization
  MM_loginSQL = MM_loginSQL & " FROM Users WHERE UserName = ? AND UserPassword = ?"
  Set MM_rsUser_cmd = Server.CreateObject ("ADODB.Command")
  MM_rsUser_cmd.ActiveConnection = MM_MFM_STRING
  MM_rsUser_cmd.CommandText = MM_loginSQL
  MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param1", 200, 1, 255, MM_valUsername) ' adVarChar
  MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param2", 200, 1, 14, Request.Form("Password")) ' adVarChar
  MM_rsUser_cmd.Prepared = true
  Set MM_rsUser = MM_rsUser_cmd.Execute

  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then 
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And false Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
  End If
End If

Open in new window

Hope this makes sense.

Thanks in advance.

Martin Cotterill
Martin Cotterill
  • 2
  • 2
1 Solution
Steve BinkCommented:
The short answer: you can't.  The server identifies the users by the provided username and password.  If all users are using the same credentials, there is no way the server can tell the difference between them.

The longer answer: I find a fair bit wrong here...

1) You're using classic ASP, which is limited at best.  Support for C-ASP is going by the wayside quickly.  It could be that in a couple years, you find yourself locked to platform with nowhere to go.

2) You're using Dreamweaver, which is just...horrible..  My objections to it are technical and aesthetic, though, not functional, so if that's what you have to use then so be it.  

3) You're using a single credential to secure the site.  This is actually the biggest roadblock in the way of what you want to do, and one of the most common violations of standard best practices.  Without individual user accounts, you have no way to track logins, user activity, change history, etc.  Without those auditing abilities, it is much more difficult to properly secure your site, and leaves you with virtually no way to track down who did what when it breaks.

4) On line 38, you are pulling a forwarding URL from the query string.  Why are you passing a forwarding URL in the query string?  Right now, I'm 6 months into the rewriting of an e-commerce site because the previous developer decided it would be grand to just pass everything through the query string.  Our company has been paying a monthly fine to the  compliance folks since I was hired, and there is no end to it in sight.  My boss actually tried to argue with me, until I demonstrated exactly how someone could abuse the application and our reputation.  Happily, line 38 should never run because of the forced false in line 37, but I would remove it all the same.  Don't leave tempting things lying about where they can tempt you.  (Like another happy function, rmrf(), I found in my own code base...)

At the minimum, to move forward, you need to establish a catalog of users, not just a single user account that everyone uses, and enforce the use of proper credentials.  The user table needs to be expanded to include fields for last login, number of failed login attempts, a boolean locked-out flag, the lock-out date/time, the remote address of the connection, etc.  

Because these mechanics get complicated quickly, I recommend using a solid OOP approach, which is clumsy and difficult in C-ASP under any circumstances.  For that reason, I recommend you begin migrating your application to a language that provides that sort of functionality, such as PHP, Python, or even .NET, if you're inclined to stick with Microsoft.  Yes, it is a lot of work, but the benefits you receive in return are HUGE, and it is something you will eventually have to do anyways.
Martin CotterillDabblerAuthor Commented:
Hi there.

Thanks for the reply.

I have to say, that I thought "no" would be the answer. Although this hasn't been asked for, I thought it would be good to know how to do such a thing, if for no other reason than personal education.

As you have taken the time to help me understand the mechanics behind what I asked, I'll explain a couple of the points raised in your answer.

I would prefer there be separate log in credentials for everybody, but that's not my call. I will, of course, point out the reasons why. Private data isn't held on the site as it's information only and they just wanted a basic CMS system so they could make changes to the info when they needed to. It's not a major site, in fact, according to the package with their previous hosting company, they had a 2Gb (yes 2) a month download limit and they never reached it.

The reason for ASP is because the original hosting was a windows system and the specs for the CMS site was to use a Microsoft Access database. Once the site was ready to go live, the hosting company was sold to a larger outfit and they moved the existing site on to a Linux box. About two months later, because they were having problems, they decided to move hosts. As the site was ready, they decided to stay with a windows configuration although the database platform changed from Access to MySQL.

Concerning my using Dreamweaver, I used to create sites by hand using a text editor, which was fine when it was just basic (x)HTML, CSS, JavaScript, etc but as I cannot program, I started to look at Dreamweaver as it was the de facto development software and you could use databases and so forth without the need to program. For many years, Dreamweaver 4 was on and off my computer so often it must have thought it was on a piece of elastic. There was a class in my area that was teaching web design using Dreamweaver, so I signed up. By this time version 7 was just out and within about 15 minutes, it was though I had been using Dreamweaver since v1.0 and I've been using it ever since. I do understand its limitations but then, I have several myself and as I don't do anything as technical or complicated as eCommerce, we seem to be a good fit.

I have may have another site to make which could well be done in PHP as this chap hosts his existing site on a Linux box and doesn't want to move hosts and, as you say, C-ASP is slowly being phased out in favour of .NET and as PHP and MySQL databases are being supported more and more on windows hosting, it seems the way for me to go.

Once again, thanks for taking the time to reply. It is really appreciated.


Martin CotterillDabblerAuthor Commented:
Didn't just say "you can't". Told my why and gave me insights in to possible paths to look at to implement what I wanted to do. Also outlined what would be needed to achieve it.

Steve BinkCommented:
>>> I have to say, that I thought "no" would be the answer.

That's just the short answer.  :)  The real answer is an involved rewrite of parts of your application.  

>>> would prefer there be separate log in credentials for everybody, but that's not my call.

Normally I agree with that sentiment, but I tend to fall in with contrary view in this specific example.  Yes, as a developer, my job is to give the customer what they want.  But sometimes, a customer doesn't know what to ask for, or understand why they should ask for it.  When I started with my current gig, they were using case-insensitive passwords for their e-commerce site's user accounts.  I changed it the first week I was there.  The boss had a fit, but I explained why, and made her use it, and she adapted.  We are all better off for it.  So yes, we implement decisions, not make them...usually.  In some cases (mostly security-related), it is better if we take the reins.

Of course, I also enforce random email passwords, which causes no end of upset.  Take it for what it's worth.

>>> The reason for ASP is because the original hosting was a windows
>>> system and the specs for the CMS site was to use a Microsoft
>>> Access database.

Yeah, I remember those days.  I don't really mean to slam ASP so hard...it was my first exposure to web development, and I look back on it fondly.  Regardless, the technology has passed its day, is abandoned by its creator, and comes with some inherent problems.  Don't get me started on Access.  :)  In that kind of environment, I would make sure all new development is geared towards moving to a more solid platform.  My absolute first priority would be to migrate from Access to MySQL or MSSQL.

>>> Concerning my using Dreamweaver, [ ... ] we seem to be a good fit.

Again, that came out harsher than I intended.  No, wait...no it didn't.  I hate Dreamweaver.  And FrontPage.  And Web Expressions....all their ilk and kin.  As far as you not being a programmer, what exactly do you think you're doing in Dreamweaver?  True, it doesn't *feel* like it, but that's just because Dreamweaver is a poor, horrible excuse for a development platform.  I think if you were to take a few moments and just skim a PHP tutorial, you'd find it's just a step to the left of where you are now, with a much better view.  If everyone would just stop letting Dreamweaver and the like convince them they are idiots...  <pious, disapproving head shake>

>>> C-ASP is slowly being phased out in favour of .NET

Not even so slowly, at that.  IIS7 does not come with the ability to run C-ASP by default.  In fact, it's a bit of a mission to make it run right, IMO.  PHP and MySQL are fully supported on Windows now (as is Apache...just sayin...), though I definitely prefer a Linux environment myself.  I always recommend PHP because its learning curve is as small as what you see in C-ASP; it is ridiculously easy to get started with PHP development.  I've been working with Python a bit now, but that has a steeper learning curve and a stronger push towards OOP approaches, so I don't recommend it as a "first step".  IME, the curve of .NET is hideously huge, and all you get for it is larger, bloated applications that run more slowly than other languages.

Good luck!

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now