Password protection with Classic ASP

Hi Experts,
I need to password protect some pages, but I don't want users to type in the User Name and Password.
Instead, I capture their logon details (Emp_Id). If the Emp_Id corresponds to AgentBidLogin, they should be able to view the protected page. The problem is that users are directed to the login page only if their employee numbers (AgentBidLogin) are stored in the Administration table. If they are not added to the admin list, it lets them view the protected page without being directed to the login page. I'm not sure what the problem is with my code. I would appreciate your help. Please see the attached code of the protected page and the code of the login page.
<%
Validated = "OK"
if Request.Cookies("ValidUser") <> Validated then
    'Construct the URL for the current page.
    dim s
    s = "http://"
    s = s & Request.ServerVariables("HTTP_HOST")
    s = s & Request.ServerVariables("URL")
    if Request.QueryString.Count > 0 THEN
        s = s & "?" & Request.QueryString
    end if
    'Redirect unauthorized users to the logon page.
    Response.Redirect "login.asp?from=" & Server.URLEncode(s)
End if
%>

<html>
<head>
<title>My Protected Page</title>
</head>
<body>
<p align="center">This is my secret information</p>
</body>
</html>


Login page:
<!-- #include virtual="/SOC/AgentBid/includes/Authentication.asp" -->
<%
set rs = Server.CreateObject("ADODB.recordset")
If not EOF or NOT BOF Then UserID = Emp_Id
rs.Open "exec GetAgentBidAdmin'" & UserID & "'", conn
do until rs.EOF
AgentBidLogin = rs("AgentBidLogin")
rs.MoveNext
loop
%>

<html>
<head>
<title>Logon Form</title>
<%
If Username<>Emp_Id Then Username=Emp_Id End If
If Password<>Emp_Id Then Password=Emp_Id End If

Validated = "OK"
if Strcomp(Request.Form("User"),Username,1)=0 AND Request.Form("password") = Password then
    'Set the validation cookie and redirect the user to the original page.
    Response.Cookies("ValidUser") = Validated
    'Check where the users are coming from within the application.
    If (Request.QueryString("from")<>"") then
        Response.Redirect Request.QueryString("from")
    else
        'If the first page that the user accessed is the Logon page,
        'direct them to the default page.
        Response.Redirect "MyPage.asp"
    End if
End if
%>
</head>
<body bgcolor="#FFFFFF">

<%=Username%>

<%If AgentBidLogin <> Emp_Id Then%>
You are not authorized to Login
<%Else%>

<FORM ACTION="<%Response.Write "Login.asp?"&Request.QueryString%>" method="post">
<h3>Logon Page for MyPage.asp</h3>
<INPUT TYPE="hidden" NAME="User" VALUE="<%=Emp_Id%>" />
<INPUT TYPE="hidden" NAME="password" VALUE="<%=Emp_Id%>" />
<INPUT TYPE="submit" VALUE="Logon" />
</FORM>

<%End If%>

</body>
</html>


romsom (IT Developer) asked:
Scott Fell (EE MVE, Developer & EE Moderator) commented:
Quickly, on the log in page

If not EOF or NOT BOF Then UserID = Emp_Id

should probably be

set rs = Server.CreateObject("ADODB.recordset")
rs.Open "exec GetAgentBidAdmin'" & UserID & "'", conn
If not rs.EOF or NOT rs.BOF Then
    UserID = Emp_Id
    do until rs.EOF
        AgentBidLogin = rs("AgentBidLogin")
        rs.MoveNext
    loop
end if


Big Monty (Senior Web Developer / CEO of ExchangeTree.org) commented:
this line of code:

if Strcomp(Request.Form("User"),Username,1)=0 AND Request.Form("password") = Password then



My guess is it's failing there. Where do the variables UserName and Password get set to do the check?
Scott Fell (EE MVE, Developer & EE Moderator) commented:
I think what I would do is, on the login, check to see if they are an admin. If they are, then set a session variable to something like user type.

On your login page:
session("UserLevel")=""
If username = user_name_look_up then
    if password = user_name_password then
        'we have a good user, set a log in cookie
        'next find their user level
        If username = admin_lookup_table then
            session("UserLevel")="Admin" ' or whatever you want
        end if
    end if
end if



Then create an include file that looks up the cookie for logged in status and where you need to test for session("UserLevel")
romsom (IT Developer, Author) commented:
<%=Emp_Id%> comes from Authentication.asp
It simply captures the logged in person's employee number.
This is why I populate the hidden username and password fields with it:

<INPUT TYPE="hidden" NAME="User" VALUE="<%=Emp_Id%>" />
<INPUT TYPE="hidden" NAME="password" VALUE="<%=Emp_Id%>" />

In a different table I'm adding the employee numbers of the users who are supposed to view the protected page. Those employee numbers come from the GetAgentBidAdmin stored procedure.

So, if the populated Emp_Id in the hidden field is not the same as AgentBidLogin then the user should not be able to view the protected page.
Scott Fell (EE MVE, Developer & EE Moderator) commented:
Some other notes about log in and look ups.  

I wouldn't trust data you can't control.  That means cookies.  If you are going to use cookies, think about encrypting them.  You can use a one way salted hash or AES. Both are available for Classic ASP.

Same with the querystring.  If you are using that to look anything up, make sure you are getting data you are expecting.
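Added example (not code from this thread, from either expert, or from the asker's application): one way to act on both points in the post above in Classic ASP. The gate on the protected page moves from the browser-controlled "ValidUser" cookie to a Session value, which is stored on the server and keyed by the session id IIS issues, so a visitor cannot set it to "OK" the way a cookie value can be edited; and the "from" query string value that the login page redirects to is accepted only when it is a site-relative path. Assumed names: the include file AuthCheck.asp, the default page path, and Session("UserLevel") holding "Admin" (the session variable Scott Fell suggested earlier; some login page is assumed to set it after the admin-table lookup succeeds).

```asp
<%
' AuthCheck.asp -- added example, not from the original thread.
' A protected page consists of:
'   <!-- #include file="AuthCheck.asp" -->
'   <% RequireAdmin %>
' and login.asp, after a successful lookup, redirects with:
'   Response.Redirect SafeReturnPath(Request.QueryString("from"))

Function IsAdminSession()
    ' Session values never leave the server; the browser only holds the session id.
    ' Assumption: login.asp stores "Admin" here after the admin-table lookup succeeds.
    IsAdminSession = (Session("UserLevel") = "Admin")
End Function

Function CurrentPath()
    ' Path and query string of the page being requested, without scheme or host,
    ' so the login page is handed a site-relative return target.
    Dim s
    s = Request.ServerVariables("URL")
    If Request.QueryString.Count > 0 Then
        s = s & "?" & Request.QueryString
    End If
    CurrentPath = s
End Function

Function SafeReturnPath(p)
    ' Accept the "from" value only if it stays inside this site; otherwise fall back.
    SafeReturnPath = "/SOC/AgentBid/MyPage.asp"   ' assumed default page; adjust to the real path
    If Left(p, 1) <> "/" Then Exit Function       ' must be site-relative ("http://..." is rejected)
    If Left(p, 2) = "//" Then Exit Function       ' a protocol-relative "//host/..." would leave the site
    If InStr(p, "\") > 0 Then Exit Function       ' some clients treat "\" like "/"
    If InStr(p, vbCr) > 0 Or InStr(p, vbLf) > 0 Then Exit Function   ' no line breaks in a Location header
    SafeReturnPath = p
End Function

Sub RequireAdmin()
    ' Called at the top of every protected page instead of the cookie test.
    If Not IsAdminSession() Then
        Response.Redirect "login.asp?from=" & Server.URLEncode(CurrentPath())
    End If
End Sub
%>
```

Response.Redirect ends the response, so nothing below RequireAdmin on a protected page is sent when the check fails. Clearing the level on logout is a single Session.Abandon call; with the cookie approach there was nothing on the server side to clear.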
Scott Fell (EE MVE, Developer & EE Moderator) commented:
This is not too bad, but should not really be done
<INPUT TYPE="hidden" NAME="User" VALUE="<%=Emp_Id%>" />

This should never be done
<INPUT TYPE="hidden" NAME="password" VALUE="<%=Emp_Id%>" />

Remember, hidden is not really hidden. I can then view source and look up the username and password. What if I get up and leave for my coffee and somebody sees this page still open with data? A curious mind views source and now they have login credentials.

What you are starting to see today is first you enter a username and no password.  If the username matches, then you enter a password on a new page.

But you don't want to send that data back to the browser.
romsom (IT Developer, Author) commented:
Actually the User Name and Password are not a secret. Employees know who are the ones who are supposed to view the protected page. Even if they know the User Name and Password, they are not able to view the protected page, if they are not logged in to the network as the privileged person.
Let's say the privileged person's Emp_Id is 123456.
That is also the Username and Password to see the protected page.
If you are logged in as e.g. 223344 that will not work when you click the Logon button.
You must be logged in to the system as 123456
romsom (IT Developer, Author) commented:
Even if they look up the source code they will see only their own employee numbers in these fields:
<INPUT TYPE="hidden" NAME="password" VALUE="223344" />
Big Monty (Senior Web Developer / CEO of ExchangeTree.org) commented:
getting back on track with the question, what does the stored procedure GetAgentBidAdmin return when the userID is NOT supposed to belong?
romsom (IT Developer, Author) commented:
It doesn't return anything if the logged in person is not listed in that table
Scott Fell (EE MVE, Developer & EE Moderator) commented:
>Even if they know the User Name and Password, they are not able to view the protected page, if they are not logged in to the network as the privileged person.

Are you using the Active Directory?
romsom (IT Developer, Author) commented:
It actually should be like this:
session("UserLevel")=""
If username = user_name_look_up then
    if password = user_name_password then
        'we have a good user, set a log in cookie
        'next find their user level
        If username = admin_lookup_table then
            session("UserLevel")="Admin" ' or whatever you want
        end if
    end if
end if
romsom (IT Developer, Author) commented:
Sorry, I pasted the wrong thing.
romsom (IT Developer, Author) commented:
<%
set rs = Server.CreateObject("ADODB.recordset")
rs.Open "exec GetAgentBidAdmin'" & UserID & "'", conn
do until rs.EOF
AgentBidLogin = rs("AgentBidLogin")
rs.MoveNext
loop
%>
romsom (IT Developer, Author) commented:
Yes Padas. They are already logged in to the intranet. This page cannot be accessed from outside.
Scott Fell (EE MVE, Developer & EE Moderator) commented:
OK, what about using Active Directory to do this? Then no login is required. When they view a page, AD knows the user info, and you can then look up the admin info behind the scenes.
Big Monty (Senior Web Developer / CEO of ExchangeTree.org) commented:
OK, this bit of code isn't correct; you just created the recordset, so there's no need to check if it's BOF or EOF:

<%
set rs = Server.CreateObject("ADODB.recordset")
If not EOF or NOT BOF Then UserID = Emp_Id
rs.Open "exec GetAgentBidAdmin'" & UserID & "'", conn
do until rs.EOF
AgentBidLogin = rs("AgentBidLogin")
rs.MoveNext
loop
%>



should be

<%
set rs = Server.CreateObject("ADODB.recordset")
rs.Open "exec GetAgentBidAdmin'" & UserID & "'", conn
If not EOF or NOT rs.BOF Then
      UserID = Emp_Id
       AgentBidLogin = rs("AgentBidLogin")
end if
%>



Since there's only one record to be returned (I'm assuming), you do not need to have a loop; just check BOF and EOF. Here, I'm assuming you want to set the UserID variable equal to Emp_Id; please correct me if I'm wrong.

Now for the rest of the code, it should look something like:

If Username<>Emp_Id Then Username=Emp_Id End If
If Password<>Emp_Id Then Password=Emp_Id End If

Validated = "OK"
if Strcomp(Request.Form("User"),Username,1)=0 AND Request.Form("password") = Password then    '-- assuming this works, basic username and pw check
    if UserID = AgentBidLogin then     '-- see if they're admins
        'Set the validation cookie and redirect the user to the original page.
        Response.Cookies("ValidUser") = Validated
        'Check where the users are coming from within the application.
        If (Request.QueryString("from")<>"") then
            Response.Redirect Request.QueryString("from")
        else
            'If the first page that the user accessed is the Logon page,
            'direct them to the default page.
            Response.Redirect "MyPage.asp"
        End if
    end if
End if



I would put Response.Write's in each level of your IF statement and see if you get the proper values; this'll make debugging easier.

I have to bow out for a bit, but I'll check back later and see how you're doing. good luck!
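Added example, not code from the thread or from either expert: a login.asp put together along the lines of Scott Fell's session-variable outline and Big Monty's single-record check above. The form with hidden User/password fields is dropped entirely, because the decision depends only on who is logged in to the intranet and whether that employee number is on the admin list, and both of those are known on the server. Assumptions: Authentication.asp sets Emp_Id as described in the question; conn is an open ADODB.Connection; GetAgentBidAdmin is the thread's stored procedure, taking one input parameter (its name, @UserID here, is a guess; ADO binds appended parameters by position) and returning a row with AgentBidLogin only for listed employees; Session("UserLevel") is the session variable from Scott Fell's post.

```asp
<!-- #include virtual="/SOC/AgentBid/includes/Authentication.asp" -->
<%
' login.asp -- added example, not from the original thread.
' Authentication.asp (as in the question) is assumed to set Emp_Id to the employee number
' of the person logged in to the intranet, and conn to be an open ADODB.Connection.

Function IsAgentBidAdmin(empId)
    ' Calls GetAgentBidAdmin with a bound parameter instead of splicing the id into
    ' an "exec ... '" & UserID & "'" string, and treats an empty result as "not an admin".
    Dim cmd, rs
    IsAgentBidAdmin = False
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "GetAgentBidAdmin"
    cmd.CommandType = 4                                   ' adCmdStoredProc
    ' Parameter name is assumed; the procedure's real parameter name is not in the thread.
    cmd.Parameters.Append cmd.CreateParameter("@UserID", 200, 1, 20, CStr(empId))   ' adVarChar, adParamInput
    Set rs = cmd.Execute
    ' Reading rs("AgentBidLogin") on an empty recordset raises the
    ' "Either BOF or EOF is True" error mentioned later in the thread, so test EOF first.
    If Not rs.EOF Then
        IsAgentBidAdmin = (CStr(rs("AgentBidLogin").Value & "") = CStr(empId))
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

Dim returnPath
Session("UserLevel") = ""                                 ' reset first so a stale level never survives
If IsAgentBidAdmin(Emp_Id) Then
    Session("UserLevel") = "Admin"                        ' server-side; the browser only holds the session id
    returnPath = Request.QueryString("from")
    ' Go back only to a site-relative path; anything else lands on the default page.
    If Left(returnPath, 1) = "/" And Left(returnPath, 2) <> "//" Then
        Response.Redirect returnPath
    Else
        Response.Redirect "MyPage.asp"
    End If
End If
%>
<html>
<head><title>Logon Page</title></head>
<body>
<p>Employee <%=Server.HTMLEncode(CStr(Emp_Id))%> is not authorized to view this page.</p>
</body>
</html>
```

Protected pages then test Session("UserLevel") rather than the ValidUser cookie. Because nothing is posted from the browser, the Username/Password comparison from the original page disappears along with the hidden fields, and the only input the page still reads, the "from" value, is checked before it is used.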
Big Monty (Senior Web Developer / CEO of ExchangeTree.org) commented:
Seeing how the user permissions are stored in the database, unless the user schema matches that of the AD user schema, using AD doesn't make much sense. I would stick with what you have got now, I believe you're close to getting what you need working.
romsom (IT Developer, Author) commented:
It gives me an error on line 8:

Either BOF or EOF is True, or the current record has been deleted.
Big Monty (Senior Web Developer / CEO of ExchangeTree.org) commented:
Change this line:

If not EOF or NOT rs.BOF Then

to:

If not rs.EOF or NOT rs.BOF Then

OK, now I'm out!
romsom (IT Developer, Author) commented:
Thanks Monty, it worked. Now I'm exploring the rest.
Scott Fell (EE MVE, Developer & EE Moderator) commented:
>If not rs.EOF or NOT rs.BOF Then

Yes, that is what I mentioned in my first post.
romsom (IT Developer, Author) commented:
Thank you very much, this worked.
It's great that you noticed that I didn't need the loop.
Yes, only one record is supposed to be returned.
I used that code in many other pages, now I have to correct them all.

Thank you both for always being there for me.
romsom (IT Developer, Author) commented:
Thank you again!