Solved

Password protection with Classic ASP

Posted on 2014-08-12
554 Views
Last Modified: 2014-08-16
Hi Experts,
I need to password-protect some pages, but I don't want users to type in the User Name and Password.
Instead, I capture their Logon details (Emp_Id). If the Emp_Id corresponds to AgentBidLogin they should be able to view the protected page. The problem is that users are directed to the login page only if their employee numbers (AgentBidLogin) are stored in the Administration table. If they are not added to the admin list, it lets them view the protected page without being directed to the login page. I'm not sure what the problem is with my code. I would appreciate your help. Please see attached the code of the protected page and the code of the login page.
<%
Validated = "OK"
if Request.Cookies("ValidUser") <> Validated then
'Construct the URL for the current page.
    dim s
    s = "http://"
    s = s & Request.ServerVariables("HTTP_HOST")
    s = s & Request.ServerVariables("URL")
    if Request.QueryString.Count > 0 THEN
	s = s & "?" & Request.QueryString
    end if
    'Redirect unauthorized users to the logon page.
    Response.Redirect "login.asp?from=" &Server.URLEncode(s)
End if
%>

<html>
<head>
<title>My Protected Page</title>
</head>
<body>
<p align="center">This is my secret information</p>
</body>
</html>

Login page:
<!-- #include virtual="/SOC/AgentBid/includes/Authentication.asp" -->
<%
set rs = Server.CreateObject("ADODB.recordset")
If not EOF or NOT BOF Then UserID = Emp_Id
rs.Open "exec GetAgentBidAdmin'" & UserID & "'", conn
do until rs.EOF
AgentBidLogin = rs("AgentBidLogin")
rs.MoveNext
loop
%>

<html>
<head>
<title>Logon Form</title>
<%
If Username<>Emp_Id Then Username=Emp_Id End If
If Password<>Emp_Id Then Password=Emp_Id End If

Validated = "OK"
if Strcomp(Request.Form("User"),Username,1)=0 AND Request.Form("password") = Password then
'Set the validation cookie and redirect the user to the original page.
    Response.Cookies("ValidUser") = Validated
    'Check where the users are coming from within the application.
    If (Request.QueryString("from")<>"") then
	Response.Redirect Request.QueryString("from")
    else
	'If the first page that the user accessed is the Logon page,
        'direct them to the default page.
          Response.Redirect "MyPage.asp"
    End if

End if
%>
</head>
<body bgcolor="#FFFFFF">

<%=Username%>

<%If AgentBidLogin <> Emp_Id Then%>
You are not authorized to Login
<%Else%>

<FORM ACTION=<%Response.Write "Login.asp?"&Request.QueryString%> method="post">
<h3>Logon Page for MyPage.asp</h3>
<INPUT TYPE="hidden" NAME="User" VALUE="<%=Emp_Id%>" />
<INPUT TYPE="hidden" NAME="password" VALUE="<%=Emp_Id%>" />
<INPUT TYPE="submit" VALUE="Logon"></INPUT>
</FORM>

<%End If%>

</body>
</html>

Question by:romsom

24 Comments
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 40255968
Quickly, on the log in page

If not EOF or NOT BOF Then UserID = Emp_Id

should probably be

set rs = Server.CreateObject("ADODB.recordset")
rs.Open "exec GetAgentBidAdmin'" & UserID & "'", conn
' Test the recordset's own BOF/EOF (they belong to rs, not the page),
' and use the block form of If so the End If below has something to close.
If not rs.EOF or NOT rs.BOF Then
    UserID = Emp_Id
    do until rs.EOF
        AgentBidLogin = rs("AgentBidLogin")
        rs.MoveNext
    loop
end if

LVL 34

Expert Comment

by:Big Monty
ID: 40255971
this line of code:

if Strcomp(Request.Form("User"),Username,1)=0 AND Request.Form("password") = Password then

my guess is it's failing there. where do the variables UserName and Password get set to do the check?
LVL 54

Accepted Solution

by:
Scott Fell,  EE MVE earned 1000 total points
ID: 40256001
I think what I would do is on the log in, check to see if they are an admin.  If they are, then set a session variable to something like user type.  

On your log in page
session("UserLevel")=""
If username = user_name_look_up then
     if password = user_name_password then
         'we have a good user, set a log in cookie
          'next find their user level
                If username = admin_lookup_table then
                       session("UserLevel")="Admin" ' or whatever you want
                 end if
       end if
end if


Then create an include file that looks up the cookie for logged in status and where you need to test for session("UserLevel")

Author Comment

by:romsom
ID: 40256012
<%=Emp_Id%> comes from Authentication.asp
It simply captures the logged in person's employee number.
This is why I populate the hidden username and password fields with it:

<INPUT TYPE="hidden" NAME="User" VALUE="<%=Emp_Id%>" />
<INPUT TYPE="hidden" NAME="password" VALUE="<%=Emp_Id%>" />

In a different table I'm adding the employee numbers of the users who are supposed to view the protected page. Those employee numbers come from the GetAgentBidAdmin stored procedure.

So, if the populated Emp_Id in the hidden field is not the same as AgentBidLogin then the user should not be able to view the protected page.
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 40256013
Some other notes about log in and look ups.  

I wouldn't trust data you can't control.  That means cookies.  If you are going to use cookies, think about encrypting them.  You can use a one way salted hash or AES. Both are available for Classic ASP.

Same with the querystring.  If you are using that to look anything up, make sure you are getting data you are expecting.
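The two points in the comment above (a cookie the browser cannot simply set to "OK", and a "from" value that is checked before it is used) in Classic ASP, as an added example that is not code from the thread or from the asker's application. It assumes the .NET Framework is installed on the IIS host (the System.* objects are created through COM interop, which is how a hash or HMAC becomes available to Classic ASP) and that COOKIE_SECRET is replaced by a long random string kept out of source control; the cookie layout, the 8-hour lifetime and the helper names are this example's own choices.

```vbscript
<%
' Added example, not the asker's code. COOKIE_SECRET and COOKIE_HOURS are assumptions.
Const COOKIE_SECRET = "replace-me-with-32-plus-random-characters"
Const COOKIE_HOURS = 8

' Lower-case hex HMAC-SHA256 of text under key (both plain strings).
' GetBytes_4 / ComputeHash_2 are the overload names the .NET classes expose to COM.
Function HmacSha256Hex(key, text)
    Dim enc, hmac, mac, i, out
    Set enc = Server.CreateObject("System.Text.UTF8Encoding")
    Set hmac = Server.CreateObject("System.Security.Cryptography.HMACSHA256")
    hmac.Key = enc.GetBytes_4(key)
    mac = hmac.ComputeHash_2((enc.GetBytes_4(text)))
    out = ""
    For i = LBound(mac) To UBound(mac)
        out = out & Right("0" & Hex(mac(i)), 2)
    Next
    HmacSha256Hex = LCase(out)
    Set hmac = Nothing
    Set enc = Nothing
End Function

' Issue the cookie as "<empId>|<expiry serial>|<mac>". The MAC covers the first
' two fields, so editing the employee number or the expiry in the browser
' invalidates it, and a hand-made "ValidUser=OK" is rejected by CookieEmpId.
Sub IssueValidUserCookie(empId)
    Dim expires, payload
    expires = DateAdd("h", COOKIE_HOURS, Now())
    payload = empId & "|" & CStr(CDbl(expires))
    Response.Cookies("ValidUser") = payload & "|" & HmacSha256Hex(COOKIE_SECRET, payload)
    Response.Cookies("ValidUser").Path = "/SOC/AgentBid/"
    Response.Cookies("ValidUser").Expires = expires
End Sub

' Employee number from a valid cookie, or "" when it is missing, tampered with
' or past its expiry. (StrComp is not constant-time; on an internet-facing site
' compare the two strings byte by byte instead.)
Function CookieEmpId()
    Dim parts, expected
    CookieEmpId = ""
    parts = Split(Request.Cookies("ValidUser") & "", "|")
    If UBound(parts) <> 2 Then Exit Function
    If Not IsNumeric(parts(1)) Then Exit Function
    expected = HmacSha256Hex(COOKIE_SECRET, parts(0) & "|" & parts(1))
    If StrComp(parts(2), expected, vbBinaryCompare) <> 0 Then Exit Function
    If CDbl(parts(1)) < CDbl(Now()) Then Exit Function
    CookieEmpId = parts(0)
End Function

' Accept only a site-rooted path as the post-login destination. An absolute
' URL, a protocol-relative "//host" or a CR/LF in the value would otherwise
' turn login.asp into an open redirect or a header-injection point.
Function SafeReturnUrl(candidate, fallback)
    Dim s
    s = Trim(candidate & "")
    SafeReturnUrl = fallback
    If Len(s) = 0 Or Left(s, 1) <> "/" Then Exit Function
    If Mid(s, 2, 1) = "/" Or Mid(s, 2, 1) = "\" Then Exit Function
    If InStr(s, vbCr) > 0 Or InStr(s, vbLf) > 0 Then Exit Function
    SafeReturnUrl = s
End Function
%>
```

With these helpers, login.asp calls IssueValidUserCookie(Emp_Id) only after the admin lookup has succeeded and then redirects to SafeReturnUrl(Request.QueryString("from"), "MyPage.asp"); the protected page builds "from" from Request.ServerVariables("URL") and the query string (a site-rooted path) instead of the full http:// URL, and replaces the Request.Cookies("ValidUser") <> Validated test with CookieEmpId() <> Emp_Id. Response.Cookies cannot mark the cookie HttpOnly; emitting the Set-Cookie header yourself with Response.AddHeader can.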
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 40256019
This is not too bad, but should not really be done
<INPUT TYPE="hidden" NAME="User" VALUE="<%=Emp_Id%>" />

This should never be done
<INPUT TYPE="hidden" NAME="password" VALUE="<%=Emp_Id%>" />

Remember, hidden is not really hidden.  I can then view source and look up the username and password.  What if I get up and leave for my coffee and somebody sees this page still open with data?  A curious mind views source and now they have log in credentials.

What you are starting to see today is first you enter a username and no password.  If the username matches, then you enter a password on a new page.

But you don't want to send that data back to the browser.

Author Comment

by:romsom
ID: 40256047
Actually, the User Name and Password are not a secret. Employees know who is supposed to view the protected page. Even if they know the User Name and Password, they are not able to view the protected page if they are not logged in to the network as the privileged person.
Let's say, the privileged person's  Emp_Id is 123456
That is also the Username and Password to see the protected page.
If you are logged in as e.g. 223344 that will not work when you click the Logon button.
You must be logged in to the system as 123456

Author Comment

by:romsom
ID: 40256062
Even if they look up the source code they will see only their own employee numbers in these fields:
<INPUT TYPE="hidden" NAME="password" VALUE="223344" />
LVL 34

Expert Comment

by:Big Monty
ID: 40256063
getting back on track with the question, what does the stored procedure GetAgentBidAdmin return when the userID is NOT supposed to belong?

Author Comment

by:romsom
ID: 40256079
It doesn't return anything if the logged in person is not listed in that table
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 40256101
>Even if they know the User Name and Password, they are not able to view the protected page, if they are not logged in to the network as the privileged person.

Are you using the Active Directory?

Author Comment

by:romsom
ID: 40256108
It actually should be like this:
session("UserLevel")=""
If username = user_name_look_up then
     if password = user_name_password then
         'we have a good user, set a log in cookie
          'next find their user level
                If username = admin_lookup_table then
                       session("UserLevel")="Admin" ' or whatever you want
                 end if
       end if
end if

Author Comment

by:romsom
ID: 40256110
Sorry, pasted the wrong thing

Author Comment

by:romsom
ID: 40256111
<%
set rs = Server.CreateObject("ADODB.recordset")
rs.Open "exec GetAgentBidAdmin'" & UserID & "'", conn
do until rs.EOF
AgentBidLogin = rs("AgentBidLogin")
rs.MoveNext
loop
%>

Author Comment

by:romsom
ID: 40256117
Yes Padas. They are already logged in to the intranet. This page cannot be accessed from outside.
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 40256133
OK, what about using Active Directory to do this?  Then no log in is required.  When they view a page, AD knows the user info, and you can then look up the admin info behind the scenes.
LVL 34

Assisted Solution

by:Big Monty
Big Monty earned 1000 total points
ID: 40256136
OK, this bit of code isn't correct; you just created the recordset, so there's no need to check whether it's BOF or EOF:

<%
set rs = Server.CreateObject("ADODB.recordset")
If not EOF or NOT BOF Then UserID = Emp_Id
rs.Open "exec GetAgentBidAdmin'" & UserID & "'", conn
do until rs.EOF
AgentBidLogin = rs("AgentBidLogin")
rs.MoveNext
loop
%>

should be

<%
set rs = Server.CreateObject("ADODB.recordset")
rs.Open "exec GetAgentBidAdmin'" & UserID & "'", conn
If not EOF or NOT rs.BOF Then
      UserID = Emp_Id
       AgentBidLogin = rs("AgentBidLogin")
end if
%>

Since there's only one record to be returned (I'm assuming), you do not need to have a loop; just check BOF and EOF. Here, I'm assuming you want to set the UserID variable equal to Emp_Id; please correct me if I'm wrong.

Now for the rest of the code; it should look something like:

If Username<>Emp_Id Then Username=Emp_Id End If
If Password<>Emp_Id Then Password=Emp_Id End If

Validated = "OK"
if Strcomp(Request.Form("User"),Username,1)=0 AND Request.Form("password") = Password then    '-- assuming this works, basic username and pw check
    if UserID = AgentBidLogin then     '-- see if they're admins
        'Set the validation cookie and redirect the user to the original page.
        Response.Cookies("ValidUser") = Validated
        'Check where the users are coming from within the application.
        If (Request.QueryString("from")<>"") then
            Response.Redirect Request.QueryString("from")
        else
            'If the first page that the user accessed is the Logon page,
            'direct them to the default page.
            Response.Redirect "MyPage.asp"
        End if
    end if
End if

I would put in Response.Writes at each level of your IF statement and see if you get the proper values; this'll make debugging easier.

I have to bow out for a bit, but I'll check back later and see how you're doing. good luck!
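Scott Fell's accepted solution (decide at login, keep the result in a server-side Session variable, test it from an include file) and Big Monty's check of the employee number against AgentBidLogin, combined in one include, as an added example that is not code from the thread or from the asker's application. As the thread does, it assumes Authentication.asp has already set Emp_Id from the intranet logon, that conn is an open ADODB.Connection, and that GetAgentBidAdmin takes one varchar parameter and returns at most one row whose AgentBidLogin column holds the employee number. The include's role, the parameter name @EmpId and its width of 20 are assumptions.

```vbscript
<%
' Added example, not the asker's code. login.asp and every protected page pull
' this in after Authentication.asp; Emp_Id and conn are assumed to come from there.

' True when empId is listed in the Administration table.
Function IsAgentBidAdmin(empId)
    Dim cmd, rs
    IsAgentBidAdmin = False
    If Len(Trim(empId & "")) = 0 Then Exit Function

    ' A parameterised command instead of "exec GetAgentBidAdmin'" & UserID & "'":
    ' a quote or semicolon inside empId stays data and cannot alter the batch.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "GetAgentBidAdmin"
    cmd.CommandType = 4                                   ' adCmdStoredProc
    cmd.Parameters.Append cmd.CreateParameter("@EmpId", 200, 1, 20, Trim(empId)) ' adVarChar, adParamInput (name/width assumed)
    Set rs = cmd.Execute

    ' At most one row is expected, so no loop. Test EOF before reading a field:
    ' on an empty recordset rs("AgentBidLogin") raises
    ' "Either BOF or EOF is True, or the current record has been deleted."
    If Not rs.EOF Then
        IsAgentBidAdmin = (StrComp(Trim(rs("AgentBidLogin") & ""), Trim(empId), vbTextCompare) = 0)
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' login.asp calls this once. No username/password form is needed: the intranet
' logon already identifies the employee, so nothing has to be echoed into hidden
' fields. The decision lives in Session on the server; the browser cannot set it
' the way it can send a ValidUser cookie.
Sub LoginAgentBid()
    Session("UserLevel") = ""
    Session("EmpId") = ""
    If IsAgentBidAdmin(Emp_Id) Then
        Session("UserLevel") = "Admin"
        Session("EmpId") = Emp_Id
        ' The "from" parameter is deliberately not used here; if you keep it,
        ' validate it as a site-rooted path before redirecting to it.
        Response.Redirect "MyPage.asp"
    Else
        Response.Write "You are not authorized to Login"
    End If
End Sub

' Every protected page calls this before sending any HTML. Re-checking
' Session("EmpId") against Emp_Id catches a shared workstation where a different
' employee has logged on while the ASP session was still alive.
Sub RequireAgentBidAdmin()
    If Session("UserLevel") <> "Admin" Or Session("EmpId") <> Emp_Id Then
        Session.Abandon
        Response.Redirect "login.asp"
    End If
End Sub
%>
```

In login.asp the whole body reduces to the include plus a call to LoginAgentBid; each protected page opens with the include and RequireAgentBidAdmin, replacing its Request.Cookies("ValidUser") test. Keep Session.Timeout short enough for your environment, since the admin check is made once per session rather than on every request.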
LVL 34

Expert Comment

by:Big Monty
ID: 40256152
Seeing how the user permissions are stored in the database, unless the user schema matches that of the AD user schema, using AD doesn't make much sense. I would stick with what you have got now, I believe you're close to getting what you need working.

Author Comment

by:romsom
ID: 40256160
It gives me an error on line 8

Either BOF or EOF is True, or the current record has been deleted.
LVL 34

Expert Comment

by:Big Monty
ID: 40256169
change this line

If not EOF or NOT rs.BOF Then

to

If not rs.EOF or NOT rs.BOF Then

OK, now I'm out!

Author Comment

by:romsom
ID: 40256181
Thanks Monty, it worked. Now I'm exploring the rest.
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 40256220
>If not rs.EOF or NOT rs.BOF Then

Yes, that is what I mentioned in my first post

Author Comment

by:romsom
ID: 40256278
Thank you very much, this worked.
It's great that you noticed that I didn't need the loop.
Yes, only one record is supposed to be returned.
I used that code in many other pages, now I have to correct them all.

Thank you both of you for being always there for me.

Author Closing Comment

by:romsom
ID: 40265093
Thank you again!