I had to migrate a down web server to new hardware and subsequently have had to use slightly newer versions of IIS, MS SQL Server, etc.
I'm so close...
Earlier I mistakenly believed that all pages that INSERT or UPDATE were causing the application to boot me out to the login page. Instead I've now isolated two related (?) pieces of code that I can remove or alter to finally get different results than I've been getting!
On one page of the application, after the page load, all I had to do was refresh the page, and I would get booted out with my session expired. But when I removed this authentication/redirect code,
' *** Restrict Access To Page: Grant or deny access to this page
If Session("MM_Username") <> "" Then
If (true Or CStr(Session("MM_UserAuthorization"))="") Or _
MM_grantAccess = true
If Not MM_grantAccess Then
MM_qsChar = "?"
If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
MM_referrer = Request.ServerVariables("URL")
if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
...I could then refresh as much as I wanted. However, if I changed any form fields and submitted an UPDATE request, it would boot me out AFTER saving my changes. I think it was booting me out during these lines of code:
if request("from") <> "" then
  MM_editRedirectUrl = request("from") & ".asp"
else
  MM_editRedirectUrl = "estimate_manager_completed.asp"
end if
If (Request.QueryString <> "") Then
  If (InStr(1, MM_editRedirectUrl, "?", vbTextCompare) = 0) Then
    MM_editRedirectUrl = MM_editRedirectUrl & "?" & Request.QueryString
  Else
    MM_editRedirectUrl = MM_editRedirectUrl & "&" & Request.QueryString
  End If
End If
The common theme is redirect, and specifically we've been successfully manipulating the URL redirect strings to use them for "smarter" redirects.
For example, we tell a page from where the user came, so that when they UPDATE the record, we redirect them to the page they were on. In the authentication failure redirect, we are building a string we append that tells our login page from where the user came. Same idea.
This is just my current hunch, but the bottom line is, I can INSERT and UPDATE records with impunity, if I don't check for one of those "from" strings in the arrival URL on the page. I can refresh the page with impunity, if I remove the authentication check that includes that string-building add-on.
Just as a reminder - this all worked great on our old server, but I'm wondering if a previous developer may have added some library or configuration change that would handle things like URLEncoded values being passed as part of a redirect.
Any of this sound like I'm close? Any new suggestions?
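
The "from" redirect described in the post takes its target straight from the request, so whatever arrives in that value decides where the browser is sent after the UPDATE. The following is an added example, not part of the original post or the application's code, showing the same redirect built only from page names on a fixed allow-list; the function names and the second allow-list entry are hypothetical.

```vbscript
<%
' Added example (not the poster's code): resolve the "from" value to a
' redirect target only when it names a known page of this application.

Const DEFAULT_PAGE = "estimate_manager_completed"

Function IsAllowedPage(name)
    Dim allowed, i
    ' Hypothetical allow-list of page names, without the .asp extension.
    allowed = Array("estimate_manager_completed", "estimate_manager_open")
    IsAllowedPage = False
    For i = 0 To UBound(allowed)
        If StrComp(name, allowed(i), vbTextCompare) = 0 Then
            IsAllowedPage = True
            Exit Function
        End If
    Next
End Function

Function BuildRedirectUrl(fromValue, queryString)
    Dim target
    ' Anything not on the list (empty, a path, another host) falls back
    ' to the default page instead of being concatenated into the URL.
    If IsAllowedPage(fromValue) Then
        target = LCase(fromValue) & ".asp"
    Else
        target = DEFAULT_PAGE & ".asp"
    End If
    ' The target never contains "?" here, so the query string is
    ' appended exactly once.
    If queryString <> "" Then
        target = target & "?" & queryString
    End If
    BuildRedirectUrl = target
End Function

' Read "from" from the query string collection only, rather than the
' generic Request("from") lookup that also searches form fields and cookies.
Dim MM_editRedirectUrl
MM_editRedirectUrl = BuildRedirectUrl(CStr(Request.QueryString("from")), _
                                      CStr(Request.QueryString))
Response.Redirect MM_editRedirectUrl
%>
```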