ASP login page not working well

I am trying to create a new login page from scratch using Microsoft KB: https://support.microsoft.com/en-us/kb/299987

I modified the code to match my connections and database but it still always redirects me to incorrect password.

My DB table is: blueformsemailed
the username field in that table is: code1
the password field in that table is: code2

the connection string is in an include file, below is the include file:

<!--#include file="../Connections/bdotread.asp" -->

I am encrypting the value of password because code2 is encrypted in the database. This is already tested and is not the issue. I am missing something in the code below.

that file code is:

<%
' FileName="Connection_odbc_conn_dsn.htm"
' Type="ADO" 
' DesigntimeType="ADO"
' HTTP="false"
' Catalog=""
' Schema=""
Dim MM_bdotread_STRING
MM_bdotread_STRING = "dsn=XXX;uid=XXX;pwd=XXXX;"
%>



The login page passes two values to the validate.asp page, those are:

uid (for the username to be compared to 'code1')
password (for the password to be compared to 'code2')

This is validate.asp

<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<!DOCTYPE html>

<!--#BlueDot Include files-->
<!--#include file="../includes/bdot/EnDe.asp"-->
<!--#include file="../includes/bdot/Validates.js"-->

 
<%
Response.Buffer=true

'The following three lines of code are used to make sure that this page is not cached on the client.
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1

Dim userid
Dim Pwd
'Assign the user ID to this variable. The user provides the user ID.
userid= Request.Form("UID")
'Check whether userid is an empty string. If it is empty, redirect to Logon.asp.
'If it is not empty, connect to the database, and validate the user.

if userid <> "" then
    pwd = EncrytPswd(Request.Form("passwd"))
	
    Dim Cn
    Dim RsOne
    Dim StrConnect

'Specify the connection string to access the database.
'Remember to change the following connection string parameters to reflect the correct values
'for your SQL server.
<!--#include file="../Connections/bdotread.asp" -->

    Set Cn = Server.CreateObject("ADODB.Connection")
    Cn.Open StrConnect
    Set Rs = Server.CreateObject("ADODB.Recordset")
    Rs.Open "Select * from blueformsemailed where uid='" & code1 & "'",Cn
'Check to see whether this user ID exists in your database.
    If Not Rs.EOF then
        If strcomp( pwd, Rs.Fields("code2").value , 1) = 0 then
'Password is correct. Set a session variable, and redirect the user to a Default.asp page
'or the main page in your application.
            Session("UID") = userid
			Session("PermissionGroup")="blueforms"
 			Session("codeid")=id
            Response.Redirect "default.asp"
            Response.End
        Else
'Password is incorrect. Redirect the user to the logon page.
            Response.Redirect "login_error.asp"
            Response.End
        End if
    Else
'If the user is not in your database, point him or her to the Register.asp page
'so that he or she can register at your Web site to access your application.
        Response.Redirect "login_error.asp"
        Response.End
    End if
Else
    Response.Redirect "login_error.asp"
    Response.End
End if

%>



<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>

<body>
</body>
</html>




Your help is GREATLY appreciated !!!
AleksAsked:
AleksAuthor Commented:
Please let me know if I need to post more information.
sammySeltzerCommented:
So, what is the problem though?
AleksAuthor Commented:
It's not validating the user and password correctly. It always sends me to the incorrect password page even though they are correct
Shaun KlineLead Software EngineerCommented:
Have you confirmed that your validate.asp page is receiving the entered values correctly?

Have you determined which path the logic is following? One way to do that is to use Response.Write to send generic text, different per IF / Else branch, to the page instead of performing the Redirect. This would at least narrow down where the error in your logic is occurring.
AleksAuthor Commented:
The login page sends the values correctly. I don't know how to check on if validate.asp is retrieving the values from the database correctly, I think this is where the issue is. Can you help with this ?
sammySeltzerCommented:
Why not try something like this first and see if you are getting values for both username and password.

First of all, why are you not using password as parameter?

		SQL = "Select * from blueformsemailed where uid='" & code1 & "' AND password = '" & pwd & "'"
		    response.Write SQL
		    response.end
		Set RS = Cn.Execute(SQL)
		If RS.EOF Then
			RS.close
			Cn.Close
			'login name not found or incorrect login
			response.Redirect "login.aspx"
		End If


AleksAuthor Commented:
I am just using the code I found online. Where should I insert the above code ?
sammySeltzerCommented:
You probably need a few changes here and there as I did not test this.

<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<!DOCTYPE html>

<!--#BlueDot Include files-->
<!--#include file="../includes/bdot/EnDe.asp"-->
<!--#include file="../includes/bdot/Validates.js"-->

 
<%
Response.Buffer=true

'The following three lines of code are used to make sure that this page is not cached on the client.
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1

Dim userid
Dim Pwd
'Assign the user ID to this variable. The user provides the user ID.
userid= Request.Form("UID")
'Check whether userid is an empty string. If it is empty, redirect to Logon.asp.
'If it is not empty, connect to the database, and validate the user.

if userid <> "" then
    pwd = EncrytPswd(Request.Form("passwd"))
	
    Dim Cn
    Dim RsOne
    Dim StrConnect

'Specify the connection string to access the database.
'Remember to change the following connection string parameters to reflect the correct values
'for your SQL server.
<!--#include file="../Connections/bdotread.asp" -->

    Cn.Open StrConnect
   Set Cn = Server.CreateObject("ADODB.Connection")

   SQL = "Select * from blueformsemailed where uid='" & userid & "' AND password = '" & pwd & "'"
    response.Write SQL
    response.end
   Set RS = Cn.Execute(SQL)
   If RS.EOF Then
    RS.close
    Cn.Close
    'login name not found or incorrect login
    response.Redirect "login_error.aspx"
    response.End
    Else
     Session("UID") = userid
     Session("PermissionGroup")="blueforms"
     Session("codeid")=id
     Response.Redirect "default.asp"
     Response.End
   End If
%>

<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>

<body>
</body>
</html>


AleksAuthor Commented:
Gave me this error on validate.asp

Microsoft VBScript compilation  error '800a03f6'

Expected 'End'

/bluedot/blueforms/validate.asp, line 55
AleksAuthor Commented:
Also another problem I noticed is at the top of validate it shows the username and the password:

http://localhost/bluedot/blueforms/validate.asp?UID=5@Ysq%26j5Rm&passwd=qrm*I2*m6P

before redirecting, is it  possible to avoid this showing ?  I think it may be an issue.
sammySeltzerCommented:
<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<!DOCTYPE html>

<!--#BlueDot Include files-->
<!--#include file="../includes/bdot/EnDe.asp"-->
<!--#include file="../includes/bdot/Validates.js"-->

 
<%
Response.Buffer=true

'The following three lines of code are used to make sure that this page is not cached on the client.
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1

Dim userid
Dim Pwd
'Assign the user ID to this variable. The user provides the user ID.
userid= Request.Form("UID")
'Check whether userid is an empty string. If it is empty, redirect to Logon.asp.
'If it is not empty, connect to the database, and validate the user.

if userid <> "" then
    pwd = EncrytPswd(Request.Form("passwd"))
	
    Dim Cn
    Dim RsOne
    Dim StrConnect

'Specify the connection string to access the database.
'Remember to change the following connection string parameters to reflect the correct values
'for your SQL server.
<!--#include file="../Connections/bdotread.asp" -->

    Cn.Open StrConnect
   Set Cn = Server.CreateObject("ADODB.Connection")

   SQL = "Select * from blueformsemailed where uid='" & userid & "' AND password = '" & pwd & "'"
   ' response.Write SQL
   ' response.end
   Set RS = Cn.Execute(SQL)
   If RS.EOF Then
    RS.close
    Cn.Close
    'login name not found or incorrect login
    response.Redirect "login_error.aspx"
    response.End
    Else
     Session("UID") = userid
     Session("PermissionGroup")="blueforms"
     Session("codeid")=id
     Response.Redirect "default.asp"
     Response.End
   End If
End If
%>

<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>

<body>
</body>
</html>


AleksAuthor Commented:
I changed the code to request only, for some reason request.form was not getting any values.

Once I fixed this I get this error:

Microsoft VBScript runtime  error '800a01a8'

Object required: ''

/bluedot/blueforms/validate.asp, line 36

line 36 is:      Cn.Open StrConnect

I changed my code to include the connection string instead of my own connection.

<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<!DOCTYPE html>

<!--#BlueDot Include files-->
<!--#include file="../includes/bdot/EnDe.asp"-->
<!--#include file="../includes/bdot/Validates.js"-->

 
<%
Response.Buffer=true

'The following three lines of code are used to make sure that this page is not cached on the client.
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1

Dim userid
Dim Pwd
'Assign the user ID to this variable. The user provides the user ID.
userid= Request("UID")
'Check whether userid is an empty string. If it is empty, redirect to Logon.asp.
'If it is not empty, connect to the database, and validate the user.

if userid <> "" then
    pwd = EncrytPswd(Request("passwd"))
	
    Dim Cn
    Dim RsOne
    Dim StrConnect

'Specify the connection string to access the database.
'Remember to change the following connection string parameters to reflect the correct values
'for your SQL server.
    StrConnect = "Provider=SQLOLEDB.1;User ID=XXX;Password=XXXXX;Initial Catalog=pubs;" & _
    "Network Library=dbmssocn;Data Source=BDot\SQLExpress"

    Cn.Open StrConnect
   Set Cn = Server.CreateObject("ADODB.Connection")

   SQL = "Select * from blueformsemailed where uid='" & userid & "' AND password = '" & pwd & "'"
   ' response.Write SQL
   ' response.end
   Set RS = Cn.Execute(SQL)
   If RS.EOF Then
    RS.close
    Cn.Close
    'login name not found or incorrect login
    response.Redirect "login_error.aspx"
    response.End
    Else
     Session("UID") = userid
     Session("PermissionGroup")="blueforms"
     Session("codeid")=id
     Response.Redirect "default.asp"
     Response.End
   End If
End If
%>

<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>

<body>
<p>request uid = <%=Request("UID")%> </p>
<p>request pwd =<%=Request("passwd")%></p>
<p> Session(&quot;UID&quot;) = <%=Session("UID")%><br>
Session(&quot;PermissionGroup&quot;)= <%=Session("PermissionGroup")%><br>
Session(&quot;codeid&quot;)=<%=Session("codeid")%></p>
</body>
</html>


sammySeltzerCommented:
    Set Cn = Server.CreateObject("ADODB.Connection")
    Cn.Open StrConnect
   SQL = "Select * from blueformsemailed where uid='" & userid & "' AND password = '" & pwd & "'"
   ' response.Write SQL
   ' response.end
   Set RS = Cn.Execute(SQL)
   If RS.EOF Then
 rest of code


AleksAuthor Commented:
I still get this error:

Microsoft VBScript runtime  error '800a01a8' 

Object required: '' 

/bluedot/blueforms/validate.asp, line 37 




I updated the code as requested. This is my code with the string included.

<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<!DOCTYPE html>

<!--#BlueDot Include files-->
<!--#include file="../includes/bdot/EnDe.asp"-->
<!--#include file="../includes/bdot/Validates.js"-->

 
<%
Response.Buffer=true

'The following three lines of code are used to make sure that this page is not cached on the client.
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1

Dim userid
Dim Pwd
'Assign the user ID to this variable. The user provides the user ID.
userid= Request("UID")
'Check whether userid is an empty string. If it is empty, redirect to Logon.asp.
'If it is not empty, connect to the database, and validate the user.

if userid <> "" then
    pwd = EncrytPswd(Request("passwd"))
	
    Dim Cn
    Dim RsOne
    Dim StrConnect

'Specify the connection string to access the database.
'Remember to change the following connection string parameters to reflect the correct values
'for your SQL server.
    StrConnect = "Provider=SQLOLEDB.1;User ID=bluedotrw;Password=XXX!@;Initial Catalog=pubs;" & _
    "Network Library=dbmssocn;Data Source=bluedotrw"

    Cn.Open StrConnect
       Set Cn = Server.CreateObject("ADODB.Connection")
    Cn.Open StrConnect
   SQL = "Select * from blueformsemailed where uid='" & userid & "' AND password = '" & pwd & "'"
   ' response.Write SQL
   ' response.end
   Set RS = Cn.Execute(SQL)
   If RS.EOF Then
     RS.close
    Cn.Close
    'login name not found or incorrect login
    response.Redirect "login_error.aspx"
    response.End
    Else
     Session("UID") = userid
     Session("PermissionGroup")="blueforms"
     Session("codeid")=id
     Response.Redirect "default.asp"
     Response.End
   End If
End If
%>

<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>

<body>

</body>
</html>


sammySeltzerCommented:
You need to remove this code from line 37:

Cn.Open StrConnect

You can see the same code on line 39.

AleksAuthor Commented:
Microsoft OLE DB Provider for SQL Server error '80004005' 

[DBNETLIB][ConnectionOpen (Connect()).]Specified SQL server not found. 

/bluedot/blueforms/validate.asp, line 39



I tried entering the ODBC name and the SQL server name on line 35. Neither worked.
I also tried using the include file I use everywhere else.

then I get :  

Microsoft OLE DB Provider for ODBC Drivers error '80004005' 

[Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified 

/bluedot/blueforms/validate.asp, line 38



Alternatively the include file uses ODBC connection with this (I was hoping to use the include file instead of the connection string in the page).
As you can see the ODBC DOES exist even though the error says:  Data source name not found and no default driver specified

<%
' FileName="Connection_odbc_conn_dsn.htm"
' Type="ADO" 
' DesigntimeType="ADO"
' HTTP="false"
' Catalog=""
' Schema=""
Dim MM_bdotread_STRING
MM_bdotread_STRING = "dsn=bluedotrw;uid=bluedotrw;pwd=XXX!@;"
%>



Perhaps we are using the wrong library type for the string connection ?  Can we use an ODBC connection type ?
ODBC.PNG
servername.PNG
AleksAuthor Commented:
I made the following changes:

'Specify the connection string to access the database.
'Remember to change the following connection string parameters to reflect the correct values
'for your SQL server.
    StrConnect  = "dsn=bluedotrw;uid=bluedotrw;pwd=XXX!@;"

       Set Cn = Server.CreateObject("ADODB.Connection")
    Cn.Open StrConnect
   SQL = "Select * from blueformsemailed where code1='" & userid & "' AND code2 = '" & pwd & "'"



After logging in I got no results, this is because line 51 did not assign the value to the session "codeid" to the ID of the matching column of the code1 and code2 matching username and password.

How can I get the value of the column 'id'  of the row that matches the username/password that the user entered ?  without it I can't display the necessary data.

Line 51:  Session("codeid")=id
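
Added example, not part of the original thread or of the Microsoft KB code: a validate.asp that binds UID and passwd as ADODB.Command parameters instead of concatenating them into the SQL, and reads the id column of the matching row into Session("codeid"). It assumes code1 and code2 are varchar columns of at most 255 characters (MAX_LEN is a made-up name for that assumed width), that the login form uses method="post", and that EncrytPswd and MM_bdotread_STRING come from the include files shown in the thread.

```asp
<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<!--#include file="../includes/bdot/EnDe.asp"-->
<!--#include file="../Connections/bdotread.asp" -->
<%
' Includes sit outside this script block: each included file has its own <% %> delimiters.
' Added example; MAX_LEN is an assumed column width, adjust to the real schema.
Const adCmdText = 1, adVarChar = 200, adParamInput = 1   ' standard ADO constants
Const MAX_LEN = 255

Response.Buffer = True
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1

Dim userid, pwd, Cn, Cmd, Rs, found, rowId
found = False

' Request.Form reads only the POST body, so the login form must use method="post".
' That also keeps UID and passwd out of the address bar, browser history and server logs.
userid = Trim(Request.Form("UID"))
pwd = ""
If userid <> "" Then pwd = EncrytPswd(Request.Form("passwd"))   ' helper from EnDe.asp

If userid <> "" And Len(userid) <= MAX_LEN And Len(pwd) <= MAX_LEN Then
    Set Cn = Server.CreateObject("ADODB.Connection")   ' create the object first...
    Cn.Open MM_bdotread_STRING                         ' ...then open it

    ' The values travel as bound parameters; quotes in the input cannot change the query.
    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Cn
    Cmd.CommandType = adCmdText
    Cmd.CommandText = "SELECT id FROM blueformsemailed WHERE code1 = ? AND code2 = ?"
    Cmd.Parameters.Append Cmd.CreateParameter("code1", adVarChar, adParamInput, MAX_LEN, userid)
    Cmd.Parameters.Append Cmd.CreateParameter("code2", adVarChar, adParamInput, MAX_LEN, pwd)

    Set Rs = Cmd.Execute
    If Not Rs.EOF Then
        found = True
        rowId = Rs.Fields("id").Value   ' id of the row that matched both columns
    End If
    Rs.Close
    Cn.Close
End If

If found Then
    Session("UID") = userid
    Session("PermissionGroup") = "blueforms"
    Session("codeid") = rowId
    Response.Redirect "default.asp"
Else
    ' Same destination for unknown user and wrong password, so the page does not reveal which.
    Response.Redirect "login_error.asp"
End If
%>
```
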
AleksAuthor Commented:
Got it to work, thanks for all the help.
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
I know this is after the fact, but I have a working sample for a log in system http://www.experts-exchange.com/articles/18259/User-Log-In-Using-A-Token.html
It's more than this solution.