How do you validate name and password? 1

[bigfoot]

I am building our company's web site, and I need a section that only our clients can enter, logging in with a name and password. We are running NT4 w/IIS 4.0 and ASp. What is the best way to do site security, or where can I look to find the answer.<br>
<br>
garyp@orbacom.com

 

[Guest_imported]

We use SQL Server 7.0 as our database backbone at Tri Tech Laboratories... setting up a user name password, with sequel is fairly simple, <br>
Go to

http://204.177.102.35/logon.html

for a rough example of a logon screen. I am thinking of doing it with a pop-up window, instead, but this'll give you an idea.<br>
The logon.idc script looks like this (very simple)-<br>
<br>
Datasource: Web SQL<br>
Username: WebGuest<br>
Password: Whatever<br>
Template: logon.htx<br>
SQLStatement:<br>
+SELECT UserName, UserPassword<br>
+FROM Login<br>
+WHERE UserName Like '%UserName%' <br>
<br>
The template file (logon.htx) actually does most of the work, as is shown here:<br>
<br>
&lt;%begindetail%&gt;<br>
&lt;%if LoginName EQ idc.LoginName %&gt;<br>
&lt;%if idc.Password EQ UserPassword%&gt;<br>
&lt;script Language="javascript"&gt;<br>
self.location.replace("order_lookup.html");<br>
&lt;/script&gt;<br>
&lt;%else%&gt;<br>
&lt;script&gt;<br>
self.location.replace('logon.html');<br>
&lt;/script&gt;<br>
&lt;%endif%&gt;<br>
&lt;%endif%&gt;<br>
<br>
What this trio does, basically is take the users name and password, look for a username in the SQL Database that matches (is similar to) the present user. If it finds the user it check the password field (associated in the table with the user) and sees if it matches... if so it goes on to the page you want to get to. <br>
In my little example above, if you go to the site, and enter john as the user, and bec as the password, you will be taken to the Order Lookup screen (which is another set of SQL database files <br>
<br>
If you want to you can go to Microsoft's website and download a 30 day evaluation of MS SQL 7.0, you will find that it is an excellent tool.<br>
<br>
BTW, I am also running NT Server 4.0 with IIS4.0 and have even run SQL on an old 166 with windows 95 and 32Meg ram (just for kicks). So I know that SQL will pretty much run on just about anything <br>
<br>
Anyway, didn't mean to write a book... hope this helped in some small way, if I can help anymore, just email me and I'll be glad to help.

 

[bigfoot]

Thank you for the help.<br>
<br>
But you did'nt leave me an email address to get in touch with you...??<br>
<br>
mine is garyp@orbacom.com<br>
<br>
thanks again

 

[grasupt]

Keep in mind that you should also be checking to make sure that everyone comes in thru your login screen and not directly into one of your other pages, thus bypassing the whole logon check. use a global, application or session variable and set it to some value like "passed logon" if they enter via the logon screen and are valid users.. then check on EVERY PAGE for the existance of this value. If its not there, then they bypassed your security screen and shoould be re-directed back to logon

 

[bigfoot]

That last piece was what I needed. I could not figure out what to do if they bypassed my logon screen. I will look into this more.<br>
<br>
Thanks

 

[MarkRuse]

If you are using IIS 4, The NT Security model has been integrated within it.<br>
<br>
If you try a URL to a directory or files that you don't have permission to, your browser will automatically request for user name and password that will be passed automatically through to NT on the server.<br>
<br>
I don't know if this helps you, but it has saved me a hell of a lot of time with the site I am currently developing.

 

[MarkRuse]

As an example, try this URL<br>
<br>

http://www.a-zclassifiedadverts.uk.com/admin<br>

<br>
This directory on the NT box is locked out, so you can see the response you get.

 

[bgreenhouse]

OUt of interest guys...How secure is that method? I currently set a session variable called authenticate to true when the user logs in. If authenitcate doesn't equal true on any page, they are redirected back to the login page. Is this a fairly robust security system? I always thoguht that since it was so easy, it was probably fairly susceptible...

Ben

 

[Nazgul]

Use ADSI, why not?

 

[bigfoot]

What??? The door to life is never locked, but few have the knowledge to open it.

 

[morsagmon]

If all of your environment is Microsoft based, and your Web Server is IIS, why not use its integrated mechanism for authenticating users (NT Challenge/Response). Basically what you need to do is manage your Users in an NT Domain and set the Web Server Directory Security authentication method to NT Challenge/Response.

Ofcourse, if you only manage your users in SQL DB, you cannot use this mechanism.

Mor.

 

[silvers5]

How do I control access to an area?
Creating a login for a section of your web site is fairly easy. First, create a login form (loginForm.asp):

<form action=loginHandler.asp method=post>
Username: <input type=text name='username'><BR>
Password: <input type=password name='password'><BR>
<input type=submit Value='Log In'><BR>
</form>


Next, create a login handler (loginHandler.asp):

<%
'---------------------------------------------------------
'-- check to see that the form was completely filled out--
'---------------------------------------------------------
if request.form(&quot;username&quot=&quot;&quot; or request.form(&quot;password&quot=&quot;&quot; then
response.redirect(&quot;loginForm.asp&quot
end if

'---------------------------------------------------------
'-- open your database connection and check for a record--
'---------------------------------------------------------
set conn = server.createObject(&quot;ADODB.Connection&quot
conn.open &quot;<insert connection string here>&quot;
u = lcase(request.form(&quot;username&quot)
p = lcase(request.form(&quot;password&quot)
sql = &quot;select lin = count(username) from logintable where lower(&quot;
sql = sql &amp; &quot;username)='&quot; &amp; u &amp; &quot;' and lower(password)='&quot; &amp; p &amp; &quot;'&quot;
set rs = conn.execute(sql)

'--------------------------------------------------------
'-- Decide whether to let them in --
'--------------------------------------------------------
if rs(&quot;lin&quot<>1 then
'access Denied
response.redirect (&quot;loginForm.asp&quot
end if
session(&quot;login&quot=true
response.redirect (&quot;hiThere.asp&quot
%>


Finally, at the top of each page, you test the session variable that you assigned in the script above:

<%
if not session(&quot;login&quot then
response.redirect(&quot;loginForm.asp&quot
end if
%>


from

http://www.aspquestions.com

 

[bigfoot]

I don't want to have another set of names and passwords.
Ohmygosh! That would be a nightmare! The employees change their passwords too often.
This is an Intranet. I just want my internal people to see it. Also, I have a few salespeople w/laptops that need to see it, and I need a way to secure the whole site only to all inside people; just the salesmen on the outside; and part of the site needs to be locked out to only managers.

Boy, what a job.

Thank you all, ahead of time for any suggestions.

BTW: I'm sorry if that sounded krass, I did'nt mean for it to.


The door to life is never locked, but few have the knowledge to open it.

 

[silvers5]

I'm using my solution to secure access to our Backoffice site, only the IT departement can access the site, other employers are restricted to some areas or fully restricted to access..
you'll need both ways a database to store access rights informations

rgrds Silvers5 aka El-pirate
As seen on

http://www.Experts-exchange.com

 

[bigfoot]

Hi Silvers5, I like your way but then I have to duplicate my user table. I was thinking... If I used NT on the networking end, and your way on the validation end, then all I would need id the user name which they can't change in NT anyway.

I still think there's a better way. The door to life is never locked, but few have the knowledge to open it.

 

[silvers5]

You'll give them same usernames but another set of passwords or same passwords and this is the only effective way to do it! you can try to use the

http://www.aspuser.com/

component to fetch passwords from NT accounts and synchronise them with the database each while (automate it)

rgrds Silvers5 aka El-pirate
As seen on

http://www.Experts-exchange.com

 

[bigfoot]

Oooooooo That's cool!
I think I need to look into AspUser at least for the moment.
But I also like MarkRuse's example, but I need to look it up to see how to do it.

So many options. Can't use MS challange/response; my Apple people will bit&amp;$.

Gary
The door to life is never locked, but few have the knowledge to open it.

 

[bigfoot]

Challange/Response does not work with my MAC people. We tried MS ie and Netscape. I don't know why.
I'm going to try to use NT security. The door to life is never locked, but few have the knowledge to open it.