How to restrict page access

Status
Not open for further replies.

tabbytab (Technical User), Mar 21, 2005
Hi Guys.

I need to devise a way that would stop someone being able to access my pages unless they are an authorized user. I am assuming that my clients (or at least some of them) will have cookies disabled (probably an internal IT policy), so I cannot use session variables.

Is there an easy obvious way ?

Currently my users log in by details entered on a page login.asp which upon submission are validated on validate.asp against a MySQL db; the user is sent back to login.asp if unsuccessful.

I currently use Request.Form to pick up details from the previous page. Is this safe, or can abusers see these details? Could I just keep passing a 'hidden' input and check at the beginning of each page that this held an expected value?


Blimey, I hope the above makes sense!
As always - many thanks in advance
tabbytab :)
 
The hidden form field is easy to hack; you just post your own form to the destination page.

The only way to do this successfully is with some form of session value.

You could try it in an application array that checks which users are logged in but that will be VERY server intensive.

Can you not ask your users to enable cookies?

Cheers

Russell
 
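As an added illustration of the two points above (not code from the thread), the block below puts the plain hidden-field check the original poster proposed next to a cookieless alternative that none of the replies spell out: a hidden input carrying a server-signed, expiring token, verified with an HMAC on every page. It is written in Python rather than the thread's classic ASP for clarity; the names `weak_check`, `issue_token`, `verify_token`, `SERVER_KEY` and the sample user "alice" are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Server-side signing key (example assumption). In a real deployment load it from
# configuration so it survives restarts and is shared by every web server; it must
# never be sent to the client.
SERVER_KEY = secrets.token_bytes(32)

TOKEN_TTL = 900  # seconds a token stays valid after it is issued


def weak_check(form):
    """The scheme the original poster asked about: a hidden input that must hold
    a fixed expected value. Anyone who has seen the value once can post it from
    their own form, which is exactly the attack Russell describes."""
    return form.get("auth") == "ok"


def issue_token(username, now=None):
    """Return 'user|expiry|hmac' for the client to carry in a hidden input."""
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + TOKEN_TTL}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token, now=None):
    """Return the username if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    parts = token.rsplit("|", 2)
    if len(parts) != 3:
        return None
    username, expiry_text, sig = parts
    if not expiry_text.isdigit():
        return None
    expected = hmac.new(SERVER_KEY, f"{username}|{expiry_text}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot learn the MAC byte by byte
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= int(expiry_text):
        return None
    return username


def demo():
    """Constructed requests (not real traffic): a forged hidden field against both schemes."""
    issued_at = 1_111_111_000
    token = issue_token("alice", now=issued_at)
    return {
        # attacker's own form carrying the guessed hidden value
        "weak_accepts_forgery": weak_check({"auth": "ok"}),
        "genuine": verify_token(token, now=issued_at + 60),
        # attacker edits the username but cannot recompute the MAC
        "tampered": verify_token(token.replace("alice", "admin"), now=issued_at + 60),
        # attacker builds a token from scratch with a made-up MAC
        "forged": verify_token("admin|9999999999|00ff", now=issued_at + 60),
        # genuine token presented after its lifetime
        "expired": verify_token(token, now=issued_at + TOKEN_TTL),
    }
```

The token is a bearer credential: it has to travel over HTTPS, and every form and link on the site must carry it forward, the same burden a cookieless session ID imposes. Unlike Russell's suggested application array it needs no per-user server state, which is why it is the usual stateless answer when cookies are off.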
You could just disallow anonymous access in IIS. Then users would see a Windows login screen when they attempt to access the site.

You would need to create an account on the web server for them to log in as (either one per individual or one for the whole thing).

Programming today is a race between software engineers striving to build better and bigger idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. - Rick Cook
 
If on an intranet and each user has a "profile" in the database, for example name/phone/logon name, then you can use Request.ServerVariables("LOGON_USER").

This can be entered into the database automatically without user intervention on the initial profile form. Then when they come back, use the LOGON_USER to compare their UNIQUE Windows authenticated logon with the database. This is assuming you are on an intranet and your folks are on a Windows environment.

example:
Code:
<%
  ' Do the access check before any HTML is sent, so the redirects below
  ' work whether or not Response.Buffer is on.
  Dim logon, objCmd, objRS

  'dbconnection
  ' objConn is assumed to be an ADODB.Connection already opened to the MySQL db

  logon = Request.ServerVariables("LOGON_USER")

  ' LOGON_USER is empty while IIS still allows anonymous access: nobody to look up
  If logon = "" Then
    Response.Redirect "user_profile.asp"
  Else
    ' Parameterised query: LOGON_USER is set by IIS, but request-derived
    ' values should never be concatenated into SQL text
    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandText = "SELECT Logon FROM tblUsers WHERE Logon = ?"
    ' 200 = adVarChar, 1 = adParamInput, 255 = column width
    objCmd.Parameters.Append objCmd.CreateParameter("Logon", 200, 1, 255, logon)
    Set objRS = objCmd.Execute

    If objRS.EOF Then
      ' No profile for this Windows account. Nothing is written here because
      ' Response.Redirect discards any body, so a message would never be seen.
      objRS.Close
      Response.Redirect "user_profile.asp"
    Else
      objRS.Close
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
 <head>
  <meta HTTP-EQUIV="Content-Type" content="text/html; charset=ISO-8859-1">
 </head>
 <body>
<%
      'code for page
%>
 </body>
</html>
<%
    End If
  End If
%>
 
Oops... the objRS.EOF will work but... hehehe... you'd have to have a speed reader to catch the message. Please disregard the message; it will simply redirect to the logon page.
 