
Problem with Sessions 1

Status
Not open for further replies.

Rexolio

Technical User
Aug 29, 2001
230
I'm using a session for a secure area of my site. If the user logs in with the correct password, the session

PASSWORD PROCESS ASP***************************************
if Password = "test56" then
Session("authorized") = 1
Response.redirect ("main.asp?UID=" & UserID & "")
else
Session("authorized") = 0
Response.redirect ("entry.asp?ErMsg=Incorrect~Password")
end if

PROTECTED PAGE ********************************************
if Session("authorized") <> 1 then
Response.redirect ("entry.asp?ErMsg=Session~Timeout")
end if

I now see the need to tighten up my security. As it is, the User ID gives users their account information. However, once in the protected area, you can easily change the UID in the address field on the browser to be a different number, and if that number is a valid UID, then someone else's account info displays.

I've tried doing the following:

PASSWORD PROCESS ASP***************************************
if Password = "test56" then
Session("authorized") = UID
Response.redirect ("main.asp?UID=" & UserID & "")
else
Session("authorized") = 0
Response.redirect ("entry.asp?ErMsg=Incorrect~Password")
end if

PROTECTED PAGE ********************************************
if Session("authorized") <> UID then
Response.redirect ("entry.asp?ErMsg=Session~Timeout")
end if

However, every time I try to log in I get thrown back to the entry.asp page with the message "Session Timeout". I figured this would work after the login page because, if a user changes the UID number, the session value would still be the original UID; therefore, when the changed UID didn't match, it would throw them back to the sign-in page.

Can anyone help?

Thanks!
Rexolio
 
Hi

Just a quick question - in the protected page you are checking the session against a variable called UID, have you already established the value of that variable using something like:

UID = Request.querystring("UID")

If you haven't, that'll be your problem: you are assuming that the querystring parameter has already been picked up by the VBScript. Derren
[The only person in the world to like Word]
 
sorry to leave that out, but yes, I have identified the value...

UID = Request("UID")

Thanks,
Rex
 
Hmm, everything looks OK from here, there may be something else which is playing a part.

Before the UID check in the protected page, pop some variable listing code in to manually check those values.

response.write("Session is: " & session("authorized") & " URL parameter is: " & UID)
response.end

This will narrow down the search a lot. Derren
[The only person in the world to like Word]
 
For the security, why don't you just make the UserID in the session scope instead of passing it from page to page? This increases your security because you don't need to worry about someone changing the number in the url bar, plus it is automatically carried over to every page without you having to specify it.

Then, you can also simply check for a true or false value on the session("authorized") variable for each page as well, which will make for less confusion. -Ovatvvon :-Q
 
Ovatvvon,

I know what you're saying and I think I tried to do that earlier with the same results, but could you give me an example?

Rex
 


--- Signin Page ------------
If password = "asdf" Then 'Case-Sensitive if straight text
session("authorized") = True
session("uid") = UserID
response.redirect("main.asp")
Else
session("authorized") = False
session("uid") = 0
response.redirect("entry.asp?Errmsg=" & Server.URLEncode("Incorrect Password"))
End If


--- Main Page ---------------------------
If session("authorized") <> True Then
Response.redirect("entry.asp?Errmsg=" & Server.URLEncode("Session Timeout"))
End If


Now the user's ID is not being passed via URL, and therefore cannot be altered.

Hope this makes sense... -Ovatvvon :-Q
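As an added example (not code from the thread), here is a Python model of the two designs discussed above: the original protected page that reads the UID from the query string, beside Ovatvvon's version that keeps the UID in the session. The in-memory session store, the account records and the passwords are constructed stand-ins for ASP's Session object and the site's own data.

```python
# Added example, not from the thread: a minimal model of both designs.
# SESSIONS stands in for ASP's server-side Session object, keyed by a
# session id that the browser would carry in its cookie.
import secrets
from typing import Dict, Optional

# Constructed sample data (not real accounts): uid -> account record / password.
ACCOUNTS = {101: {"owner": "alice", "balance": 40},
            102: {"owner": "bob", "balance": 99}}
PASSWORDS = {101: "test56", 102: "hunter2"}   # plaintext only to mirror the thread

SESSIONS: Dict[str, dict] = {}   # session id -> session variables, server side only


def login(user_id: int, password: str) -> str:
    """Sign-in page: returns a fresh session id; the identity lives server-side."""
    sid = secrets.token_hex(16)   # unguessable id, never derived from the uid
    if PASSWORDS.get(user_id) == password:
        SESSIONS[sid] = {"authorized": True, "uid": user_id}
    else:
        SESSIONS[sid] = {"authorized": False, "uid": 0}
    return sid


def main_page_vulnerable(sid: str, query: dict) -> Optional[dict]:
    """Original design: 'authorized' comes from the session, UID from the URL.
    Any logged-in user can request any valid UID (the problem in the first post)."""
    s = SESSIONS.get(sid, {})
    if not s.get("authorized"):
        return None                     # -> entry.asp?ErMsg=Session~Timeout
    return ACCOUNTS.get(int(query["UID"]))   # trusts the user-supplied UID


def main_page_fixed(sid: str, query: dict) -> Optional[dict]:
    """Ovatvvon's design: both the flag and the UID come from the session,
    so the query string has no say in whose account is shown."""
    s = SESSIONS.get(sid, {})
    if s.get("authorized") is not True:
        return None
    return ACCOUNTS.get(s["uid"])       # query is ignored for authorization
```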
 
Ovatvvon... Thanks! That works like a charm!!! It's perfect!!! Thanks again!
 