
Sessions I think? help


IndyGill (Technical User), Jan 15, 2001
Hi all

I am just starting to get into ASP but I am not an experienced programmer, so I was wondering if you could help me. I have built a pretty basic login page with UserID, Password and User Level which is linked to an Access DB to look up the ID and Password. When the correct ID and password are typed you are directed to a loginok.asp page.

The Problem
The problem I have is that it is possible to bookmark loginok.asp once logged in from the browser, therefore bypassing the login in future cases. Also I don't want them to be able to type in the full URL (I have prevented the browser from caching the page but do not know how to get round the bookmark thing). I think I need to use a Session or some sort of way to expire the page, however I am unfamiliar with this. I created the sessions on the login page but do not know how to call them to expire on the loginok.asp.

I have included the code below to

<%@LANGUAGE="VBSCRIPT"%>
<%
' Read the posted form fields. The "x" / "1" defaults are the values used
' when the page is requested without a form post.
Dim myconnection__strUserID
myconnection__strUserID = "x"
If (Request.Form("UserID") <> "") Then myconnection__strUserID = Request.Form("UserID")
Dim myconnection__strPassword
myconnection__strPassword = "1"
If (Request.Form("Password") <> "") Then myconnection__strPassword = Request.Form("Password")
%>
<%
' Look the user up in the Access table. Single quotes in the input are
' doubled so they cannot break out of the string literals in the SQL.
Set myconnection = Server.CreateObject("ADODB.Recordset")
myconnection.ActiveConnection = "dsn=password;"
myconnection.Source = "SELECT * FROM Table1 WHERE UserID = '" & Replace(myconnection__strUserID, "'", "''") & "' AND Password = '" & Replace(myconnection__strPassword, "'", "''") & "'"
myconnection.Open
%>
<%
' A matching row means the credentials are right: remember the user in the
' session and send them on; otherwise send them to the failure page.
If myconnection__strUserID <> "x" Then
    If Not myconnection.EOF Then
        Session("svUser") = myconnection.Fields.Item("UserID").Value
        Session("svPass") = myconnection.Fields.Item("Password").Value
        Session("svAccess") = myconnection.Fields.Item("userLevel").Value
        Response.Redirect "loginok.asp"
    Else
        Response.Redirect "loginfailed.asp"
    End If
End If
%>

I apologise as I am using Ultradev, many thanks in advance

Indy
 
Generate two random numbers between 0 and 99999999, concatenate them as a string in a session variable and put the string in a hidden field on the form or in the URL.

Randomize
lngRandom1 = CLng(Int(Rnd * 100000000))   ' 0 .. 99999999
lngRandom2 = CLng(Int(Rnd * 100000000))
Session("svToken") = CStr(lngRandom1) & CStr(lngRandom2)

In the login ASP, verify that

If Session("svToken") = Request.Form("Token") Then
    ' the token matches the one issued with the form: carry on with the login
End If
 
I won't modify the code above, but rather give you the session solution you have asked for:

To set a session variable, just do this:

session("varName") = value

And to retrieve it, just do this:

varName = session("varName")

So, with that, let's draw a little scenario where if a user's userID and password are found in the database, then we set a session variable called loginOK to 1 -- if that variable exists upon the load of any page, then the page can continue to execute -- if that variable does not hold the desired value, then we kick them out -- Here, we assume that the user just entered their information into a form and has arrived at this page. Consider this:

<%
dim loginOK, con, rs, uid, pwd

uid = request.form("UID")
pwd = request.form("PWD")

set con = server.createObject("ADODB.Connection")
set rs = server.createObject("ADODB.Recordset")

con.open ("DSN=myDSN;UID=;PWD=")

'here, we select the user --
'single quotes in the input are doubled so they can't break out of the SQL string
rs.open "SELECT * FROM users WHERE UID='" & replace(uid, "'", "''") & "' AND PWD='" & replace(pwd, "'", "''") & "'", con

'here, we check for an empty recordset
'if it's not empty, then we assume they are valid
'if it is empty, then they are not valid
if (rs.eof and rs.bof) then
    loginOK = false 'rs is empty
else
    loginOK = true 'rs isn't empty
end if

if loginOK then
    'setting session variable if login successful
    session("loginOK") = 1
else
    'redirecting user if login failed
    response.redirect("loginError.htm")
end if

'Here, you can do whatever you want to do
' It is safe to assume that any non-valid
' users have been redirected away from the page
%>

Ok, so we have accomplished that -- now for checking on every page to make sure they are still logged in -- add this little bit of code to the top of the page -- maybe even in an include file (good idea)

<%
'a missing or wrong flag means the visitor never passed the login page
if session("loginOK") <> 1 then
    response.redirect("loginError.htm")
else
    'logged in: set the value again to keep the session alive (see below)
    session("loginOK") = 1
end if
%>

Notice that I set the value again -- that is because the session variable will expire after 20 minutes (default). I have never gotten a straight answer on whether or not simply accessing the variable "reset"s the timer, but I know that setting the value again definitely will -- so that's what I do

It would be a good idea to add this line to the top of every page that you are checking for logins in the case that you may have to redirect --

response.buffer = true

That will keep you from throwing your users an error if there have already been html headers written to the screen IF they are redirected. If they aren't redirected, then no harm, no foul...

I apologize for any syntax errors that may be here -- this code isn't tested, as I just wrote it, but the concept is expressed, and that should get you there.

hope it helps! :)
Paul Prewett
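As an added example, not code from either reply or from the original poster: the include-file idea from Paul's reply carried through to the pages this thread talks about, so that a bookmarked or typed-in loginok.asp is always sent back to the login form unless the server-side session says the visitor logged in. The file names checklogin.inc, logout.asp and login.asp (the login form), the RequireLogin and RequireLevel subroutine names, and the assumption that userLevel is a number are all mine; Session("loginOK"), Session("svUser") and Session("svAccess") are the variables already used in the thread.

```vbscript
<%
' ---- checklogin.inc (hypothetical file name) -------------------------
' Pulled into the very top of every protected page, before any HTML:
'   <!--#include file="checklogin.inc"-->
' Nothing in the request itself (URL, bookmark, referer) proves the visitor
' logged in; only the server-side Session("loginOK") flag set by the login
' page does, and that flag is what this include checks.

' Buffer so a redirect can still be sent after this point; must precede output.
Response.Buffer = True

' Keep protected pages out of browser and proxy caches, so a bookmarked or
' re-typed URL always comes back to the server and therefore to this check.
Response.Expires = -1
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"

' Reject anyone without the flag. Response.Redirect ends the page, so the
' code after the include only ever runs for logged-in users.
Sub RequireLogin()
    If Session("loginOK") <> 1 Then
        Response.Redirect "login.asp"   ' login.asp = the login form (assumed name)
    End If
    ' Set the value again, as the reply does, so the session stays fresh.
    Session("loginOK") = 1
End Sub

' Optional: require a minimum userLevel, stored in Session("svAccess") at
' login. Assumes userLevel is numeric, bigger meaning more access.
Sub RequireLevel(minLevel)
    RequireLogin
    If Not IsNumeric(Session("svAccess")) Then
        Response.Redirect "loginError.htm"
    End If
    If CLng(Session("svAccess")) < minLevel Then
        Response.Redirect "loginError.htm"
    End If
End Sub

RequireLogin
%>

<%
' ---- logout.asp (hypothetical file name) -----------------------------
' Abandon discards every session variable, so the next request to any
' protected page fails RequireLogin and lands on the login form again.
Session.Abandon
Response.Redirect "login.asp"
%>

<!-- loginok.asp: the page the original poster wants to protect -->
<!--#include file="checklogin.inc"-->
<html>
<body>
  <p>Welcome, <%= Server.HTMLEncode(Session("svUser")) %>.</p>
  <p><a href="logout.asp">Log out</a></p>
</body>
</html>
```

The three pieces are shown in one listing but live in three files. Because Response.Redirect stops the page, a bookmarked loginok.asp opened in a fresh browser, or after logout.asp has run, never gets past the include; the no-cache headers also stop the Back button from showing a stale copy of the protected page after logging out. A page that needs a higher access level calls RequireLevel with the level it needs right after the include instead of relying on RequireLogin alone.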
 