using session variables for security to view information.

[sgore]

I have created a registration site that will assign users a security code. When the user logs onto the site this security code is stored in a session variable. This code is then used to when accessing different pages. The user will only be able to see information for that particular security code. For example (basic user, admin user, ect).

************

Here is how I get my information from the DB:
securityLVL = number (Access DB)

'*** Set up database connection
set Conn=server.createobject("adodb.connection&quot
sConnection="PROVIDER=Microsoft.Jet.OLEDB.4.0;DATA SOURCE="
sConnection=sConnection & server.mappath("tmp.mdb&quot& ";"

Conn.Open sConnection

sSQL = "SELECT * FROM pass WHERE uname = '" & myname & "'"
Set oRS = Conn.Execute(sSQL)

*****************
Here is where I set my security level:

SESSION("securityLVL&quot = oRS("securityLVL&quot

*****************

This is what I place at the top of my .asp files


IF SESSION(&quot;securityLVL&quot <> 1 OR SESSION(&quot;securityLVL&quot = &quot;&quot; THEN
Response.Write &quot;You are not authorized to access to this page!!&quot;
ELSE
user has access

This portion works fine if the users secLVL is 1, however if I add an additional OR:

IF SESSION(&quot;securityLVL&quot <> 1 OR SESSION(&quot;securityLVL&quot<> 3 OR SESSION(&quot;securityLVL&quot = &quot;&quot; THEN

and the user has secLVL of 3 the statement fails and the user gets the not authorized message.

any ideas on a better way to check this value??

 

[jsager]

Change it to this

IF (SESSION(&quot;securityLVL&quot <> 1 AND SESSION(&quot;securityLVL&quot<> 3) OR SESSION(&quot;securityLVL&quot = &quot;&quot; THEN

That should work

 

[Dynapen]

Also try writing it to a local variable, and then doing your check. No sense in grabbing the session varialbe 3 times to check it, when you can jsut grab it once.

 

[sgore]

Thanks for the help... It is working now...