
Web Site security 2


jimbob550

Programmer
Jun 28, 2001
7
US
Hi,
I've been making sites for a little while...still learning though. Just saw tek-tips and thought I'd try it out...

Does anyone know how I can secure my web site so only people I want to enter it can enter it? I mean, I know I can make a log in and password, then request it from the next page and verify that it is correct via database....but that doesn't stop them from just typing in the next page or any other page in the member area and going directly to it.

How could I keep someone from going directly to a page? How can I make them have to log in?

Jim
 
Use session state to verify whether the person has authorization. When they log in, on the page receiving the userID and password, if the lookup succeeds, set a session flag to true. Then at the top of every page in the member area, include a file that you make that checks whether the flag is set to true. If it's not, then redirect them back to the login page, or to another page of your choosing.

Example:
---page1.asp-----------------------------------------

<form action='page2.asp' method='post'>
USER ID:<input type='text' name='userID'>
PASSWORD:<input type='password' name='userPW'>
<input type='submit' value='Submit'><input type='reset' value='Reset'>
</form>


---page2.asp-----verifying page----------------------

<%
Option Explicit
' Buffer the response so Response.Redirect works even if something has already been written
Response.Buffer = True

Dim userID, userPW, connection, cmd, rs, authenticated
userID = Request.Form("userID")
userPW = Request.Form("userPW")

' Set connection string here (placeholder; use your own provider string)
Set connection = Server.CreateObject("ADODB.Connection")
connection.Open "<your connection string here>"

' Parameterised command: the submitted values are bound as parameters, never
' pasted into the SQL text, so a quote in the userID or password cannot change
' the statement. (200 = adVarChar, 1 = adParamInput, 50 = maximum length.)
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = connection
cmd.CommandText = "SELECT userID FROM userTable WHERE userID = ? AND userPW = ?"
cmd.Parameters.Append cmd.CreateParameter("userID", 200, 1, 50, userID)
cmd.Parameters.Append cmd.CreateParameter("userPW", 200, 1, 50, userPW)
' This compares against whatever userTable holds; storing a salted hash of the
' password and comparing the hash of userPW to it is the safer arrangement.
Set rs = cmd.Execute

authenticated = Not rs.EOF
If authenticated Then session("userID") = rs("userID").Value

' Release the database objects first: Response.Redirect ends the response,
' so any statements placed after it would never run.
rs.Close
Set rs = Nothing
connection.Close
Set connection = Nothing

If authenticated Then
    session("Flag") = True
    Response.Redirect "members.asp"
Else
    session("Flag") = False
    ' badPerson_bad.asp is any "No Access" page that you want,
    ' or your login page. It doesn't matter.
    Response.Redirect "badPerson_bad.asp"
End If
%>

---members.asp------------------------------

<!-- #include file="checkIt.asp" -->
<%
Response.Write "Welcome " & session("userID") & "!<BR>"
Response.Write "This is the member area, for members only!"
%>



---checkIt.asp------the include page---------

<%
' Included at the top of every member-area page: a request that arrives without
' the session flag (for example, a URL typed in directly) goes back to the login form.
If session("Flag") <> True Then
    Response.Redirect "page1.asp"
End If
%>



==================================================
==================================================

Hope this helps.
-Ovatvvon :-Q
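As an added illustration (not code from the thread), the same two pieces, the verifying page and the include-file gate, modelled in Python with sqlite3 so the flow can be run stand-alone. The userTable rows and the member page names are constructed, and the lookup binds the submitted values as query parameters rather than concatenating them into the SQL text.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "userTable".
USERS = [("jim", "s3cret"), ("o'brien", "pa55")]
MEMBER_PAGES = {"members.asp", "profile.asp"}  # assumed member-area pages


def make_db():
    """Build an in-memory userTable with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userTable (userID TEXT, userPW TEXT)")
    db.executemany("INSERT INTO userTable VALUES (?, ?)", USERS)
    return db


def login(db, session, user_id, user_pw):
    """page2.asp: look the credentials up and set the session flag.

    The values are bound as parameters, so the apostrophe in "o'brien" is
    data, not SQL; the thread's string-built query would break on it.
    Returns the page the user is redirected to.
    """
    row = db.execute(
        "SELECT userID FROM userTable WHERE userID = ? AND userPW = ?",
        (user_id, user_pw),
    ).fetchone()
    session["Flag"] = row is not None
    if row is not None:
        session["userID"] = row[0]
        return "members.asp"
    return "badPerson_bad.asp"


def serve(session, path):
    """checkIt.asp included on every member page: whatever URL is typed,
    a member page without the session flag redirects to the login form."""
    if path in MEMBER_PAGES and session.get("Flag") is not True:
        return ("redirect", "page1.asp")
    if path in MEMBER_PAGES:
        return ("page", "Welcome " + session["userID"] + "!")
    return ("page", path)
```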



 
Wow, that's cool.
Never woulda thought of that!
Thanks Ova!!

Jim
 
Ovatvvon:

Great job on the authentication script, but I just noticed something. On "page2.asp" I had to add the following line:

=================================
<% Response.Buffer = True %>
=================================

...because PWS was generating an error message indicating that the headers had already been written to the client...and the page couldn't be displayed.

I'm not sure at this time if this will be replicated on IIS (I'll test it and see). But, your login procedure works fine after adding the buffering statement.

Thanks!
 
It's probably where I wrote the comments.
Try taking them out.

Also, IIS allows the management to set the buffer to true or false, along with the coding control. I leave mine set to true on all my sites just because I run into stuff like that all the time. If for some reason I need it turned off, then I'll code it to false on the page.

So, sorry I didn't think about that, as mine is always set to true...but glad I could help.
-Ovatvvon :-Q
 