login script question


  1. #1
    Join Date
    Dec 1969

    login script question

    I have a login script that redirects users based on their username & password. The problem is that once logged in - users are able to jump around to different password-protected directories. For example:

    users logged into sites/siteA can manually type in sites/siteB and see another (in this case) client's information. How do I prevent this from happening?

    I have this snippet of code at the top of all protected pages:

        <% If session("log_in") <> "True" Then
            response.redirect "../login.asp"
        End If %>

    Here's login.asp:

        <%
        Dim Conn_CONNECTIONSTRING
        Dim Conn
        Dim objRecordset1
        Dim rstemp

        Set Conn = Server.CreateObject("ADODB.Connection")
        Set rstemp = Server.CreateObject("ADODB.RecordSet")
        Conn.ConnectionString = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.Mappath("......staging_dblogin.mdb") & ";"
        Conn.Open

        If request.form("login") = "yes" then

            ' Builds the query by concatenating the form input into the SQL string
            sqltemp="select * from Users where username='"
            sqltemp=sqltemp & request.form("username") & "'"
            sqltemp=sqltemp & " AND password='"
            sqltemp=sqltemp & request.form("password") & "'"
            set rstemp=Conn.execute(SQLTemp)

            If NOT rstemp.eof then

                dim urlpath
                urlpath = rstemp("url")

                ' Only records that the user logged in, not which site they belong to
                session("log_in") = "True"

                response.redirect urlpath
            Else
                response.redirect "invalid.html"
            End If

        end if

        %>

  2. #2
    Join Date
    Dec 1969

    RE: login script question

    You'll need to set up some kind of structure for the login permissions.

    For example instead of just setting login = True set a session variable = site a or site b or whatever and then check for that value for each site.

  3. #3
    Join Date
    Dec 1969

    Piece of cake.

    I use this all the time...

    In your log in page, set a session variable equal to the area that the user has access to, then in your header and footer files, have an if-then statement, and set your page permissions at the top of the requesting page...

    For example...

    Page1.asp
    -------------------------------------------
        <%
        accesslevel="1,3,4"
        %>
        <!--#include file="includes/header.asp"-->
        <%
        'Put your page content in here!!!
        %>
        <!--#include file="includes/footer.asp"-->

    includes/header.asp
    -------------------------------------
        <%
        valid = false
        access = split(accesslevel,",")
        for each item in access
            'Compare each allowed level with the level stored in the session
            if Trim(item) = CStr(session("accesslevel")) then
                valid = true
                exit for
            end if
        next
        if not valid then
            'User does not have access to page
        else
        'Leave this open ended, so your page content shows up
        %>

    includes/footer.asp
    -----------------------------------
        <%
        end if 'This is the end of your access if..then..else clause.
        %>

    Hope this helps!

    -- Whol
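
Added example, not part of the original thread: the approach suggested in replies #2 and #3 applied to the asker's login.asp, storing the user's own site folder in the session at login and checking it at the top of every protected page, with the lookup parameterized instead of concatenated. The session key `site_folder`, the sample `url` value and the assumption that `Conn` is already open as in the original login.asp belong to this example only.

```vbscript
<%
' --- login.asp (added example) ---
' Assumes Conn is the open ADODB.Connection from the original login.asp and
' that Users.url looks like "sites/siteA/default.asp" (constructed value).
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202

If Request.Form("login") = "yes" Then
    Dim cmd, rs, url, folder
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText
    ' ? placeholders keep the form input out of the SQL text.
    cmd.CommandText = "SELECT url FROM Users WHERE username = ? AND [password] = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, 255, _
        Left(CStr(Request.Form("username")), 255))
    cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, 255, _
        Left(CStr(Request.Form("password")), 255))
    Set rs = cmd.Execute

    If rs.EOF Then Response.Redirect "invalid.html"

    url = rs("url") & ""
    ' Keep only the folder part, e.g. "/sites/sitea/"; the trailing slash
    ' stops "sitea" from also matching a folder named "siteab".
    folder = LCase(Left(url, InStrRev(url, "/")))
    If folder <> "" And Left(folder, 1) <> "/" Then folder = "/" & folder

    Session("log_in") = "True"
    Session("site_folder") = folder   ' hypothetical session key
    Response.Redirect url
End If
%>

<%
' --- top of every protected page, e.g. a shared include (added example) ---
Dim reqPath, ownFolder
reqPath = LCase(Request.ServerVariables("SCRIPT_NAME"))   ' e.g. "/sites/sitea/x.asp"
ownFolder = Session("site_folder") & ""

' Fail closed: not logged in, no folder stored, or a different site's folder.
If Session("log_in") <> "True" Or ownFolder = "" Then
    Response.Redirect "../login.asp"
ElseIf InStr(reqPath, ownFolder) = 0 Then
    Response.Redirect "../login.asp"
End If
%>
```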
