Help w/login using Session()


Thread: Help w/login using Session()

  1. #1
    Join Date
    Dec 1969
    Posts
    105

    Help w/login using Session()

    I have a password-protected site that is using a session variable.

    I have this code at the top of each password-protected page:

    If session("active") <> "True" Then
    response.redirect "login.asp"
    End If

    Where "active" is the user's password pulled from a database.

    The trouble is that once you are in a site, you are able to manually type in another site name and jump around to those protected sites without getting any login prompt, because it sees that session("active") is true.

    I need "active" to be dynamic yet secure. Is this possible?

  2. #2
    Join Date
    Dec 1969
    Posts
    2,930

    have an admin level

    admin 1 can access some pages
    admin 2 can access more pages
    admin 3 can access most pages
    admin 4 can access all pages

    of course, set this up to fit your needs, store in an "admin" session variable...

    Session("admin")
    and test...
    if session("admin") = 4 And Session("active") = "True" Then
    you may be able to do away with the "active" session variable if you have an admin...

    once "active" is set to true, the user will be able to view other pages if that's the only criteria required to be able to view them. you might be able to say this...
    Session("viewPageA") = "true"

    that way they can view page A, and no others, but admin would be the way to go on this one, i think...

  3. #3
    Join Date
    Dec 1969
    Posts
    105

    What if I have 1000 sites?

    I will be using this for quite a few client sites. Will I need to set a number for each site?

    Also I'd really like to hook the session variable up w/ the user's password from database if possible...

  4. #4
    Join Date
    Dec 1969
    Posts
    2,930

    sites?

    do you mean pages? i think of a site as a whole new domain name, is all.

    yes you would have to set a number for each "site". if you want a 1:1 ratio of users to "sites" that they can view, you'd want to have some kind of distinct value that determines that they are allowed to view this current "site" and not the other "sites".


  5. #5
    Join Date
    Dec 1969
    Posts
    105

    1000 different pages then?

    Wouldn't it be just as easy to assign each "page" a unique session name - not pulling anything from the dbase?

  6. #6
    Join Date
    Dec 1969
    Posts
    1,570

    that would entail...

    writing a lot of pages that could be wrapped up in a lot less pages by simply using conditional statements to determine who can do what on each page...

  7. #7
    Join Date
    Dec 1969
    Posts
    105

    Explain...

    I'm not sure what you mean. I am thinking of this in terms of client review sites. I have a directory set up for Client A and a directory set up for Client B. Client A will never have permission to see any of Client B's pages and vice versa.

    I thought the simplest way to set this up was to dynamically generate the session name by pulling it from a database - in this case the client's password. By having

    Session("active") = rstemp("password")
    Session("active") = True

    on the login page I wanted the UNIQUE value of the password to be passed to the session. Is that not happening?

  8. #8
    Join Date
    Dec 1969
    Posts
    1,570

    RE: Explain...

    that can happen very easily... after a user logs in, query the db to see if this person is in there, if so then put the password in a session variable, and on each page you would base the security on that password session variable and other permissions of course.

  9. #9
    Join Date
    Dec 1969
    Posts
    105

    Isn't the code...

    at the top of each page already supposed to be doing that?

    If session("active") <> "True" Then
    response.redirect "login.asp"
    End If

  10. #10
    Join Date
    Dec 1969
    Posts
    1,570

    okay!!

    yes. you should just put that code in a little .asp file and include it on every page then. I didn't know that all you were trying to do was set up a session and if the session ends, then send the user to the login screen. Yes, that is the way to do it!!!
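
An added example, not code from any poster in this thread: one way to write the shared include file so that a session opened for Client A is refused on Client B's pages, which a single `Session("active")` flag cannot do. It assumes (none of this is stated in the thread) that each client's pages live under `/clients/<folder>/` at the site root, and that `login.asp` stores that folder name, not the password, in a hypothetical `Session("clientDir")` after checking the password against the database.

```vbscript
<%
' auth.asp - added example. Include at the top of every protected page:
'   <!-- #include virtual="/auth.asp" -->
' Assumed layout: /clients/<folder>/page.asp
' Assumed login step (in login.asp, after the password check succeeds):
'   Session("clientDir") = rstemp("folder")   ' hypothetical column name

Function ClientDirFromPath(path)
    ' Return the folder name that follows /clients/ in the path, or "".
    Dim parts
    ClientDirFromPath = ""
    parts = Split(LCase(path), "/")
    ' "/clients/acme/page.asp" -> "", "clients", "acme", "page.asp"
    If UBound(parts) >= 3 Then
        If parts(1) = "clients" Then ClientDirFromPath = parts(2)
    End If
End Function

Sub RequireClientSession()
    Dim requestedDir, sessionDir
    ' SCRIPT_NAME is the page the browser asked for, not this include.
    requestedDir = ClientDirFromPath(Request.ServerVariables("SCRIPT_NAME"))
    ' An unset session variable is Empty, which CStr turns into "".
    sessionDir = LCase(CStr(Session("clientDir")))

    ' No login in this session: send the user to the login page.
    If sessionDir = "" Then
        Response.Redirect "/login.asp"
    End If

    ' Logged in, but the requested page is outside this client's folder
    ' (or outside /clients/ entirely): refuse instead of serving it.
    If requestedDir = "" Or requestedDir <> sessionDir Then
        Response.Status = "403 Forbidden"
        Response.Write "Access denied."
        Response.End
    End If
End Sub

RequireClientSession
%>
```

Because the check compares the session value with the folder of the requested page, typing another client's URL by hand yields a 403 rather than the page.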
