ASP Sign In authentication problem!


  1. #1
    Mike Cohen Guest

    ASP Sign In authentication problem!

    Hi,

    I'm having a little problem with a Sign In page that I am creating. The page basically allows the user to supply their username and password and submit the information back to the page for authentication. This is the easy part, but here is where I am getting trapped. After the user is successfully signed in, the user is then redirected to an Account page. From there the user can update their profile and save it to the database. So what's so tricky about that? Well for one, after the user has submitted the page I don't want them to be allowed back into the account page unless they sign in again. So if the user types "" into the URL, they will be redirected to the sign in page.

    One way to go about solving that problem is to let the Account page do the authentication. If the login is unsuccessful then the user is redirected back to the Sign In page. But since the login is incorrect then the Sign In page should give some sort of error message to the user. So how could I tell the Sign In page there is an error? Through the query string? No, the user can screw around with it. The other option is to use a Session variable, but that is just a no-no in itself because of memory usage, time-outs and so on.

    The Sign In page won't be just used for logging into a user's account, but for submitting online orders, retrieving saved carts, etc.

    How do sites like, and others do it? You can login to and do whatever you want. But once you have logged out you have to login to get back to your account. Even if you copy the URL with all the query variables, you still can't get into your Hotmail account until you've logged in.

    Any help would be greatly appreciated.

    Thanks!

  2. #2
    Steve Cimino Guest

    RE: ASP Sign In authentication problem!

    Are you sure you want to do it this way? I log in successfully, play around, and then say "Hey! I want to change my password." Then you're going to log me out and force me back in? My annoyance would become paramount with that (although that's just my opinion). I would see the point that after I left, I should have to re-sign in with the new password, but why do it when I've already been authenticated? I gave you the right key to get in your house, but since I changed the key, you're kicking me back out. Plus, let's hope you're using MTS or some sort of error checking; what if you kick me out, but the database had a problem updating? Now I'm in limbo.

    But, since that wasn't your question...

    Use cookies. Or, use the qs. I know you're worried that users play with it, but so what? You can do:

    login.asp?e=1

    Then on your page,

    ' Compare as a string: CInt raises a type mismatch when "e" is missing or not a number.
    If Request.QueryString("e") = "1" Then
        Response.Write "There was such and such error, try again."
    End If

    If they play with it, then they don't get the message. TS for them.

  3. #3
    Mike cohen Guest

    RE: ASP Sign In authentication problem!

    The reason I want people to login every time they want to update or submit something is so other people at a particular computer don't go snooping around with the other user's login.

    Since this site will be used on the Internet for everyone, then what happens if the computer browsing my site is for public use? Such as at a library, school and so on. If I just kept the user's login information on the browser and the person forgot to logoff or whatever, then the next person that comes along can look at the last user's account info, order history, etc.

    This is why I need some sort of security measure to ensure that no unauthorized person looks at information that they shouldn't be looking at. It's like if you go to, and any other e-commerce sites: you have to login every time you want to add, view and update your information.

  4. #4
    Steve Cimino Guest

    RE: ASP Sign In authentication problem!

    I see your point. Although once I'm authenticated at Amazon, I can do whatever (at least the things I've done so far, and I'll admit I don't spend too much time playing in there).

    If you use a cookie, you can have the cookie expire at the end of the session, i.e., when the browser closes or when the session expires. Yes, this may not be as secure, but quite frankly, if the person leaves a library with their information blasted on the screen... you get the point. You're trying to protect 5% of the population, while making the remainder pay for it.

    I guess if you want them to log on before they submit their order, you may just want to put a textbox on that page instead of having a page prior to it.

    So, I'm adding to my cart. La la la. Now, I want to pay, and on that screen is my account with how much I owe. I enter my credit card number, and for security purposes to protect myself, I have to re-enter my password. Then, on submit, if the user's password is incorrect, send 'em back to the login/shopping cart page.

    At this point, however, you'll have to make a decision: Do I assume the user just incorrectly typed the password, and keep all their items in the shopping cart? Or do I assume it's a nefarious user, and clear the cart? If it's simply a typo and you clear the shopping cart, it's probably safe to say you can kiss that sale goodbye if there were many items.

    Good Luck!

  5. #5
    Mike Cohen Guest

    RE: ASP Sign In authentication problem!

    A cookie that expires when the browser is closed seems like a better approach. It's easy enough to change and it's not a session or query variable. Once the information on the temp cookie has been checked, the data can then be removed. I guess I can think of it as a temporary scratch pad to hold variable values on my site.

    The only thing that a user won't have to log into to get information is their shopping cart. If, however, the user wants to retrieve a shopping cart from another computer because of a different session ID, then yes, they'll have to log in to get it back from the database. But that's neither here nor there.

    Thanks!
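The pieces discussed in this thread, put together as an added example that is not part of any poster's reply: an account-page guard, a sign-in page that maps the `e` code to fixed text, and a sign-out routine. It keeps sign-in state in the ASP Session object, whose cookie lasts only until the browser closes; the page names other than login.asp, the Session key "UserId" and the message texts are assumptions.

```vbscript
<%
' Added example for classic ASP (VBScript). The names account.asp and
' logout.asp, the Session key "UserId" and the message texts are
' assumptions, not taken from the thread.

' Call at the top of account.asp, before any output is written.
Sub RequireSignIn()
    ' Keep the account page out of browser and proxy caches, so the Back
    ' button on a shared machine cannot redisplay it after sign-out.
    Response.Expires = -1
    Response.CacheControl = "no-cache"
    Response.AddHeader "Pragma", "no-cache"

    ' The sign-in state lives on the server; the browser only holds the
    ' ASP session cookie, which is discarded when the browser closes.
    If IsEmpty(Session("UserId")) Then
        ' Only a code travels in the URL, never the message text itself.
        Response.Redirect "login.asp?e=2"
    End If
End Sub

' Call in login.asp to turn the ?e= code into one of a fixed set of
' messages. A missing or tampered value simply yields no message.
Function SignInMessage()
    Dim code
    code = Request.QueryString("e")
    SignInMessage = ""
    Select Case code
        Case "1"
            SignInMessage = "The user name or password was incorrect."
        Case "2"
            SignInMessage = "Please sign in to view your account."
    End Select
End Function

' Call from logout.asp, or after the profile has been saved if the
' site should require a fresh sign-in before the next change.
Sub SignOut()
    Session.Abandon
    Response.Redirect "login.asp"
End Sub
%>
```

Because the query string only selects among fixed strings and is never echoed back, editing it changes nothing except which message, if any, is shown.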
