ASP and Security question

Results 1 to 2 of 2

Thread: ASP and Security question

  1. #1
    Join Date
    Dec 1969

    Default ASP and Security question

    &nbsp;<BR>Okay..say I have this code to log someone in using their email address and password varified againts the database:<BR><BR>Dim oCONv, oRSu<BR> Set oCONv = Server.CreateObject("ADODB.Connection")<BR> oCONv.Open "DSN", "UserID", "Password"<BR><BR><BR> Set oRSu = oCONv.Execute("SELECT UserID, EmailAddress, Password FROM tblUserInfo WHERE EmailAddress = &#039" & Request.Form("EmailAddress") & "&#039 AND Password = &#039" & Request.Form("Password") & "&#039")<BR><BR> if not oRSu.EOF then<BR> <BR> Session("UserID") = oRSu ("UserID")<BR> Response.Redirect "YouAreLoggedIn.asp" <BR> else<BR> Response.Redirect "InvalidLogin.asp"<BR> end if<BR><BR>Now, on subsequent "protected pages" I have this to keep unwanted users out and pull up information about the logged in user based on their UserID:<BR><BR><BR>if Session("UserID") = "" then<BR> Response.Redirect "YouAreNotLoggedIn.asp"<BR>else<BR>end if<BR><BR><BR>Basically, this protects the page from anyone who does not have an active session called User ID, correct? My question is this:<BR><BR>What if someone comes form another site that has already set a session variable called UserID and it matches a UserID in my database? Will they have access to that users information? If so, is there a way to get around this? I have heard about HTTP_REFER, but not real sure how to implement it. Thanks!

  2. #2 Guest

    Default RE: ASP and Security question

    Session variable are site specific. They actually use a type of cookie. The cookie stays in the memory of both client and server, and when your visitor connects to your site the session variables are set. When your visitor visits another site a separate session will be astablished. So there is no way that they should get mixed up.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts