ASP Security Login Using Cookies ...

My login_process.asp ...

<%
Dim L_ID, L_Pass, conn, rs

' Credentials submitted by the login form
L_ID = Request.Form("member_id")
L_Pass = Request.Form("member_pass")

' Open the Access database
set conn = Server.CreateObject("ADODB.Connection")
conn.Provider = "Microsoft.Jet.OLEDB.4.0"
conn.Open(Server.Mappath("Registration.mdb"))
set rs = Server.CreateObject("ADODB.Recordset")

' Look up a row matching the submitted ID and password
rs.open "SELECT * from registration WHERE mem_id='" & L_ID & "' AND mem_pass='" & L_Pass & "'", conn

if rs.EOF then
    ' No matching row: store the error message and go to the failure page
    Response.Cookies("LoginError") = "Wrong Member ID or Password"
    Response.Redirect("Login_Fail.asp")
else
    ' Matching row: set the "login" cookie and go to the success page
    Response.Cookies("login") = Request.Form("L_ID")
    Response.Redirect("Login_Success.asp")
end if

conn.Close
%>

I place this at the top of every page so that only those logged in can view the page ...

<%
if Request.Cookies("mem_id") <> "TRUE" then
    Response.Redirect ("Default.asp")
end if
%>

CONCLUSION : IT'S NOT WORKING ...


Security Login

I've added a public domain security login page to one of my web
applications. I did this because the number of users has increased to a
couple of dozen, and having them all added as users on my machine was
becoming cumbersome. I find this method a lot easier to manage the users.
Previously I used windows authentication.

Is this the method most people use ?


Login Security

I have a system which users enter with a username & password. Now my question is:

After logging on to the system, for example, the user opens an asp page named:

http://vkomdeneme/vestel/show.asp

But he/she can also open this page before logging on, just by copying and pasting the link above. This shouldn't be like this. Now how can I solve this problem?


Login Security

I'm building a site that needs login and then checks that the user is logged in to visit several pages. The login stuff is OK and I can do the check on the pages I want, but the problem is that after a user has logged out, he/she can still use the browser's "back-button" and display the contents of the previous pages, but when reloading the pages my "not logged in" message appears. Is there anything I can do to prevent the "back-button" possibility? My logout page has only a "session.abandon" function for the logout procedure.


Login Without Cookies

I have created a website that uses cookies to check to make sure that someone is logged in on secure pages, but some people have e-mailed me saying that they cannot get in. It is because they do not have cookies enabled. I NEED TO FIND A WAY TO CHECK THE LOGIN ON SECURED PAGES WITHOUT USING COOKIES. It would be nice to also be able to know who is online and where they have been - maybe an activity log.


Login Without Cookies

Does anyone know how to create a login system with ASP that does not use cookies? I am finding that more and more users seem to be setting their privacy settings to high, thus not accepting cookies.

What I am thinking about is to have some type of server side session that when a user logs in, I write the session ID to a database as well as the user ID so that I can keep track of the users that are logged in.

I have played with regular sessions, but if a user does not have cookies enabled, the sessions do not seem to maintain state and are basically useless.


Cookies Within Login Page

Please, I need your help in writing the cookie code to send the user automatically to the comments page without login if he has entered the site before...

This is the code I wrote, but now I need the cookie code to validate whether the user has entered before or not (if yes, redirect him to the comments page; otherwise let him log in).


Creating Cookies In Global.asa Session_OnStart But Cannot Read Cookies On Subsequent Pages.

In my Session_OnStart in Global.asa, I am setting some cookies. One
of them, I set as follows:

dim UserID
UserID = Request.ServerVariables("LOGON_USER")
Response.Cookies("User")("ID") = UCASE(UserID)

When I immediately log the cookie value retrieved from
Request.Cookies("User")("ID") into the Windows Event Log, I get the
correct value. However, when I try to retrieve the cookie on the home
page of my application using the same code,
Request.Cookies("User")("ID"), it either cannot find the cookie or
cannot read the value. I am retrieving the cookie before all HTML
headers are written. It is my first statement on the page after
Option Explicit. I have even compared the session IDs. The SessionID
created in the Session_OnStart is the same value as the SessionID on
the home page.

I have read that the Session_OnStart only has access to the
Application, Session and Request objects. It does not explicitly say
that it does not have access to the Response object. Also, I was even
able to use Response.Write's in Global.asa to print out the values
although it looked like it had also stopped the session after I did
so. Cookies are definitely enabled on my machine. I have even tried
setting the session cookie's expiration to be persistent for a few
days to see if it was perhaps expiring before I was able to read it
but this did not work either.

Is there something preventing cookies from being created in Global.asa in
the Session_OnStart sub? Is the Response object not available???
Please let me know if anyone else has had this problem or a solution.


Enable Permanent Cookies But Disable Session Cookies

Is it possible for a user to enable permanent cookies but disable session cookies? This seems like a contradiction, yet this is what I appear to be reading in online articles.


Creating Cookies File And Stored In Cookies Folder

I am creating a cookie in my application and it works properly, but I can't see where the cookie is stored. I checked the Cookies folder but I didn't find it. I want to create a cookie file as other web sites do, stored where other cookies are stored, in the Cookies folder or the Temporary Internet Files folder, e.g.: 1. arvind@google.co[1].txt (this is stored in the Cookies folder) 2. arvind@msn[2].txt ....


XMLHTTP Through Login But After Requesting Next Page - Kicks Back To Login

I am building a website to pull data from a remote https site using xmlhttp. The data from the https site is behind a login screen. I can successfully get through the login screen with:

set objXMLHTTP = Server.CreateObject("Msxml2.ServerXMLHTTP")
objXMLHTTP.Open "POST", "https://website.com/validate-login2.asp", false
objXMLHTTP.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objXMLHTTP.Send "Username=uname&password=pwd&company=O"

That works great - but then, when I try to go to the next page (where the data is that I want to pull) - I use the same process and I get kicked back out to the login screen. Could there be some cookies, referer, strings being passed normally that I am not including in my second request? How do I find out for sure?

I have used the software IETrace and it looks like some cookies being passed, but how do I know for sure if (and what exactly) it is using?


Login To Page Requires Login

I want to log in to a page using MSXML2.ServerXMLHTTP.4.0 or an object like this. I must send the form variables needed to log in when I try to log in to the page. But the problem is that the page looks like an exe file (not an asp file or php file or whatever). The name of the page I try to log in to is something like "/pw?/session/login", nothing more, without extension. I have tried the code with a normal asp file with session registration and login process and it worked, but not with this file.


Security

I now have a login page for user authentication.
But I am kind of paranoid about security.
Is it enough just to have that to secure my site?

How do hackers do "sniffing"?
And how to prevent that?

If there is any GOOD website security tutorial, I would love to read it.


Security

IIS can handle security on its own without the need for complex scripting, and I like the idea of being able to just let the system do it. However, I'm not sure how to set such things up, and would that mean that if you used something like integrated Windows authentication, security is dealt with by Windows and its users' info rather than getting the info from a database of my choosing?

The whole concept is quite confusing to me, but there must be a simple-ish way to set up at least some form of secure site area within my web.


Security

I am starting to learn ASP and I have IIS installed on my WIN xp pro machine. Do I have to worry about security for any reason at all? I don't believe I have file sharing on at all, then again, I don't know if that has anything to do with this.


Security

How do I run security through all of the pages? The users log in, an asp checks their password, then what do I do to secure the pages from users that do not enter the password?


ASP Security

Developed a web application which adopts a custom security model which displays a login page and requests a username/password combination. The username works in a mixed-mode of usernames matched with the windows login name and some extra accounts (similar to SQL mixed-mode security). Web application is executed both in the corporate intranet and externally on the web.
Getting user complaints about having to login to the web application when they have already logged-on to windows. I have coded a challenge/response (response.status=401) to get a user's window login through the ServerVariables. This seems to work OK for the intranet access. If the user's windows account is not located in the application database then I redirect to the standard login page for the username/password combination. When the application is executed across the internet through a firewall, the user is prompted by IE to enter the windows domain, username, and password. There seems to be no mechanism to avoid this because of the challenge/response code. I wish that with external access from the internet that users are automatically directed to the application login screen and not faced with the IE windows authentication dialog.


Security In ASP 3

Does anyone know how to implement one way hashing or encryption using ASP 3.0 and no additional components?

I need to secure an intranet application which is being moved online. Currently the passwords are stored in plain text; ideally I'd like to hash the passwords in the database and hash the form data when testing, but I don't seem to be able to find any hashing methods for standard ASP. Perhaps someone has a nice code snippet for hashing.


NT Security

Is there a way to log in to a particular security group from ASP? I use IP addresses and email addresses to identify web users and most have general IWAM_COMPUTERNAME access.
Once web users log in, is there a way to give SOME of them access to an NT security group based on stored NT user/password information?


Security

I am working on a new feature on my website where people can write their own HTML files. They are actually going to have .ASP extensions, and are hosted on my webserver. So, what security issues can you suggest? So far all I have got is disabling '<% %>' tags. Anything else?


Put Security

I'm developing a local intranet site. I'm just new to ASP; could anyone help me with how to put security in? I have a username and password, but I want the site not to go back to the previous pages after logging off.

I'm using Macromedia Dreamweaver and VBScript, and I have a database using MS Access.


Security

I am developing a project that's gonna handle some transactions too. Since this is my first commercial project, I am worried about its security. So my question is "is ASP safe enough to use with something serious?" or should I use something else like PHP?


ASP Security

I'm about to embark on a project that will allow my clients to produce invoices via any internet enabled PC. This post is regarding the security options available to me.

I will implement a Username/Password scheme to restrict access to the facility, but since part of the facility will allow access to customer information, I'm wondering if I should also look at a more secure protocol than simple HTTP.

I have very little knowledge regarding the options available to me and as such I'm hoping someone can give me some suggestions or an overview of the different things I could use.


SECURITY And SSL!

One more conceptual thing! Tell me if I am right! I have developed a concept that SSL does three jobs!

1) It forces the client to connect to the server through the SSL port rather than 80
2) It sends data from client to server encrypted!
3) It provides a certificate from the third party (SSL provider) that we are the rightful owners of this website!


ASP.Net Security

I've been appointed the task of looking through some code for security risks. Up until now it's been PHP, but now a person wants me to look through ASP and ASP.Net files.

The problem is that I don't really know what to look for. Can someone tell me? As many things as possible, in as much detail as possible, even things that normally aren't very risky.


Security Of ASA File?

I'd like to start using global.asa to store things like connection strings to
databases and the like. As I understand it, you have to save the file in the
root of your app.

My concern is that storing the location of databases within the ASA file
might be a security issue. Is there any way for a user to get at the
information contained in that file and, by extension, get at the databases
themselves?


Cookie Security ?

I'm not really asking about "someone stole my credit card info through cookies".

Here's the deal:

I have 2 sites (different domain names) running from one server. One is SSL the other is not. The SSL site has a login and password, which return the user's unique id, which is stuck into a session cookie.

This cookie is then checked at every page because every page is built based on the user's id. If it is not present, the user is redirected to the login page.
If the id is wrong, there will be no information shown on the page.

My question is this, can the other (non-SSL) web site see this cookie? The site has no asp or anything else, but if someone "broke into" the non-secure site, could they read the cookie from the other site?


Cookie Security

If I store login information in a cookie is it possible for the PC owner to modify the cookie without it making it valid?

For example if in the cookie I store the current user, say "Bob" - if Bob edits his cookie by hand to say "Alan" will the server accept the cookie as valid? Or will it realise that it has been tampered with and discard it?

Anyone recommend a good reference on this sort of thing?


Security Testing

My system is at the testing phase. How do I test my system to check its security, especially at the login page? I am running it at localhost. I have tried SQL injection but nothing happened. I just saw the invalid login username or password error only.


Web Application Security

You know when you have a browser based application (written in ASP or whatever), which uses a database, how can you ensure that the username and password of the database is secured?
My ASP application has got a file containing all the information you need to connect to the SQL database. If anyone happens to get hold of that file on the Web server then he'll be able to do anything he wants. Is there a safer way to handle this?


Forms Security

Can anyone direct me to a resource/tutorial for something similar to the "Toughen Forms' Security with an Image" article on this site, but for ASP Classic?


Security Hazard

I just finished my database. There is one problem however: I had to give write permissions to my file with the extension mdb; it's an Access file. The thing is that now all anyone has to do is figure out the page name and their browser will begin to download my database.

That is a major security hazard. What the heck do I do? Am I supposed to just hope no one ever figures out what that specific page name is?


LOGON_USER / NT Security

I'm trying to get the NT login id of a user on a web page without making the
user type it into a login box. I'm using the LOGON_USER server variable.
The problem is, if the web page allows anonymous access, LOGON_USER returns
nothing. If the page is set to Basic Security, the NT login popup box comes
up, even though the user is already logged into the network, and HAS access
to this page.

Moreover, if I try this on my PC instead of our webserver, it
works like I would expect. That is, when set to Basic Security, it does NOT
pop up a login box if the user is allowed to view the page, and LOGON_USER
returns the userid. Is there some setting on the server I need to change?
Or something else?


Copyrights 2005-15 www.BigResource.com, All rights reserved