Did I implement the login correctly?

Randy Morgan

I used, or tried to use, suggestions from this NG to implement a login
for a protected area of my site. I'd appreciate it if any of you
adventurous types want to try and "break in" before I put anything
really important there.

The login page is at:

http://www.leonardforiowa.com/login.asp

If you can get to any URL in the 'secure_area' directory, I've messed it up.

And, as long as I'm typing, I've got a few questions:

Is there a command I can use on the login page code to keep entries from
being cached? In particular, I don't want anything to still be in the
password field when the page is loaded or refreshed.

When a user types in a password, the actual characters show up. How can
I have them masked with **** or dots or whatever you see on most other
websites?

And, last, as I've been messing with database results and things FP
frequently tells me to rename files to use the .asp extension, which is
no problem, but got me thinking: Is there any reason not to use the
.asp extension for all my pages (assuming they're not php pages or
something, of course) instead of .htm? Will it hurt anything?

Thanks,

Randy Morgan

One more question:

I'd like to have more than one username and password combination that
will work on the login page. I've tried to modify verify.asp to check
more than one combination, but when I upload it the function breaks,
resulting in the browser simply displaying the contents of verify.asp
instead of returning a value.

I'm not sure if the entire structure is wrong or if I should be using
braces instead of parentheses or it's something else entirely. The uid
and pwd are passed from the login.asp form.

Here's the code I'm using:

<%
If
(
(Request.Form("uid") = "uid1" AND Request.Form("pwd") = "pwd1")
OR
(Request.Form("uid") = "uid2" AND Request.Form("pwd") = "pwd2")
)
Then
Session("Authenticated") = 1
Response.Redirect "http://www.leonardforiowa.com/secure_area/home.asp"
Else
Session("Authenticated") = 0
Response.Redirect "http://www.leonardforiowa.com/loginfail.asp"
End If
%>
Randy Morgan

Stefan B Rusynko

If you are seeing ASP code in the verify.asp page it is because you are using it from a non-.asp page or your verify.asp has HTML in it (it should only have VBScript in it)

Watch out that your entire If Then is on 1 line if you are using multiple lines for the code
- your multiline script does not show any script line breaks _ as in

If _
( _
(Request.Form("uid") = "uid1" AND Request.Form("pwd") = "pwd1") _
OR _
(Request.Form("uid") = "uid2" AND Request.Form("pwd") = "pwd2") _
) _
Then
...
Else
...
End If


Randy Morgan

Thanks so much for the feedback. I don't know anything about VB syntax,
so I was completely unaware of the need for the _ character.

thanks,
Randy Morgan

Stefan B Rusynko

See inline comments below

|I used, or tried to use, suggestions from this NG to implement a login
| for a protected area of my site. I'd appreciate it if any of you
| adventurous types want to try and "break in" before I put anything
| really important there.

With any "login" server side scripting you need to be aware of preventing possible SQL injection attacks / hacks and that means you must script defensively - for more info see
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf

- your simple login script does not prevent possible attacks
- how defensive you script depends on how sensitive the pages or data (say from a DB) you are "protecting"

|
| The login page is at:
|
| http://www.leonardforiowa.com/login.asp
|
| If you can get to any URL in the 'secure_area' directory, I've messed it up.

There are tools available that will test your site for vulnerabilities

|
| And, as long as I'm typing, I've got a few questions:
|
| Is there a command I can use on the login page code to keep entries from
| being cached? In particular, I don't want anything to still be in the
| password field when the page is loaded or refreshed.

If you don't set a default form field value the form field will be empty when called on an ASP page or contain prior inputs when called from the browser back button
If you set both fields as password fields they will be blank even using the browser back button

|
| When a user types in a password, the actual characters show up. How can
| I have them masked with **** or dots or whatever you see on most other
| websites.

In the form field properties set the option for it to be a password field


| And, last, as I've been messing with database results and things FP
| frequently tells me to rename files to use the .asp extension, which is
| no problem, but got me thinking: Is there any reason not to use the
| .asp extension for all my pages (assuming they're not php pages or
| something, of course) instead of .htm? Will it hurt anything?

If you are using ASP to protect your pages you must use .ASP pages
(so the "protected" page is processed server side before client side)
- the FP DBRW requires .asp pages
When you start an ASP session it remains active if you are w/i .asp pages and the ASP session timeout has not expired
Since you are using session variables you should be using .asp for all the pages after a session starts (your login page) to keep the current session running
See http://www.devguru.com/Technologies/asp/quickref/session.html


| Thanks,
|
| --
| Randy Morgan
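The two points Stefan makes above (the multi-line If needs `_` continuations and must not be mixed with HTML in verify.asp, and every protected page must be .asp so the session check runs server side before anything is sent) put together in one worked verify.asp plus the guard for the secure_area pages. This is an added example written for this thread, not code from either poster; the uid1/pwd1 and uid2/pwd2 values are the placeholders from Randy's post, and the paths are the ones the thread mentions.

```vbscript
<%
' verify.asp - added example; accepts more than one uid/pwd combination.
' Only VBScript in this file: no HTML, otherwise IIS serves the script as text.
Option Explicit
Dim users, uid, pwd, ok
Set users = Server.CreateObject("Scripting.Dictionary")
users.CompareMode = vbBinaryCompare   ' usernames and passwords are case-sensitive
users.Add "uid1", "pwd1"              ' placeholder credentials from the thread
users.Add "uid2", "pwd2"

uid = Request.Form("uid")
pwd = Request.Form("pwd")

' Look the name up first; the password is only compared when the name exists,
' so an unknown name and a wrong password take the same path below.
ok = False
If users.Exists(uid) Then
    ok = (users.Item(uid) = pwd)
End If

' Session("Authenticated") is the only thing the secure pages trust, so it is
' explicitly set to 0 on every failed attempt rather than left at its old value.
If ok Then
    Session("Authenticated") = 1
    Response.Redirect "http://www.leonardforiowa.com/secure_area/home.asp"
Else
    Session("Authenticated") = 0
    Response.Redirect "http://www.leonardforiowa.com/loginfail.asp"
End If
%>

<%
' ---- top of every page under secure_area (each one must be a .asp file) ----
' Place this before any HTML. An .htm file in that directory is never run
' through ASP, so nothing can stop a direct request for it.
' An unset session variable is Empty, and Empty <> 1 is True, so a visitor
' who never passed verify.asp is sent back to the login page.
If Session("Authenticated") <> 1 Then
    Response.Redirect "http://www.leonardforiowa.com/login.asp"
End If
%>
```

Keeping credentials in the script is workable for a test area like this one; as soon as they move to a database, the lookup must use a parameterised ADODB.Command rather than a string built from Request.Form, which is the SQL injection risk Stefan points at.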

Stefan B Rusynko

PS
or you are testing it from a disc based web (instead of a server based web that supports ASP)


Randy Morgan

No, I published it to my host, which supports ASP, and that's where it
broke. It's probably the line breaks I inserted when I modified the code.

Randy Morgan