PDA

View Full Version : Trouble With login Rerouting

Crash1hd
02-14-2003, 09:14 PM
I am having trouble with the following useing access database and this code so that when the user logs in it goes through as long as they have confirmed email registration but if they havent then it stops them from entering for some reason it still alows them to enter the site as long as the login name and password are valed like its ignoring the first if then statement

'************************************ MAIN PROGRAM

If Request.Cookies("login") = "OK" Then Response.Redirect("members.asp")

submitnumber = submitnumber + 1

If username <> "" AND pass <> "" Then
Call OpenConnection()
Dim Member1Query
Dim Member2Query
Member1Query = "SELECT * FROM members WHERE confirmed = True"
Member2Query = "SELECT username, pass, confirmed FROM members WHERE username = '" & SQLFormat(Left(username,255)) & "' AND pass = '" & SQLFormat(Left(pass,255)) & "
Set RS1 = Conn.Execute(Member1Query)
Set RS2 = Conn.Execute(Member2Query)
If NOT RS1.EOF Then
If NOT RS2.EOF Then
Response.Cookies("login") = "OK"
Response.Redirect("members.asp")
Else
Call DisplayLoginForm()
End If
Else
Call Response.Redirect("Register.asp")
End If
Call CloseConnection()
Else
Call DisplayLoginForm()
End If

'******************************** END MAIN PROGRAM
whammy
02-15-2003, 12:37 AM
You need to include the "checklogin" script in every page, like:

<!-- #include file="register/checklogin.asp" -->

at the beginning of every asp page that's protected (EXCEPT for register.asp!), after the

<% @Language="VBScript" %>
whammy
02-15-2003, 12:38 AM
<% If Request.Cookies("login") <> "OK" Then Response.Redirect("login.asp") %>

The above is exactly what's in "checklogin.asp", which is what you should be "including" on your protected pages, using:

<!-- #include file="checklogin.asp" -->

That redirects them to the login page if no cookie is set on their machine.

I am an idiot!

LOL :D
Crash1hd
02-15-2003, 07:23 AM
Great info as always but not what I am trying to achieve!

hmm ok here is the senario are subjects name will be joe say joe joins the website fills in everything he needs to fill in and gets the page that tells him check your email for a confirmation now say joe ignores this and goes back to the login page and logs in should joe be allowed access to the secure pages even though he has not confirmed his email account! I dont think he should but with this code he is able to log in as if he has already confirmed which is a type of security hole with the script doh :(

Just trying to figure out a way to correct the hole :)

Adam
whammy
02-15-2003, 11:35 AM
When someone logs in, I set a cookie... therefore you have to check for that cookie first, in order to "protect" the page.

But, you found some bugs in my script! :eek:

I have rewritten it to correct the bugs, and it now does everything you were previously having trouble with with ease... test it out here:

http://www.solidscripts.com/register

And thanks!