
How to secure the pages after login?


helLO
04-16-2003, 04:24 AM
I'm currently working on a project... I would like to know how I could secure all the pages that are after the login page.

Can you show an example (or examples), and where can I place the code?

Thanks...
Hope to see reply soon...

raf
04-16-2003, 07:53 AM
This is really an excellent thread about that :D
http://www.codingforums.com/showthread.php?s=&threadid=7161&highlight=profile+profiles
with code and everything. Just ask if you still have questions

helLO
04-16-2003, 03:09 PM
I had come across this thread before... But got no idea what's going on...
I really have no idea what's going on in the if/else statement... I don't quite understand... I can't recognise which name is for the database etc...

Sorry, I'm quite new to it... so please bear with me...

Hope to get your reply soon...

whammy
04-17-2003, 02:24 AM
I also have a basic login/registration script that I wrote for newbies, and that was picked apart by some forum members until it worked right:

http://www.solidscripts.com/displayscript.asp?sid=19

This one uses an Access database, and relies upon cookies to validate the login. The file "checklogin.asp" would need to be included in every page. As a kindness, you could have a note to your "members" explaining that session cookies must be enabled for them to log in.

helLO
04-17-2003, 04:08 AM
It is almost the same as the thread raf had mentioned... I got no idea what's going on... I don't really understand the comments etc etc...

Can you help me by explaining?

Thanks...

Abd
04-17-2003, 01:38 PM
Hi raf,

just went through your Admin with different profile stuff, really cool, thanks.

Abd

raf
04-17-2003, 01:55 PM
Abd, you're welcome.

helLO,

if you've got punctual questions or problems, I'll surely (try to) help you. But you need to tell me what you need info on. Maybe start with the login page and tell me what you don't understand.

helLO
04-17-2003, 02:08 PM
Ok.. Thank you for being willing to help... :)

<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
<meta name="generator" content="Adobe GoLive 4">

What do meta and these 2 lines do?



sql="select user,pasword,voornaam,naam,profiel from gebruikers where user='loginuser'"
sql=replace(sql,"loginuser",gebruiker) 'the username typed in the form is spliced into the SQL text
rsLogin.Open sql, conGranIT

if rsLogin.EOF=true then 'if the user isn't known in the database
Response.Write("<font color='red'>U bent niet bekend als gebruiker en kan dus niet verderwerken.</font>")
response.write("<br><br><a href='javascript:history.back();'>Teruggaan</a>")
else
if paswoord <> rsLogin.Fields("pasword") then 'checking the password against the database
response.write("<font color='red'>U heeft een foutief paswoord ingegeven</font>")
response.write("<br><br><a href='javascript:history.back();'>Teruggaan</a>")
else
session("securityprofile")=rsLogin.Fields("profiel") 'the profile (number) from the database is put in the session variable
session("user")=rsLogin.Fields("user")
response.write("Welkom " & rsLogin.Fields("voornaam") & " " & rsLogin.Fields("naam") &" .")
response.write("<br>Uw profiel is "& session("securityprofile"))

response.write("<br><br><b>Kies één van de onderstaande mogelijkheden:</b>")
response.write("<ul><font size='4'>")
response.write("<li><a href=nieuworder.html title='Een nieuwe bestelling invoeren'>Nieuwe order invoeren</a>")
if session("securityprofile") >= 1 then 'from profile 1 upward you may also look at existing orders
response.write("<br><li><a href=orderzoeken.html title='Een bestelling opzoeken'>Bestaande order opzoeken</a>")
end if
if session("securityprofile") >=2 then 'from profile 2 upward: customer and cost management as well
response.write("<br><li><a href=klantenbeheer.html title='Klantgegevens wijzigen, klanten toevoegen, ...'>Klantenbeheer</a>")
response.write("<br><li><a href=kostenbeheer.html title='Kostprijzen aanpassen'>Kostprijsbeheer</a>")
end if
response.write("</font></ul>")
end if 'password check
end if 'user known


What do ("securityprofile") >= 1 and ("securityprofile") >=2 do? Are you checking 2 things?
Actually, I'm having a problem with the language...

raf
04-17-2003, 02:37 PM
Sorry about the language. It's Dutch. Early, quick and dirty work and that stuff. At the bottom, there's some cleaner code for another app (English). Maybe easier that way.



OK.
meta : just ignore that. It's some stuff my editor slips in when I create a new page. It just gives info on the page. Nothing to do with the code.

Basically, what happens is this. I validate the user ID and password. If this is ok, I store the profile of that user into a session variable. I get the profile from the recordset that was used to select the password for that user.
(in this case named as rsLogin.Fields("profile"))

So this session variable can now be used to determine if a user is permitted to open a page. Or, within a page, to determine which links will be in the page that is sent to the client.

what does ("securityprofile") >= 1 and ("securityprofile") >=2 do? Are u checking 2 things?

Well, on that page there was sort of a menu. Some links to different modules. I check the value of the session variable, and if it is high enough, I display the link. You can do this for each link. (On top of each of the pages where the links point to, I again check the session variable's value.) You can even apply different layouts based on the profile. But the check is always on the same session variable.

NOTE : in the code below, I also set a session variable (logonadmin) as an extra, because the regular site also had a profile-check thingy and I didn't want to risk people being able to log in to the admin part because someone gave them a wrong profile value.

Let me know if you got other questions/problems



<%
Dim user, password
password=request.form("password")
user=request.form("user")

if len(user) = 0 then 'nothing typed in the username field
response.write("<font color='red'>Please enter your username.<br><br></font>")
response.write("<a href='javascript:history.back();'>Back</a>")
else
if len(password) = 0 then 'nothing typed in the password field
response.write("<font color='red'>Please enter your password.<br><br></font>")
response.write("<a href='javascript:history.back();'>Back</a>")
else
%>
<!--#include file='conadmin.inc'-->
<%
dim rsLogin
set rsLogin = server.CreateObject("adodb.recordset")

dim sql
'the username is spliced straight into the SQL text, so whatever was typed in the form becomes part of the query
sql="select user_id, user_name, user_password, profile from users where user_name='loginuser'"
sql=replace(sql,"loginuser",user)
rsLogin.Open sql, conadmin

if rsLogin.EOF=true then 'no record with that username
Response.Write("<font color='red'>Your username is incorrect.</font>")
response.write("<br><br><a href='javascript:history.back();'>Back</a>")
else
if password <> rsLogin.Fields("user_password") then 'wrong password: count the attempt in the session
session("logintrys")= session("logintrys") + 1
if session("logintrys") < 3 then
response.write("<font color='red' size='15'>Your password is incorrect. Remember that passwords are 'case sensitive'.</font>")
response.write("<br><br><a href='javascript:history.back();'>Back</a>")
else
response.write("<font color='red' size='15'>You entered three incorrect passwords. You can not proceed.</font>")
response.write("<br><br><a href='javascript:window.close();'>Exit</a>")
end if
else 'correct password: reset the counter and store the profile for the other pages
session("logintrys")=0
session("logonadmin")=2
session("profile")=rsLogin.Fields("profile")
response.redirect("adminmain.asp")
end if
end if
rsLogin.Close
conadmin.Close
set rsLogin=nothing
set conadmin = nothing
end if
end if
%>
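The same login flow as the script above, rewritten as an added example (not raf's code) so that the username reaches the database as an ADODB.Command parameter instead of being spliced into the SQL text with replace(); whatever is typed in the form can then only be compared against user_name and never change the query. It assumes the users(user_name, user_password, profile) table from the post and a placeholder connection string you replace with your own.

```vbscript
<%
Option Explicit
' Added example, not raf's code: parameterised version of the login above.
' Assumptions: table users(user_name, user_password, profile) as in the thread;
' PLACEHOLDER_CONNECTION_STRING stands for your own connection string.
Dim user, password, conadmin, cmd, rsLogin, valid
user = Request.Form("user")
password = Request.Form("password")

If Len(user) = 0 Or Len(password) = 0 Then
    Response.Write("<font color='red'>Please enter your username and password.</font>")
ElseIf Session("logintrys") >= 3 Then
    ' After three wrong attempts in this session the database is not queried at all
    Response.Write("<font color='red'>You entered three incorrect passwords. You can not proceed.</font>")
Else
    Set conadmin = Server.CreateObject("ADODB.Connection")
    conadmin.Open "PLACEHOLDER_CONNECTION_STRING"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conadmin
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "SELECT user_password, profile FROM users WHERE user_name = ?"
    ' 200 = adVarChar, 1 = adParamInput, 50 = maximum length accepted for the value
    cmd.Parameters.Append cmd.CreateParameter("p_user", 200, 1, 50, user)
    Set rsLogin = cmd.Execute

    valid = False
    If Not rsLogin.EOF Then
        ' Kept as in the thread: passwords are stored in clear and compared
        ' case-sensitively; a hash comparison would replace this one line.
        If password = rsLogin.Fields("user_password") Then valid = True
    End If

    If valid Then
        Session("logintrys") = 0
        Session("logonadmin") = 2
        Session("profile") = rsLogin.Fields("profile")
        rsLogin.Close: conadmin.Close
        Response.Redirect "adminmain.asp"   ' ends the response here
    Else
        ' One message for "unknown user" and "wrong password", so the reply
        ' does not tell a visitor which usernames exist.
        Session("logintrys") = Session("logintrys") + 1
        Response.Write("<font color='red'>Your username or password is incorrect.</font>")
        Response.Write("<br><br><a href='javascript:history.back();'>Back</a>")
        rsLogin.Close: conadmin.Close
    End If
End If
%>
```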

helLO
04-17-2003, 04:32 PM
Thanks... your kindness to explain all these is appreciated... :thumbsup:

("<br><br><a href='javascript:history.back();'>Back</a>")

does the above code somehow "lock" the back function once the user logs out?

What does <len> mean?

rsLogin.Open sql, conadmin --> What does the conadmin do?

logintrys--> Is it a variable?

session("profile")=rsLogin.Fields("profile") --> What does the profile in the database do with the session?

raf
04-17-2003, 04:50 PM
("<br><br><a href='javascript:history.back();'>Back</a>")
No. It just displays a link on the client side, that says "Back". If the user clicks it, he'll go back one page. Same as the Back button in your toolbar.

What does <len> mean?
Len(string) returns the length of the string. I use it to check if the username and password were filled in. If not, I display a message. I do this check because this way, I save a db connection and save some runtime resources.

rsLogin.Open sql, conadmin --> What does the conadmin do?
conadmin is my connection (the connection that was used to open the recordset); just replace it with yours.

logintrys--> Is it a variable?
yes. each time a false password is entered, this variable is incremented (=+1); three false passwords means the window is closed (session is kept alive, so if he had multiple windows open, he wound't still be able to continue)

session("profile")=rsLogin.Fields("profile")
if the password is correct, then the session variable gets the value that was in the database in the profile variable; each user record has a value for this profile variable.
once the session variable holds this value, you can check it in any other ASP page; the value is linked to the client by your webserver. so from then on, you can use the value to decide if the user is allowed to open a page or to see a link or whatever.

just with a
if session("profile") > 5 then
etc
end if

if he has a profile higher than 5, the code in the if-then statement will be processed;

helLO
04-17-2003, 05:03 PM
Thanks... I think I need some time to 'digest' the code... That seems to be pretty good code to use...

just asking if you know any code that can "lock" the back button in the browser once the user logs out...

raf
04-17-2003, 05:12 PM
no. in fact, that should be prohibited (in my opinion). but you can prevent the pages from being cached server-side by setting the expire to 0 or less. Like this

Response.Expires -1000

just insert this on top of your page.
if it isn't cached, you can't navigate to it with the back button.

helLO
04-17-2003, 05:34 PM
What does the -1000 do?

raf
04-17-2003, 05:41 PM
the number after response.expires is the number of minutes before the page expires. So you would assume that 0 meant they expire immediately. But I believe this is actually not always the case. I believe the browser (the client's PC) checks the date of the page (when it was sent from the server) and then compares it with the current date to store it or remove it from the cache. But if the browser's time is set later than the server's time ...

So I always set it to -1000 or -10000

Abd
04-17-2003, 05:55 PM
raf,

What do I add to the other pages, after validating the username and password?

Abd

raf
04-17-2003, 06:04 PM
after validating and setting the session variable, you can check if a client is permitted to see the page. You can add something like this on top of the page:

<%
if session("profile") >= 9 then 'If someone browses straight to this page, the value will be lower than 9. But we could also block this page for users with a profile lower than 2 or 3 or ...
response.write("Welcome blablablabla")
'... and all your other code
else
response.write("<font color='red' size='4'>You're trying to reach this page without logging in. </font><br><br>")
response.write("<a href='javascript:history.back();'>Teruggaan</a>")
'we could also do something like this
'response.redirect("login.asp")
'and send them straight to the login page.
end if
%>


The thread on my first post gives some more info.

helLO
04-17-2003, 06:05 PM
ok... Thanks...

It can still go back after adding the code Response.Expires -1000...

but with error...

Microsoft VBScript runtime error '800a01c3'

Object not a collection: 'Response.Expires'

logout.asp, line 8

raf
04-17-2003, 06:10 PM
sorry. my bad. :o it should be
Response.Expires = -1000
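A checklogin.inc, added here as an example (not code from the thread), that puts the page guard raf posted above and the corrected Response.Expires line into one file you #include at the top of every protected page and of logout.asp. It assumes Session("profile") and Session("logonadmin") were set by the login script exactly as in raf's code; the file name login.asp and the profile level numbers are yours to choose.

```vbscript
<%
' Added example, not code from the thread. Include this file at the top of a
' protected page and call   RequireProfile 2   (or whatever level) before the
' page writes anything; logout.asp includes it and calls Logout.
' Assumes Session("profile") and Session("logonadmin") as set by login.asp.

Sub SendNoCacheHeaders()
    ' Response.Expires on its own (see above) still relies on the browser's clock.
    ' Together these tell browsers and proxies not to keep a copy, so the back
    ' button after logout re-requests the page from the server and meets the guard.
    Response.Expires = -1000
    Response.CacheControl = "no-cache"
    Response.AddHeader "Pragma", "no-cache"
End Sub

Sub RequireProfile(minProfile)
    Dim allowed
    allowed = False
    SendNoCacheHeaders
    ' With nobody logged in Session("logonadmin") is Empty, and Empty = 2 is
    ' False, so a visitor who types the URL directly never reaches the profile test.
    If Session("logonadmin") = 2 Then
        If IsNumeric(Session("profile")) Then
            If CInt(Session("profile")) >= minProfile Then allowed = True
        End If
    End If
    If Not allowed Then
        Response.Redirect "login.asp"   ' ends the response; the page body below never runs
    End If
End Sub

Sub Logout()
    SendNoCacheHeaders
    Session.Abandon      ' discards profile, logonadmin and logintrys on the server
    Response.Redirect "login.asp"
End Sub
%>
```

A page then starts with the include followed by `<% RequireProfile 2 %>`; the redirect fires before any page content is sent, so an unauthenticated request never sees the protected HTML.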

helLO
04-17-2003, 06:33 PM
It's ok...

this time it works without error... but it is still able to go back...

raf
04-17-2003, 08:28 PM
this time it works without error... but it is still able to go back...
Sure about that? Did you delete the cache before trying it? Try deleting all cached files and then reload the page and see if it's in the cache after loading it.

helLO
04-18-2003, 02:16 PM
How should i erase the cache?

raf
04-18-2003, 02:27 PM
Depends on your operating system and browser. Run a search for folders called "cache" and then delete the content from these directories.

helLO
05-13-2003, 12:07 PM
Thanks...
:)