About Locking Pages?



j3nnif3r
08-08-2004, 10:05 PM
Hi.

I POSTED in the wrong forum yesterday (in the JavaScript forum, but I think I meant to post in this ASP forum. Sorry about the confusion, and I have already made a note on the other forum. Please disregard the post in the other forum. Sorry.)


But I wanted to ask if there is a way, I guess, to perhaps "lock" pages with some sort of JavaScript? I want to make my website so that if a user wanted to view other pages besides the homepage, the login page would be generated and they would have to log in first, then they would be allowed to view the other pages.

Also, after the user has logged in, they will see the URLs of the pages besides the homepage. The next time the user returns to my website, if the user decides to just type in the URLs of the other pages besides the homepage, I want the login page to be prompted, thus preventing users from just viewing my website without logging in.

Lastly, I wanted to also ask if the "lock" javascript would be the same to prevent the user from clicking the "BACK" button and returning to the website pages AFTER they have logged out?? If the script is not the same, what would it be?


Can anyone help me with a script to prevent this??

P.S. I am using ASP for my website.


Thanks in advance. Your help is greatly appreciated. :)


-j3nnif3r.

Roy Sinclair
08-09-2004, 04:59 PM
Do these pages all exist already and you're wanting to add this or is this a new project and you're looking at how you'll accomplish this task?

j3nnif3r
08-10-2004, 02:28 AM
Hi Roy.

I have already created the pages for the website. I just want to implement the locking of the pages so that a user who has not logged into the website cannot access any other pages other than the homepage, and that after a user logs into the website, that they are allowed to view any pages within the website.

Noting the fact that after a user logs out, even if they have not closed the browser window, the user may not click the back button and return to the page they were previously viewing.

Can you help me with this??

Thank you in advance.

-j3nnif3r.

glenngv
08-10-2004, 03:00 AM
When a user logs in successfully to the site, set a session variable then in every page, check for the existence of that session variable. When the session variable does not exist, redirect to the login page. When the user logs out destroy the session variable.

j3nnif3r
08-10-2004, 03:50 AM
Hi Glenn.

Could you help me with the script for the session variable and where I would incorporate the script in my pages?? Thank you for your response.


-j3nnif3r.

glenngv
08-10-2004, 04:31 AM
Put this in your script when login is successful:

    session("user") = username

The username variable contains whatever the username of the currently logged-in user is. You may choose to put different user info there.

Then put this at the very beginning of each ASP page:

    ' no session variable means the visitor has not logged in
    if session("user")="" then
        response.redirect "login.asp"
        response.end
    end if

You may put that code in an external file and include it in every ASP page.

sxar
08-10-2004, 05:22 AM
Hey

First of all I would recommend against using the Session Variable method and storing a username in a session variable as it would be a hacking paradise.

Generate a code every time a person logs in and their password and username match. Store the code in a cookie and in the database. Then match the passwords up each time a person tries to access a restricted page.

e.g.
Add this to a login file.

Use the code below to generate a code if the login is OK. (Untested)
Add this after the password and username match!

    Dim strCode
    Dim strVariable
    Randomize   ' seed the generator once, not on every pass of the loop
    ' Rnd is a simple pseudo-random generator, not a cryptographic one
    Do Until Len(strCode) >= 30
        strVariable = Int(Rnd * 1000) Mod 16   ' 0..15, so every branch below is reachable
        If strVariable >= 1 And strVariable <= 9 Then
            strCode = strCode & strVariable
        ElseIf strVariable = 10 Then
            strCode = strCode & "a"
        ElseIf strVariable = 11 Then
            strCode = strCode & "b"
        ElseIf strVariable = 12 Then
            strCode = strCode & "c"
        ElseIf strVariable = 13 Then
            strCode = strCode & "d"
        ElseIf strVariable = 14 Then
            strCode = strCode & "e"
        ElseIf strVariable = 15 Then
            strCode = strCode & "f"
        Else
            strCode = strCode & "z"   ' 0 maps to "z"
        End If
    Loop

    'Set the Variable to the Cookie
    Response.Cookies("cookiename")("Code") = strCode
    'Set the Variable to the Recordset
    rsMyRecordset.Fields("codecolumn") = strCode
    rsMyRecordset.Update

Use this to check your pages:

    If Request.Cookies("cookiename")("Code") <> rsMyRecordset("codecolumn") Then
        Response.Redirect("login.asp")
    End If

ghell
08-10-2004, 03:54 PM
personally i prefer to just do glen's session thing but with cookies and just encrypt/decrypt the cookies whenever you want, there are various asp tutorials out there on encryption and you can mix and match how you want and put this in a function that will do it all for you so you can just write with

    dataToEncrypt = "someperson"
    encryptionkey = "somerandomencryptionkey"

    response.cookies("username") = (myEncrypt(dataToEncrypt, encryptionkey))

and read with

    if dataToEncrypt <> myDecrypt(request.cookies("username"), encryptionkey) then response.redirect "logout.asp"

where logout.asp would wipe the cookies they have and redirect to the login page

i try to put all my login data in 1 cookie and then split it when it's being read

Roy Sinclair
08-10-2004, 04:17 PM
I forgot to ask whether this was an Intranet application or an Internet application. For the former, you can set up IIS to use their network login and make your pages secure behind the network but for the internet you need to look at one of these schemes. Please be aware that sessions carry an overhead so a high volume web site will run out of resources much sooner so the exact approach you need to take will depend on how much traffic you expect both now and in the future.

None of the solutions offered so far are complete answers yet but with a little more information I think we can direct you to a complete answer.

j3nnif3r
08-11-2004, 03:05 PM
Hi.

I think perhaps I may have used the wrong term, I meant that I want to SECURE the pages on my website. I am using the internet.

I have created a default page at the moment where anyone who first visits my website will see the homepage, but it will be the default.htm page. On this default homepage, the search box and links are visible to the user, but they are non-usable, so that any visitor to my page cannot access any of the pages in my website.

I want the user to first log in, then they will be directed to the ACTUAL website with the homepage now being homepage.htm where all the links and searchbox are now accessible to the user. After the user has logged in, he/she will have seen the URLs of the pages within my website.

After the user logs out, I want to prevent them from just typing in the URLs of the pages within my website, and then gaining successful access to the website - I WANT the user to always need to sign in before accessing any pages in my website.

I hope this updated information may help anyone who would like to help me.

Thanks everyone for your help. I greatly appreciate it.


-j3nnif3r.

j3nnif3r
08-11-2004, 03:08 PM
Also, I wanted to add that after a user logs out, I want them to successfully log out, so that they MAY NOT hit the back button and return to the page they were previously viewing.


-j3nnif3r.

abacus
08-11-2004, 07:06 PM
I have a somewhat similar problem, and I'll start another thread just to describe my situation (hope that starting a similar thread isn't frowned upon).
Look for "Damned BACK button reads from cache & ignores "Expires" meta-tag" in the subject line.

j3nnif3r
08-12-2004, 10:25 PM
Hi abacus.

I have the same problem occurring, but however, that is NOT my only problem. Could anyone else help?


This is what I needed assistance on:

I think perhaps I may have used the wrong term, I meant that I want to SECURE the pages on my website. I am using the internet.

I have created a default page at the moment where anyone who first visits my website will see the homepage, but it will be the default.htm page. On this default homepage, the search box and links are visible to the user, but they are non-usable, so that any visitor to my page cannot access any of the pages in my website.

I want the user to first log in, then they will be directed to the ACTUAL website with the homepage now being homepage.htm where all the links and searchbox are now accessible to the user. After the user has logged in, he/she will have seen the URLs of the pages within my website.

After the user logs out, I want to prevent them from just typing in the URLs of the pages within my website, and then gaining successful access to the website - I WANT the user to always need to sign in before accessing any pages in my website.




Thank you in advance to anyone who may help me resolve this problem.


Roy, I hope this gives you a better understanding of what I am trying to achieve with my website.



-j3nnif3r.

miranda
08-12-2004, 10:48 PM
Jennifer,

Using either method shown by Glenn and sxar will work. However, keep in mind that you will need to rename each page to .asp instead of .html. The method Glenn shows is what I have used on a number of sites that do not have a large server load.


Using this method you would do this to each page that is restricted:

    <%
    ' not logged in: send the visitor to the login page
    if session("user")="" then
        response.redirect "login.asp"
        response.end
    end if
    %>
    <html>
    <head>
    <title></title>
    </head>
    <body>

    </body>
    </html>


The logout.asp page only needs the following code:

    <%
    session("user") = ""
    session.abandon
    'you can redirect the user to the home page
    Response.Redirect "default.htm"
    %>
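
The session check from this thread combined with no-cache response headers, which is what makes the Back button after logout go to the server again and hit the check. This is an added example, not code posted by anyone in the thread; the file name auth_guard.asp and the Sub names are assumptions, while login.asp, default.htm and session("user") are the names used above.

```asp
<%
' ===== auth_guard.asp (hypothetical file name) =====
' Include as the first line of every restricted page, before any HTML:
'   <!-- #include file="auth_guard.asp" -->
' Only .asp pages run this check; a page left as .htm is served without it.

Sub SendNoCacheHeaders()
    ' Ask the browser and any proxy not to keep a copy of the page, so that
    ' pressing Back after logout causes a fresh request instead of showing
    ' the stored copy. Headers have to be set before any output is sent.
    Response.Expires = -1
    Response.CacheControl = "no-store, no-cache, must-revalidate"
    Response.AddHeader "Pragma", "no-cache"
End Sub

Sub RequireLogin()
    SendNoCacheHeaders
    ' session("user") is set by login.asp after the password check and is
    ' held on the server; the browser only carries the session ID cookie,
    ' so editing cookies on the client cannot set it.
    If Session("user") = "" Then
        Response.Redirect "login.asp"   ' Redirect also stops the page here
    End If
End Sub

RequireLogin
%>

<%
' ===== logout.asp (separate file) =====
Session.Contents.RemoveAll        ' drop "user" and every other value now
Session.Abandon                   ' release the session when this request ends
Response.Redirect "default.htm"   ' back to the public home page
%>
```

With both pieces in place, a typed-in URL and a Back press after logout follow the same path: the browser has no stored copy to show, requests the page, finds no session("user"), and is redirected to login.asp.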

Roy Sinclair
08-13-2004, 05:10 PM
Jennifer,

You've got some solutions offered here that'll work fine as long as your site doesn't start taking hundreds of hits per minute. If you expect a high volume of activity then using ASP session variables becomes a problem and you'll have to switch to using session cookies instead but that will make your site inaccessible to anyone who's blocking session cookies (there'll only be a few of those though).

If the users taking advantage of the "Back" button is also a problem, then you may also have to change your links to use the "location.replace" mechanism to prevent the history used by the back button from being created. That will, however, also block the use of the back button while a user is still logged in and may irritate your users. Be very careful about modifying any aspect of how the users interact with their browsers and only do so when the need for that is truly important.

j3nnif3r
08-14-2004, 07:35 PM
Hi Miranda.

I tried the script, but it did not work. I think I may be doing something wrong, could you help me?? I think it may be because I have not had a logout.asp page before. But I used your script for logout.asp, but is that all the scripting needed for the logout.asp page? Thanks again for your help.



-j3nnif3r.

miranda
08-15-2004, 06:59 AM
Hi Jennifer, what part does not work? Let's start from the beginning. On the page that handles the log in script you would have some code similar to the file I have attached that says login.asp. Then on every page that requires the user to be logged in you would use something similar to mynetwork.asp. Finally I have the logout page.

BTW these are all pages on one of my current projects.

I hope this helps

ghell
08-16-2004, 04:01 PM
most of my prev post was just about encrypting the cookies because they are stored on the client machine as plaintext (which is dodgy if you are storing sensitive data or you don't want it changed to log in as someone they aren't) but i did just say the session thing with cookies instead.. didn't say anything about the back thing but you could probably use javascript on each page to check that there is no forward history and if there is redirect them to the logout page

this javascript is probably something like

    if(history.go(1) != null) location.href = "http://.......logout.asp"

EDIT: however i'm not sure if this will hold a value or if you can use it without the go or what since i never use the javascript history thing...anyway.. onto the login security thing..



when they log in it sets the cookie:

    Response.Cookies("username") = strTheirUserName
    Response.Cookies("username").Expires = Date + 1 'will expire the cookie at the next server midnight so set the time/date you want

on each page perform

    if Request.Cookies("username") = "" then Response.Redirect "logout.asp"

on logout.asp put

    Response.Cookies("username").Expires = date - 1 'if the expiry date is yesterday it will delete the cookie
    Response.Redirect "login.asp"


