
Problems with login script



sagat
08-25-2004, 11:58 PM
Hi all, I am having problems with the login script. This is the validate script:
<%
'Save the entered username and password
Username = Request.Form("Username")
Password = Request.Form("Password")

'Build connection with database
set conn = server.CreateObject ("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & server.MapPath ("netteh.mdb")
set rs = server.CreateObject ("ADODB.Recordset")
'Open record with entered username
rs.Open "SELECT * FROM Students where Username='"& Username &"'", conn, 1

'If there is no record with the entered username, close connection
'and go back to login with QueryString
If rs.recordcount = 0 then
rs.close
conn.close
set rs=nothing
set conn=nothing
Response.Redirect("login.asp?login=namefailed")
end if

'If entered password is right, close connection and open mainpage
if rs("password") = Password then
Session("name") = rs("Firstname")
rs.Close
conn.Close
set rs=nothing
set conn=nothing
Response.Redirect("default.asp")
'If entered password is wrong, close connection
'and return to login with QueryString
else
rs.Close
conn.Close
set rs=nothing
set conn=nothing
Response.Redirect("login.asp?login=passfailed")
end if

%>

I have another question: how do you display sessions, for example the username, and how do you display tables on the screen? I know in ColdFusion there is usually an application file that usually contains sessions built in. Any help with the login script (or a new one) and the other question would be great.

Thanx

Morgoth
08-26-2004, 01:26 AM
Next time, please use [code] tags.

It would also help if you gave us the error that you get.

I tested the code and created a simple access db and it worked fine.
1) I redirected to "default.asp" with a correct username and password.
2) I redirected to "login.asp?login=namefailed" with an incorrect username.
3) I redirected to "login.asp?login=passfailed" with an incorrect password.

You need to tell us exactly what your error is.

Edit:
Sessions: http://www.w3schools.com/asp/asp_sessions.asp

<%
Response.Write Session("name")
%>

sagat
08-26-2004, 02:49 PM
Thanks, it worked; it was an error on my part.

raf
08-26-2004, 03:01 PM
Are we allowed to say that your script is insecure and inefficient, or doesn't that interest you / will that offend you?

Morgoth
08-26-2004, 10:09 PM
Raf is right, having your script run the way it is can allow someone to crack into the admin account. Not a very secure way of finding out if the username is in the database.

newkid
08-27-2004, 03:15 AM
Hey Raf, Morgoth,
Would you guys take a look at the code I'm using, please? Does this also suffer from being insecure and inefficient? Any suggestions appreciated.

Thanks
J.C



<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<%
Option Explicit

Dim cnnLogin
Dim rstLogin
Dim strUsername, strPassword
Dim strSQL
Dim strName
strName = "valid"

%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Block Sales Leads (LGIN)</title>
<link rel="stylesheet" type="text/css" href="Block_Style.css">
</head>

<body>
<SCRIPT LANGUAGE=vbscript>
<!--
Sub window_onload
logform.login.focus
End sub
-->
</Script>
<div id="container">
<div id="header">
<h1>Ridley Block Operations<br/>
Sales Leads</h1>
<h3>Login Page</h3>
</div>
<div id="content">
<div id="menu">
</div>
<div id="content2">
This site is for RFI Block OFFICIAL use only.
<h2> </h2>
<%
If Request.Form("action") <> "validate_login" Then
%>
<form name="logform" id="logform" method="post" action="index.asp">
<input type="hidden" name="action" value="validate_login" />
<table border="0">
<tr>
<td align="right">User-ID:</td>
<td><input type="text" name="login" id="login" /></td>
</tr>
<tr>
<td align="right">Password:</td>
<td><input type="password" name="password" /></td>
</tr>
<tr>
<td align="right"></td>
<td><input type="submit" VALUE="Login" /></td>
</tr>
</table>
</form>
<%
Else
strSQL = "SELECT * FROM tblLoginInfo " _
& "WHERE username='" & Replace(Request.Form("login"), "'", "''") & "' " _
& "AND password='" & Replace(Request.Form("password"), "'", "''") & "';"

Set cnnLogin = Server.CreateObject("ADODB.Connection")
cnnLogin.Open("DRIVER={Microsoft Access Driver (*.mdb)};" _
& "DBQ=" & Server.MapPath("Data\login.mdb"))

Set rstLogin = cnnLogin.Execute(strSQL)

If Not rstLogin.EOF Then
Session("LoggedIn") = True
Response.redirect "SalesLeads_Menu.asp"
<%
Else
%>
<div align="center">
<p align="center"><font size="4" face="arial,helvetica"><strong>
Login Failed - Please verify username and password.
</strong></font></p>
<p align="center">
<a href="index.asp">Return to Login Screen</a>
</p>
</div>
<%
'Response.End
End If

' Clean Up
rstLogin.Close
Set rstLogin = Nothing
cnnLogin.Close
Set cnnLogin = Nothing
End If
%>
</div>
</div>
</div>
<div id="footer">
For comments, questions or to report dead links - Please E-Mail <a href="mailto:webmaster@ridleyinc.com?subject=Web%20Page%20Request&amp;body=Please%20enter%20your%20request%20here" style="color: #FFFFFF">Webmaster</a>
</div>
</div>
</body>
</html>

glenngv
08-27-2004, 04:49 AM
Hey Raf, Morgoth,
Would you guys take a look at the code I'm using, please? Does this also suffer from being insecure and inefficient? Any suggestions appreciated.

Thanks
J.C

Learn more about SQL Injection Attack (http://www.sitepoint.com/article/sql-injection-attacks-safe)
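The two scripts above build their SQL by concatenating form input into the statement text (the first one without any quoting, the second one by doubling single quotes), and the first one also tells the caller whether it was the username or the password that failed. The following rewrite of the validate script is an added example, not code posted by sagat, newkid or anyone else in this thread. It keeps sagat's table and column names (Students, Username, Password, Firstname, netteh.mdb) and session variable, and assumes that login.asp is changed to handle a single "login=failed" value; the same ADODB.Command pattern applies to newkid's tblLoginInfo query. The username is passed as a bound parameter rather than as SQL text, both failure cases redirect to the same place, and the password comparison is binary (Jet's own string comparison is case-insensitive).

```vbscript
<%
Option Explicit

' ADO constants, normally taken from adovbs.inc; spelled out so the page
' runs without that include.
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

Dim Username, Password, conn, cmd, rs, loginOk

Username = Request.Form("Username")
Password = Request.Form("Password")

' Reject empty or oversized input before opening the database. The length
' limits are assumptions about the schema, not values from the thread.
If Len(Username) = 0 Or Len(Username) > 50 Or Len(Password) = 0 Or Len(Password) > 128 Then
    Response.Redirect "login.asp?login=failed"
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("netteh.mdb")

' Parameterised query: the username travels as a bound value and never
' becomes part of the statement text, so quote characters in the input
' cannot change the query. PASSWORD is a reserved word in Jet SQL, hence
' the brackets. Only the columns that are needed are selected.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT Firstname, [Password] FROM Students WHERE Username = ?"
cmd.CommandType = adCmdText
cmd.Parameters.Append cmd.CreateParameter("Username", adVarWChar, adParamInput, 50, Username)

Set rs = cmd.Execute

' One outcome flag and one failure redirect: an unknown username and a wrong
' password look identical to the caller, so the page no longer confirms
' which usernames exist in the database.
loginOk = False
If Not rs.EOF Then
    ' StrComp with vbBinaryCompare makes the password check exact.
    ' This still compares the stored value as the thread's table holds it;
    ' storing and comparing a password hash instead is the next step.
    If StrComp(rs("Password") & "", Password, vbBinaryCompare) = 0 Then
        loginOk = True
        Session("name") = rs("Firstname")
    End If
End If

' Release the database objects on every path before redirecting, since
' Response.Redirect ends processing of the page.
rs.Close
Set rs = Nothing
Set cmd = Nothing
conn.Close
Set conn = Nothing

If loginOk Then
    Response.Redirect "default.asp"
Else
    Response.Redirect "login.asp?login=failed"
End If
%>
```

The `& ""` on the stored value turns a NULL password column into an empty string so StrComp does not error; because the input length check already rejects an empty submitted password, a row with no password set can never match. Selecting the password column and comparing in script, rather than putting both username and password in the WHERE clause as the second script does, keeps the comparison exact and keeps the password out of the SQL statement entirely.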

Morgoth
08-27-2004, 06:26 AM
Learn more about SQL Injection Attack (http://www.sitepoint.com/article/sql-injection-attacks-safe)

There is a pdf file of the white papers some where, I will see if I can find it. :thumbsup:


