Restrict Access Problem

Paul

Hi all, at present I've built a website which can be updated by admin and
users.



My problem: I've combined "log in" and "access levels" to restrict access to
certain pages, using the built-in "log in" and "user authentication,
restrict access to page" features. But I find that after login I constantly
get redirected from the restricted pages.

I.e. admins get redirected even though they meet the security level.



Can anyone help?



Below are portions of the code to help.

I'm using Dreamweaver MX 7.01 and XP SP 2.



Login database



Username   password   security
Peter      bongo      Admin
Patrick    peach      client



"Log in" web page code



<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
MM_valUsername=CStr(Request.Form("username"))
If MM_valUsername <> "" Then
  ' Column that holds the access level, and the two redirect targets
  MM_fldUserAuthorization="security"
  MM_redirectLoginSuccess="welldone.asp"
  MM_redirectLoginFailed="Login.asp"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_LoginTest_STRING
  ' Build the lookup query; single quotes in the submitted values are doubled
  MM_rsUser.Source = "SELECT username, password"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  MM_rsUser.Source = MM_rsUser.Source & " FROM Login WHERE username='" & Replace(MM_valUsername,"'","''") &"' AND password='" & Replace(Request.Form("password"),"'","''") & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    ' Store the access level read from the "security" column in the session
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    ' "And false" disables returning to the URL passed in accessdenied
    if CStr(Request.QueryString("accessdenied")) <> "" And false Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  ' No matching row: send the user back to the login page
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>

Restricted web page



<%
' *** Restrict Access To Page: Grant or deny access to this page
MM_authorizedUsers="Admin"
MM_authFailedURL="NoPermission.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
  ' Access is granted when the stored level is empty, or when it occurs
  ' anywhere inside MM_authorizedUsers (InStr is a substring match)
  If (false Or CStr(Session("MM_UserAuthorization"))="") Or _
     (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
If Not MM_grantAccess Then
  ' Append the requested URL as accessdenied=... and redirect
  MM_qsChar = "?"
  If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
  MM_referrer = Request.ServerVariables("URL")
  if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
  MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
  Response.Redirect(MM_authFailedURL)
End If
%>
 
Christopher Williams

I say redirecting users around like that is a bad idea.
You should be dynamically tailoring the content based on who is logged in,
not redirecting people all over the place. It is only going to cause issues
and complicate things because even after the redirect you still need to make
sure the places you send them only allow the intended users. You're basically
doing a lot more work than you need to.

Christopher Williams
www.PowerASP.com
www.CJWSoft.com
 
Paul

Hi Christopher, at present my admin pages are visible by everybody. I'm
trying to prevent this whilst giving certain users more administrative
features. I'm assuming that I would still use access levels if I dynamically
tailored the content? If so, there lies my problem. For something which
should seem so simple I'm having a nightmare. I've used the built-in "log in"
and "restrict access" features in Dreamweaver but they don't seem to work.
Is there any special preparation, session or something? All I'm using for
login is a login database containing username, password, accesslevel
fields, all spelt correctly.



I feel the sessions aren't getting passed from the login page. Is there any
way of checking this?





' *** Restrict Access To Page: Grant or deny access to this page
MM_authorizedUsers="Admin"
MM_authFailedURL="NoPermission.asp"
MM_grantAccess=false

If Session("MM_Username") <> "" Then
  If (false Or CStr(Session("MM_UserAuthorization"))="") Or _
     (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
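
One way to check what the session holds, as an added example (not part of the thread and not Dreamweaver-generated code): a hypothetical SessionCheck.asp that prints the two session values the login page sets and evaluates the generated test beside a whole-value comparison. The file name, the AUTHORIZED_LEVELS constant and the LevelAllowed helper are assumptions made for illustration.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' SessionCheck.asp (hypothetical name). Added diagnostic, not Dreamweaver output.
' Log in first, then request this page in the same browser window.
Response.Expires = -1
Response.ContentType = "text/plain"   ' plain text, so values are shown as-is

' Assumption: the same list the restricted page puts in MM_authorizedUsers.
Const AUTHORIZED_LEVELS = "Admin"

' Stricter alternative: whole-value, case-insensitive match; empty never passes.
Function LevelAllowed(allowedList, level)
    Dim entry
    LevelAllowed = False
    If Len(Trim(level)) = 0 Then Exit Function
    For Each entry In Split(allowedList, ",")
        If StrComp(Trim(entry), Trim(level), vbTextCompare) = 0 Then
            LevelAllowed = True
            Exit Function
        End If
    Next
End Function

Dim userName, userLevel, generatedResult, exactResult
userName = CStr(Session("MM_Username"))
userLevel = CStr(Session("MM_UserAuthorization"))

' Same test as the generated "Restrict Access To Page" block:
' an empty level or any substring of the list is accepted.
generatedResult = False
If userName <> "" Then
    If (False Or userLevel = "") Or (InStr(1, AUTHORIZED_LEVELS, userLevel) >= 1) Then
        generatedResult = True
    End If
End If
exactResult = (userName <> "") And LevelAllowed(AUTHORIZED_LEVELS, userLevel)

' Brackets and lengths expose empty values and stray spaces.
Response.Write "SessionID            : " & Session.SessionID & vbCrLf
Response.Write "MM_Username          : [" & userName & "] len=" & Len(userName) & vbCrLf
Response.Write "MM_UserAuthorization : [" & userLevel & "] len=" & Len(userLevel) & vbCrLf
Response.Write "Generated test grants: " & generatedResult & vbCrLf
Response.Write "Exact-match grants   : " & exactResult & vbCrLf
%>
```

If both values print empty and SessionID changes on every request, the browser is not returning the ASP session cookie, so each page starts a new session.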
 
Christopher Williams

Well, I won't lie to you.
I sell this and it would probably solve all your problems as it takes care
of everything for you.

www.aspprotect.com

You need to ask yourself if all this time you are spending on this is worth
the aggravation or if it is better to just buy something that takes care of
it and has been time tested.

I don't think you are going to get the answers you are looking for in these
newsgroups.

Take Care,
--
Christopher Williams

www.PowerASP.com
www.CJWSoft.com
 
