session variable inconsistency

Geoff Winsor

Hi,
I am experiencing a problem with recalling a session variable which stores
whether a person is logged in to a "members only" section of a website. This
area of the site has been working flawlessly for a couple of years under
Windows 2000 server but now is very inconsistent following a recent upgrade
to Windows server 2003. Following a login, the login info is passed to this
asp page that checks an Access database for the user name and password:

SET DbObject = Server.CreateObject ("ADODB.Connection")
DbObject.Open "DSN=pseudoCAP1;UID=;PWD="
set rs = server.createobject("adodb.recordset")
SET Rs = DbObject.Execute (SQL)

If Rs.EOF Then
Session("Authenticated") = 0
Response.Redirect ("unsuccessfulLogin.htm")
Else
Session("Authenticated") = 1
Session("user") = Request.Form("username")
End If
rs.close
set rs = nothing
DbObject.Close
set DbObject = nothing
response.redirect "main.asp"

If a correct password and username is provided, the user is always forwarded
to the main.asp member start page. I included a snippet of code while
troubleshooting to print the value of the authentication session variable
in the browser window to see if it was set (1=logged in, 0= not logged in).
However about 50% of the time, the following error occurs with our access
database and Authentication session variable is output as = 0:
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested
operation requires a current record.

C:\INETPUB\WWWROOT\SUBMISSIONS\../include/functions.inc, line 4



The way that this page is written though, even if the record was not present
(although it is when I open the database), the authentication should still
be set to 1. Refreshing the main.asp page will often eliminate the ADODB
error above and the session variable value of 1 will be returned.

The rest of the time, authentication is OK and a value of 1 is output.
However when the user goes to another page requiring authentication, they
are redirected back to the login.html page because the authentication
variable is once again set as zero!

Could this be an IIS 6.0 specific problem (I do have session state enabled
at default value of 20 min) ??

Or could there be some permissions problem related to a specific file (I
have checked the database as well as the related files and they all seem
OK)?

Thanks,
Geoff
 
Geoff Winsor

Hi James,
Here is the code for login.html, verify.asp (sets the session variable),
main.asp, a method in the functions.inc file (which contains a line referred
to in the previous error message) and a snippet of code from options.asp
that checks to see if the authentication variable is set. I hope it is not
too messy to read.

The important code for the login page:

<form action=verify.asp method=Post
enctype="application/x-www-form-urlencoded" name=start
Onsubmit="return validateForm(this);">
<table border=0 cellpadding=0 width="22%"
style='width:22.0%;mso-cellspacing:
1.5pt;mso-padding-alt:2.25pt 2.25pt 2.25pt 2.25pt'>
<tr><td width="47%" style='width:47.0%;padding:2.25pt 2.25pt 2.25pt
2.25pt'>
<p class=MsoNormal>Username:&nbsp;</p>
</td> <td width="53%" style='width:53.0%;padding:2.25pt 2.25pt 2.25pt
2.25pt'>
<p class=MsoNormal><INPUT TYPE="text" SIZE="15" NAME="username"></p>
</td></tr><tr>
<td width="47%" style='width:47.0%;padding:2.25pt 2.25pt 2.25pt 2.25pt'>
<p class=MsoNormal>Password:</p></td>
<td width="53%" style='width:53.0%;padding:2.25pt 2.25pt 2.25pt 2.25pt'>
<p class=MsoNormal><INPUT TYPE="password" SIZE="15" NAME="password"></p>
</td></tr><tr>
<td colspan=2 style='padding:2.25pt 2.25pt 2.25pt 2.25pt'>
<p class=MsoNormal><INPUT TYPE="submit" ACTION="verify.asp"
METHOD="Post" NAME="submit"
ACTION=verify.asp METHOD=Post></p>
</td></tr></table>
</form>

The asp code for the verify.asp page:

<%
SQL = "SELECT * FROM Researcher WHERE StrComp('" & Request.Form("username") _
& "', ResearcherID, 0)=0 AND StrComp(UserPassword, '" & _
Request.Form("password") & "', 0)=0"
SET DbObject = Server.CreateObject ("ADODB.Connection")
DbObject.Open "DSN=pseudoCAP1;UID=;PWD="
set rs = server.createobject("adodb.recordset")
SET Rs = DbObject.Execute (SQL)
If Rs.EOF Then
Session("Authenticated") = 0
Response.Redirect ("unsuccessfulLogin.htm")
Else
Session("Authenticated") = 1
Session("user") = Request.Form("username")
End If
rs.close
set rs = nothing
DbObject.Close
set DbObject = nothing
response.redirect "main.asp"
%>

The main.asp page (does not check for a login but provides links to pages
that do need an authentication):

<%@ Language=VBScript %>
<SCRIPT LANGUAGE="JavaScript" src="include/help_windows.js"></SCRIPT>
<!--#INCLUDE FILE="../include/functions.inc"-->
<%
'Declare ADOVBS constants
Const adOpenStatic = 3
Const adLockOptimistic = 3
Const adCmdText = &H0001
SQL = "SELECT * FROM Researcher R LEFT OUTER JOIN Institution I ON I.iName " & _
"= R.Institution AND I.Street = R.Street AND I.City = R.City WHERE " & _
"ResearcherID = '" & Session("user") & "'"
SET DbObject = Server.CreateObject ("ADODB.Connection")
DbObject.Open "DSN=pseudoCAP1"
set RS = server.createobject("adodb.recordset")
RS.Open SQL, DbObject, adOpenStatic, adLockOptimistic, adCMDText
%>
<p align="center"><form METHOD="post" NAME="query"
ACTION="../UpdatesSearchResultsU.asp" target=_blank
onMouseOut="MM_swapImgRestore()"
onMouseOver="MM_swapImage('history','','/images/viewHistory2.gif',1)"
onSubmit="return validRange(this);">
<input id="SearchStr1a" type="hidden" name="SearchStr1a" value="">
<input id="SearchStr1b" type="hidden" name="SearchStr1b" value="">
<input id="SearchStr1a_m" type="hidden" name="SearchStr1a_m" value="">
<input id="SearchStr1a_d" type="hidden" name="SearchStr1a_d" value="">
<input id="SearchStr1a_y" type="hidden" name="SearchStr1a_y" value="">
<input type="hidden" name="ord1" value="date_updated">
<input id="SearchStr1b_m" type="hidden" name="SearchStr1b_m" value="">
<input id="SearchStr2a_d" type="hidden" name="SearchStr1b_d" value="">
<input id="SearchStr2a_y" type="hidden" name="SearchStr1b_y" value="">
<input id="SearchStr4" type="hidden" name="SearchStr4"
maxlength="255">
<input id="viewRecent" type="hidden" name="viewRecent" value="false">
<input id="Field2" type="hidden" name="Field2" value="Participant">
<input id="SearchStr2" type="hidden" name="SearchStr2"
value="<%=getField(RS, "rLastName")%>">
<input name="history" type="image" border="0"
src="/images/viewHistory.gif" width="224" height="26" alt="View Submission
History">
</form></p><p>&nbsp;</p><p>If you have not already logged in, you will
have to do so <a href="login.html">here</a>.</p></td></tr></table>
<%
rs.Close
Set rs = Nothing
DbObject.close
Set DbObject = Nothing
%>
<p>&nbsp;</p>
</center>
</BODY>
</HTML>

A functions.inc file contains this function that is called in the form above
and is sometimes returned:

function getField(oRs, fieldIndex)
Strtemp = oRs(fieldIndex) ' this is the line referred to in the error returned in my browser
if isnull(strtemp) then
getField = ""
else
getField = Strtemp
end if
end function


Finally each page linked to from the main.asp page checks for the value of
the "Authentication" session variable:

<%
' Verify that the user has logged in
If Session("Authenticated") = 0 Then
Response.Redirect ("login.html")
End If
%>

I guess that is it. Thanks.
Geoff
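
The login check in verify.asp above, rewritten with bound ADO parameters so the form values are passed as data instead of being concatenated into the SQL string; this is an added example, not part of the original posts. The DSN, table, column and page names come from the thread; the 50-character field limit, and that the Jet ODBC driver accepts ? markers inside StrComp, are assumptions.

```vbscript
<%
Option Explicit
' Added example, not the poster's code. The 50-character limit is an assumption.
Const adCmdText = 1, adParamInput = 1, adVarChar = 200, MAX_LEN = 50

Dim conn, cmd, rs, userName, password, found
userName = Request.Form("username")
password = Request.Form("password")
found = False

' Reject empty or oversized input before it reaches the database.
If Len(userName) > 0 And Len(userName) <= MAX_LEN And _
   Len(password) > 0 And Len(password) <= MAX_LEN Then
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "DSN=pseudoCAP1;UID=;PWD="

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Positional ? markers are bound in order; input never becomes SQL text.
    cmd.CommandText = "SELECT ResearcherID FROM Researcher " & _
        "WHERE StrComp(?, ResearcherID, 0)=0 AND StrComp(UserPassword, ?, 0)=0"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, MAX_LEN, userName)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, MAX_LEN, password)

    Set rs = cmd.Execute
    found = Not rs.EOF
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
    conn.Close
    Set conn = Nothing
End If

' Decide once, after cleanup, so both outcomes release the connection.
If found Then
    Session("Authenticated") = 1
    Session("user") = userName
    Response.Redirect "main.asp"
Else
    Session("Authenticated") = 0
    Session("user") = ""
    Response.Redirect "unsuccessfulLogin.htm"
End If
%>
```

The query in main.asp concatenates Session("user") into its SQL in the same way and can be bound with the same Command pattern.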
 
Geoff Winsor

I think I found the source of the problem:

Last week I was experimenting with assigning more than one worker process to
the web garden under the application pool properties in IIS 6.0 (because I
had an incident where IIS stopped serving ASP pages, possibly due to a bug
in the jet database engine when using ODBC). From my limited understanding
of IIS it seems that during one session, multiple worker processes may be
assigned and that they don't have access to the session variable assigned to
another process; hence the reason for being forwarded to the login.html
page. I guess the occasional error on the main.asp page is a separate
matter.
Anyway, I switched back to allowing only one worker process and the problem
seems resolved.
Geoff
 
