E
Eugene Anthony
In my login.asp I have the following code:
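<!--#include file="database_Function.asp"-->
<%
' login.asp: validates the posted credentials through usp_CheckLogin and,
' on success, forwards the browser to home.asp carrying the new session id.
Dim sSessionID, sMessage, sUser, sPassword, objCmd

' Normalise once. usp_CheckLogin declares both parameters varchar(20), so
' truncate here explicitly rather than letting the server do it silently.
sUser     = Left(Trim(LCase(Request.Form("usid"))), 20)
sPassword = Left(Trim(Request.Form("password")), 20)

' Only attempt a login when the form was actually submitted with both fields
' filled in; a plain GET or a half-filled form just renders the page again.
If Len(Request.Form("cmdSubmit")) > 0 And Len(sUser) > 0 And Len(sPassword) > 0 Then
    ' Bind the credentials as parameters instead of splicing them into an
    ' EXECUTE string: these values come straight from the request and must
    ' not be able to change the statement that runs.
    Call openDB
    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandType = 4                                                               ' adCmdStoredProc
    objCmd.CommandText = "usp_CheckLogin"
    objCmd.Parameters.Append objCmd.CreateParameter("@usID", 200, 1, 20, sUser)          ' adVarChar, adParamInput
    objCmd.Parameters.Append objCmd.CreateParameter("@password", 200, 1, 20, sPassword)  ' adVarChar, adParamInput
    Set rs = objCmd.Execute
    sSessionID = rs.Fields(0).Value
    rs.Close
    Set objCmd = Nothing
    Call CloseDB

    ' The procedure returns the int -1 on failure and a uniqueidentifier on
    ' success; compare as text so the two result types do not matter here.
    If CStr(sSessionID) = "-1" Then
        sMessage = "username or password invalid"
    Else
        Response.Redirect "home.asp?id=" & Server.URLEncode(sSessionID)
    End If
End If
%>
<html><head><title>login page</title></head>
<body>
<form method="post" action="login.asp">
<table>
<tr><td colspan="2"><h3>Login Page</h3></td></tr>
<tr><td colspan="2"><% = sMessage %></td></tr>
<tr>
<td>user name</td>
<% ' Encode the echoed value: it is request input being written into markup. %>
<td><input type="text" name="usid"
value="<% = Server.HTMLEncode(Request.Form("usid")) %>"></td>
</tr>
<tr>
<td>password</td>
<% ' The submitted password is deliberately not echoed back into the page. %>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="cmdSubmit" value="login"></td>
</tr>
</table>
</form>
</body>
</html>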
In my home.asp I have the following code:
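<!--#include file="database_Function.asp"-->
<%
' home.asp: admits the request only when the id in the query string is a live
' session. usp_CheckSessionID returns 0 (and refreshes LastUpdate) for a live
' session and -1 for anything else.
Dim sId, objCmd, nResult

sId = Trim(Request.QueryString("id"))
If Len(sId) = 0 Then
    Response.Redirect "login.asp"
End If

' The id arrives as a GUID string with braces; strip them so it matches the
' CONVERT(varchar, uniqueidentifier) form that usp_CheckLogin stores.
' NOTE(review): the stored value is upper-case hex while this side lower-cases;
' the match relies on a case-insensitive collation - confirm against the DB.
sId = LCase(Replace(Replace(sId, "{", ""), "}", ""))

' Pass the id as a bound parameter: it is request input, and removing braces
' is not a substitute for keeping it out of the statement text.
Call openDB
Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = 4                                                             ' adCmdStoredProc
objCmd.CommandText = "usp_CheckSessionID"
objCmd.Parameters.Append objCmd.CreateParameter("@sessionID", 200, 1, 255, sId)   ' adVarChar, adParamInput
Set rs = objCmd.Execute
nResult = rs.Fields(0).Value
rs.Close
Set objCmd = Nothing
Call CloseDB

If nResult = -1 Then
    Response.Redirect "login.asp"
End If
%>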
In my database_Function.asp I have the following code:
<%
' Shared ADO connection and recordset used by every page that includes this file.
Dim objConn, rs
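sub openDB()
    ' Connect to the database once per request; a second call while the
    ' connection is already open reuses it instead of leaking the first one.
    If IsObject(objConn) Then
        If Not (objConn Is Nothing) Then
            If objConn.State = 1 Then Exit Sub          ' adStateOpen
        End If
    End If
    Set objConn = Server.CreateObject("ADODB.Connection")
    ' NOTE(review): the database login is embedded in page source; move it to a
    ' protected configuration value so this file carries no secrets.
    ' The connection string is one literal - it must not be wrapped across lines.
    objConn.Open "PROVIDER=SQLOLEDB;DATA SOURCE=127.0.0.1;UID=mama;PWD=papa;DATABASE=Godson"
end sub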
sub updateDB(SQL,rs)
    ' Execute SQL on the shared connection and hand the resulting recordset
    ' back through rs. The caller is responsible for calling closeDB afterwards.
    Call openDB
    Set rs = objConn.Execute(SQL)
end sub
sub getFromDB(SQL,rs,filename)
    ' Run a read-only query through a static (scrollable) recordset.
    ' `filename` is accepted for interface compatibility but is not used here.
    Call openDb
    Set rs = Server.CreateObject("ADODB.Recordset")
    With rs
        .LockType = adLockReadOnly
        .CursorType = adOpenStatic
        .Open SQL, objConn
    End With
end sub
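sub closeDB()
    ' Release the shared connection. Safe to call when nothing is open, e.g.
    ' on an early-exit path that never reached openDB.
    If IsObject(objConn) Then
        If Not (objConn Is Nothing) Then
            If objConn.State <> 0 Then objConn.Close   ' adStateClosed = 0
        End If
    End If
    Set objConn = Nothing
end sub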
%>
These are the tables and procedures created in MS SQL:
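-- One row per user. The primary key is the session token, so every row must
-- always carry a SessionID value; there is no separate user key.
CREATE TABLE tbl_users
(
    SessionID  varchar(255)  NOT NULL,
    usID       varchar(20)   NOT NULL,
    -- SECURITY: stored and compared in cleartext by usp_CheckLogin. Store a
    -- salted hash instead and compare hashes in the procedure.
    Password   varchar(20),
    LastUpdate smalldatetime,
    CONSTRAINT tbl_users_pk PRIMARY KEY (SessionID),
    -- usp_CheckLogin updates every row matching usID with the same new
    -- SessionID; two rows sharing a usID would collide on the primary key.
    CONSTRAINT tbl_users_usid_uq UNIQUE (usID)
);
-- CREATE PROCEDURE must start its own batch, so end this one here.
GO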
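-- Validate a session token and, when it is still live, slide its idle window.
-- Returns one row: 0 when @sessionID exists and was last touched within the
-- last 20 minutes (LastUpdate is refreshed), -1 otherwise.
CREATE PROCEDURE usp_CheckSessionID
    @sessionID varchar(255)
AS
    SET NOCOUNT ON;

    -- One UPDATE instead of EXISTS-then-UPDATE: the liveness test and the
    -- refresh run as a single statement, so a session cannot expire between
    -- the check and the touch. 20 is the idle timeout in minutes.
    UPDATE tbl_users
    SET    LastUpdate = GETDATE()
    WHERE  sessionID = @sessionID
      AND  DATEDIFF(minute, LastUpdate, GETDATE()) <= 20;

    IF @@ROWCOUNT > 0
    BEGIN
        SELECT 0;
    END
    ELSE
    BEGIN
        SELECT -1;
    END

    RETURN;
GO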
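-- Authenticate a user and start a new session for them.
-- Returns one row: the new session uniqueidentifier when a row matches
-- @usID/@password (its SessionID and LastUpdate are replaced), -1 otherwise.
CREATE PROCEDURE usp_CheckLogin
    @usID     varchar(20),
    @password varchar(20)
AS
    SET NOCOUNT ON;

    DECLARE @sessionID uniqueidentifier;
    DECLARE @session   varchar(255);

    SET @sessionID = NEWID();
    -- CONVERT yields the upper-case, brace-less form; that is what home.asp
    -- must present back in @sessionID of usp_CheckSessionID.
    SET @session   = CONVERT(varchar(255), @sessionID);

    -- SECURITY: credentials are matched by plain equality against a cleartext
    -- Password column, and varchar(20) silently truncates longer input. A
    -- salted-hash compare is the fix, but it needs the table and login page
    -- to change first, so it is only flagged here.
    -- One UPDATE instead of EXISTS-then-UPDATE: the match and the session
    -- issue happen in a single statement.
    UPDATE tbl_users
    SET    sessionID  = @session,
           LastUpdate = GETDATE()
    WHERE  usID = @usID
      AND  password = @password;

    IF @@ROWCOUNT > 0
    BEGIN
        SELECT @sessionID;
    END
    ELSE
    BEGIN
        SELECT -1;
    END

    RETURN;
GO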
Everything works fine. However, there is a problem:
My login.asp page requires me to enter the username and password, and it
works fine. When I enter a valid username and password it redirects me to
home.asp with a link like the following, for example:
http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505}.
This works fine. However, in terms of security, the link
http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505}
will keep working for as long as (SELECT top 1 * FROM tbl_users WHERE
sessionID=@sessionID AND DATEDIFF(n,LastUpdate,GETDATE())<=20) is true, even
when I close my browser window, open it again and type
http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505}.
Is there a way to keep id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505} hidden
across different pages, for security purposes, without using session
variables, cookies or the query string?
Your help is kindly appreciated.
Regards
Eugene Anthony
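<!--#include file="database_Function.asp"-->
<%
' login.asp: validates the posted credentials through usp_CheckLogin and,
' on success, forwards the browser to home.asp carrying the new session id.
Dim sSessionID, sMessage, sUser, sPassword, objCmd

' Normalise once. usp_CheckLogin declares both parameters varchar(20), so
' truncate here explicitly rather than letting the server do it silently.
sUser     = Left(Trim(LCase(Request.Form("usid"))), 20)
sPassword = Left(Trim(Request.Form("password")), 20)

' Only attempt a login when the form was actually submitted with both fields
' filled in; a plain GET or a half-filled form just renders the page again.
If Len(Request.Form("cmdSubmit")) > 0 And Len(sUser) > 0 And Len(sPassword) > 0 Then
    ' Bind the credentials as parameters instead of splicing them into an
    ' EXECUTE string: these values come straight from the request and must
    ' not be able to change the statement that runs.
    Call openDB
    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandType = 4                                                               ' adCmdStoredProc
    objCmd.CommandText = "usp_CheckLogin"
    objCmd.Parameters.Append objCmd.CreateParameter("@usID", 200, 1, 20, sUser)          ' adVarChar, adParamInput
    objCmd.Parameters.Append objCmd.CreateParameter("@password", 200, 1, 20, sPassword)  ' adVarChar, adParamInput
    Set rs = objCmd.Execute
    sSessionID = rs.Fields(0).Value
    rs.Close
    Set objCmd = Nothing
    Call CloseDB

    ' The procedure returns the int -1 on failure and a uniqueidentifier on
    ' success; compare as text so the two result types do not matter here.
    If CStr(sSessionID) = "-1" Then
        sMessage = "username or password invalid"
    Else
        Response.Redirect "home.asp?id=" & Server.URLEncode(sSessionID)
    End If
End If
%>
<html><head><title>login page</title></head>
<body>
<form method="post" action="login.asp">
<table>
<tr><td colspan="2"><h3>Login Page</h3></td></tr>
<tr><td colspan="2"><% = sMessage %></td></tr>
<tr>
<td>user name</td>
<% ' Encode the echoed value: it is request input being written into markup. %>
<td><input type="text" name="usid"
value="<% = Server.HTMLEncode(Request.Form("usid")) %>"></td>
</tr>
<tr>
<td>password</td>
<% ' The submitted password is deliberately not echoed back into the page. %>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="cmdSubmit" value="login"></td>
</tr>
</table>
</form>
</body>
</html>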
In my home.asp I have the following code:
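<!--#include file="database_Function.asp"-->
<%
' home.asp: admits the request only when the id in the query string is a live
' session. usp_CheckSessionID returns 0 (and refreshes LastUpdate) for a live
' session and -1 for anything else.
Dim sId, objCmd, nResult

sId = Trim(Request.QueryString("id"))
If Len(sId) = 0 Then
    Response.Redirect "login.asp"
End If

' The id arrives as a GUID string with braces; strip them so it matches the
' CONVERT(varchar, uniqueidentifier) form that usp_CheckLogin stores.
' NOTE(review): the stored value is upper-case hex while this side lower-cases;
' the match relies on a case-insensitive collation - confirm against the DB.
sId = LCase(Replace(Replace(sId, "{", ""), "}", ""))

' Pass the id as a bound parameter: it is request input, and removing braces
' is not a substitute for keeping it out of the statement text.
Call openDB
Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = 4                                                             ' adCmdStoredProc
objCmd.CommandText = "usp_CheckSessionID"
objCmd.Parameters.Append objCmd.CreateParameter("@sessionID", 200, 1, 255, sId)   ' adVarChar, adParamInput
Set rs = objCmd.Execute
nResult = rs.Fields(0).Value
rs.Close
Set objCmd = Nothing
Call CloseDB

If nResult = -1 Then
    Response.Redirect "login.asp"
End If
%>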
In my database_Function.asp I have the following code:
<%
' Shared ADO connection and recordset used by every page that includes this file.
Dim objConn, rs
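sub openDB()
    ' Connect to the database once per request; a second call while the
    ' connection is already open reuses it instead of leaking the first one.
    If IsObject(objConn) Then
        If Not (objConn Is Nothing) Then
            If objConn.State = 1 Then Exit Sub          ' adStateOpen
        End If
    End If
    Set objConn = Server.CreateObject("ADODB.Connection")
    ' NOTE(review): the database login is embedded in page source; move it to a
    ' protected configuration value so this file carries no secrets.
    ' The connection string is one literal - it must not be wrapped across lines.
    objConn.Open "PROVIDER=SQLOLEDB;DATA SOURCE=127.0.0.1;UID=mama;PWD=papa;DATABASE=Godson"
end sub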
sub updateDB(SQL,rs)
    ' Execute SQL on the shared connection and hand the resulting recordset
    ' back through rs. The caller is responsible for calling closeDB afterwards.
    Call openDB
    Set rs = objConn.Execute(SQL)
end sub
sub getFromDB(SQL,rs,filename)
    ' Run a read-only query through a static (scrollable) recordset.
    ' `filename` is accepted for interface compatibility but is not used here.
    Call openDb
    Set rs = Server.CreateObject("ADODB.Recordset")
    With rs
        .LockType = adLockReadOnly
        .CursorType = adOpenStatic
        .Open SQL, objConn
    End With
end sub
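sub closeDB()
    ' Release the shared connection. Safe to call when nothing is open, e.g.
    ' on an early-exit path that never reached openDB.
    If IsObject(objConn) Then
        If Not (objConn Is Nothing) Then
            If objConn.State <> 0 Then objConn.Close   ' adStateClosed = 0
        End If
    End If
    Set objConn = Nothing
end sub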
%>
These are the tables and procedures created in MS SQL:
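-- One row per user. The primary key is the session token, so every row must
-- always carry a SessionID value; there is no separate user key.
CREATE TABLE tbl_users
(
    SessionID  varchar(255)  NOT NULL,
    usID       varchar(20)   NOT NULL,
    -- SECURITY: stored and compared in cleartext by usp_CheckLogin. Store a
    -- salted hash instead and compare hashes in the procedure.
    Password   varchar(20),
    LastUpdate smalldatetime,
    CONSTRAINT tbl_users_pk PRIMARY KEY (SessionID),
    -- usp_CheckLogin updates every row matching usID with the same new
    -- SessionID; two rows sharing a usID would collide on the primary key.
    CONSTRAINT tbl_users_usid_uq UNIQUE (usID)
);
-- CREATE PROCEDURE must start its own batch, so end this one here.
GO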
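-- Validate a session token and, when it is still live, slide its idle window.
-- Returns one row: 0 when @sessionID exists and was last touched within the
-- last 20 minutes (LastUpdate is refreshed), -1 otherwise.
CREATE PROCEDURE usp_CheckSessionID
    @sessionID varchar(255)
AS
    SET NOCOUNT ON;

    -- One UPDATE instead of EXISTS-then-UPDATE: the liveness test and the
    -- refresh run as a single statement, so a session cannot expire between
    -- the check and the touch. 20 is the idle timeout in minutes.
    UPDATE tbl_users
    SET    LastUpdate = GETDATE()
    WHERE  sessionID = @sessionID
      AND  DATEDIFF(minute, LastUpdate, GETDATE()) <= 20;

    IF @@ROWCOUNT > 0
    BEGIN
        SELECT 0;
    END
    ELSE
    BEGIN
        SELECT -1;
    END

    RETURN;
GO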
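-- Authenticate a user and start a new session for them.
-- Returns one row: the new session uniqueidentifier when a row matches
-- @usID/@password (its SessionID and LastUpdate are replaced), -1 otherwise.
CREATE PROCEDURE usp_CheckLogin
    @usID     varchar(20),
    @password varchar(20)
AS
    SET NOCOUNT ON;

    DECLARE @sessionID uniqueidentifier;
    DECLARE @session   varchar(255);

    SET @sessionID = NEWID();
    -- CONVERT yields the upper-case, brace-less form; that is what home.asp
    -- must present back in @sessionID of usp_CheckSessionID.
    SET @session   = CONVERT(varchar(255), @sessionID);

    -- SECURITY: credentials are matched by plain equality against a cleartext
    -- Password column, and varchar(20) silently truncates longer input. A
    -- salted-hash compare is the fix, but it needs the table and login page
    -- to change first, so it is only flagged here.
    -- One UPDATE instead of EXISTS-then-UPDATE: the match and the session
    -- issue happen in a single statement.
    UPDATE tbl_users
    SET    sessionID  = @session,
           LastUpdate = GETDATE()
    WHERE  usID = @usID
      AND  password = @password;

    IF @@ROWCOUNT > 0
    BEGIN
        SELECT @sessionID;
    END
    ELSE
    BEGIN
        SELECT -1;
    END

    RETURN;
GO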
Everything works fine. However, there is a problem:
My login.asp page requires me to enter the username and password, and it
works fine. When I enter a valid username and password it redirects me to
home.asp with a link like the following, for example:
http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505}.
This works fine. However, in terms of security, the link
http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505}
will keep working for as long as (SELECT top 1 * FROM tbl_users WHERE
sessionID=@sessionID AND DATEDIFF(n,LastUpdate,GETDATE())<=20) is true, even
when I close my browser window, open it again and type
http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505}.
Is there a way to keep id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505} hidden
across different pages, for security purposes, without using session
variables, cookies or the query string?
Your help is kindly appreciated.
Regards
Eugene Anthony