jason kennedy wrote on 30 aug 2003 in
microsoft.public.inetserver.asp.general:
On 30 Aug 2003 12:56:19 GMT, "Evertjan."
Brian Burgess wrote on 30 aug 2003 in
microsoft.public.inetserver.asp.general:
It IS in the same session! .. the user is linking .. in fact this
all WAS working .. until I changed the code to only set the value
of a Session collection item IF that item did not already have a
value.
I think we would need to see that piece of code.
Well I tried two ways...
1st:
If (Session("login") = Empty) Then
    Session("login") = Request.Form("login")
End If
2nd:
If (Session("login") = "") Then
    Session("login") = Request.Form("login")
End If
I should also mention that the user could be transferred to this page
from some other pages .. in this case we would not have the
'Request.Form("login")' available to us. HOWEVER, in this case we
should have already been through the login process, and therefore the
Session collection item(login) should already be set.
looks like a logical flaw
on your login page, it would be better to use this
If Request.Form("login") <> "" then
    Session("login") = true
End if
if the user comes from another page having already logged in, to check
if session("login") <> true then
else
end if
[first I would like to stress, please do not underquote
<http://www.xs4all.nl/~wijnands/nnq/nquote.html>]
Brian is right, but do not accept the login confirmation from clientside,
that can be attacked.
"If true = true then" is superfluous, so this is enough:
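<%
' Already logged in: go straight to the main page.
If Session("loggedin") Then
    Response.redirect "mainpage.asp"
End If
' The credentials are checked on the server; only then is the flag set.
If Lcase(Request.Form("loginname")) = "john" AND _
   Request.Form("loginpassword") = "QWERty" then
    Session("loggedin") = true
    Response.redirect "mainpage.asp"
End If
' Anything else goes back to the login form.
Response.redirect "loginpage.asp"
%>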
==========================
And on mainpage.asp and all other pages:
<%
If NOT Session("loggedin") Then
    Response.redirect "loginpage.asp"
End If
%>
If you have far more than one name/password combination,
a database becomes useful.
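
The database-backed form of the login check above, as an added example that is not part of any poster's message. The `Application("ConnStr")` connection string and the `Users` table with its `LoginName` and `UserPassword` columns are assumptions; the stored value is compared as-is, like the hard-coded check in the post, so a site that stores password hashes would compare the hash at that point instead.

```vbscript
<%
Option Explicit
' Added example. Hypothetical names: Application("ConnStr"),
' table Users, columns LoginName and UserPassword.
Const adCmdText = 1, adVarChar = 200, adParamInput = 1

Dim loginName, loginPassword, conn, cmd, rs, ok
ok = False

' Already logged in: nothing to verify.
If Session("loggedin") Then Response.Redirect "mainpage.asp"

' Names are matched case-insensitively, as in the post (stored in lower case).
loginName = Left(LCase(Trim(Request.Form("loginname"))), 50)
loginPassword = Request.Form("loginpassword")

If loginName <> "" And loginPassword <> "" Then
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnStr")

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The name is passed as a bound parameter, never concatenated into the SQL.
    cmd.CommandText = "SELECT UserPassword FROM Users WHERE LoginName = ?"
    cmd.Parameters.Append _
        cmd.CreateParameter("name", adVarChar, adParamInput, 50, loginName)

    Set rs = cmd.Execute
    If Not rs.EOF Then
        ' & "" turns a Null column into an empty string, which can never
        ' match because empty passwords were rejected above.
        ok = (StrComp(rs("UserPassword").Value & "", loginPassword, _
                      vbBinaryCompare) = 0)
    End If
    rs.Close
    conn.Close
End If

' The session flag is set only after the server-side check has passed.
If ok Then
    Session("loggedin") = True
    Response.Redirect "mainpage.asp"
End If
Response.Redirect "loginpage.asp"
%>
```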