session

Discussion in 'ASP General' started by Eugene Anthony, Jul 4, 2005.

  1. In my login.asp I have the following code:

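    <!--#include file="database_Function.asp"-->

    <%
    ' login.asp - asks for a user name / password, validates the pair through
    ' usp_CheckLogin and, on success, sends the browser to home.asp carrying the
    ' session id the procedure issued.  Form field names (usid, password,
    ' cmdSubmit), the action target and the redirect target are unchanged.
    Dim sSessionID, sMessage, sUsid, sPassword, objCmd

    ' Normalise the two inputs once; both the query and the display logic below
    ' use the same values (user name lower-cased, both trimmed, as before).
    sUsid = Trim(LCase("" & Request.Form("usid")))
    sPassword = Trim("" & Request.Form("password"))

    If Len(Request.Form("cmdSubmit")) > 0 Then

        ' Request.Form values are untrusted.  The original page spliced them
        ' into an "EXECUTE usp_CheckLogin @usid='...'" string, so a single quote
        ' in either field rewrote the statement.  Binding them as typed ADO
        ' parameters keeps them as data whatever they contain.
        ' openDB(), objConn, rs and CloseDB() come from database_Function.asp.
        openDB()
        Set objCmd = Server.CreateObject("ADODB.Command")
        Set objCmd.ActiveConnection = objConn
        objCmd.CommandText = "usp_CheckLogin"
        objCmd.CommandType = 4   ' adCmdStoredProc
        ' 200 = adVarChar, 1 = adParamInput; sizes match the procedure's varchar(20)
        objCmd.Parameters.Append objCmd.CreateParameter("@usid", 200, 1, 20, sUsid)
        objCmd.Parameters.Append objCmd.CreateParameter("@password", 200, 1, 20, sPassword)
        Set rs = objCmd.Execute

        ' First column is either the new uniqueidentifier or the integer -1.
        sSessionID = rs.Fields(0).Value
        rs.Close
        Set objCmd = Nothing
        CloseDB()

    End If

    ' NOTE(review): this block runs even when cmdSubmit was not posted; in that
    ' case sSessionID is Empty, the -1 test is False and the redirect carries an
    ' empty id (home.asp then bounces back here).  Kept as in the original.
    If Len(sUsid) > 0 And Len(sPassword) > 0 Then

        If sSessionID = -1 Then
            sMessage = "username or password invalid"
        Else
            ' The original also wrote a hidden <input> here; Response.Redirect
            ' discards the body, so it never reached the browser and is dropped.
            Response.Redirect "home.asp?id=" & sSessionID
        End If

    End If
    %>

    <html><head><title>login page</title></head>
    <body>
    <form method="post" action="login.asp">
    <table>
    <tr><td colspan="2"><h3>Login Page</h3></td></tr>
    <tr><td colspan="2"><% = sMessage %></td></tr>
    <tr>
    <td>user name</td>
    <%' The posted value is reflected into the page, so it is HTML-encoded
      ' before being written into the attribute. %>
    <td><input type="text" name="usid"
    value="<% = Server.HTMLEncode("" & Request.Form("usID")) %>"></td>
    </tr>
    <tr>
    <td>password</td>
    <%' The submitted password is no longer echoed back into the page source;
      ' the field is simply left empty after a failed attempt. %>
    <td><input type="password" name="password" value=""></td>
    </tr>
    <tr>
    <td> </td>
    <td><input type="submit" name="cmdSubmit" value="login"></td>
    </tr>
    </table>
    </form>
    </body>
    </html>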


    In my home.asp I have the following code:

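    <!--#include file="database_Function.asp"-->

    <%
    ' home.asp - lets a request through only when the id it carries is a
    ' session that usp_CheckSessionID still accepts; anything else is sent back
    ' to login.asp.  openDB(), objConn, rs and CloseDB() come from the include.
    Dim sTem, objCmd

    If Len(Request.QueryString("id")) = 0 Then
        Response.Redirect "login.asp"
    End If

    ' usp_CheckLogin hands the GUID to the caller as a uniqueidentifier, which
    ' ADO renders with braces ({...}); the stored column holds
    ' CONVERT(Varchar(255), ...) without them, so the braces are stripped before
    ' the lookup.  Lower-casing matches the original page.
    sTem = Trim(LCase("" & Request.QueryString("id")))
    sTem = Replace(sTem, "{", "")
    sTem = Replace(sTem, "}", "")

    ' The query string is untrusted: the original concatenated it into an
    ' EXECUTE string after removing only braces, so a quote still altered the
    ' SQL.  Binding it as a varchar(255) parameter removes that path.
    openDB()
    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandText = "usp_CheckSessionID"
    objCmd.CommandType = 4   ' adCmdStoredProc
    ' 200 = adVarChar, 1 = adParamInput; size matches the procedure's varchar(255)
    objCmd.Parameters.Append objCmd.CreateParameter("@sessionID", 200, 1, 255, sTem)
    Set rs = objCmd.Execute

    If rs.Fields(0).Value = -1 Then
        ' Response.Redirect ends the page, so the recordset and connection are
        ' released first; the original left both open on this path.
        rs.Close
        Set objCmd = Nothing
        CloseDB()
        Response.Redirect "login.asp"
    End If

    rs.Close
    Set objCmd = Nothing
    CloseDB()
    %>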


    In my database_Function.asp I have the following code:

    <%

    dim objConn,rs   ' shared ADODB.Connection opened by openDB, and the recordset the subs below fill

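    sub openDB()
        ' Creates the shared ADODB connection in objConn and opens it.
        ' The connection string is a single literal (it was line-wrapped in the
        ' listing, which VBScript does not allow inside a string).
        ' NOTE(review): UID/PWD are embedded in page source, so anyone who can
        ' read this file has the database login; keeping them outside the web
        ' root (for example an Application value set from global.asa) is the
        ' usual remedy.
        set objConn = Server.CreateObject("ADODB.Connection")
        objConn.Open "PROVIDER=SQLOLEDB;DATA SOURCE=127.0.0.1;UID=mama;PWD=papa;DATABASE=Godson"
    end sub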

    sub updateDB(SQL, rs)
        ' Opens the shared connection and executes SQL on it, handing the
        ' resulting recordset back through rs (passed by reference).
        ' NOTE(review): SQL is run exactly as supplied; callers that build it from
        ' request data should bind parameters with an ADODB.Command instead.
        Call openDB
        Set rs = objConn.Execute(SQL)
    end sub

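    sub getFromDB(SQL, rs, filename)
        ' Runs SQL through a read-only, static recordset and returns it in rs.
        ' filename is kept for signature compatibility; nothing here uses it.
        ' The ADO constants are written as literals: nothing on this page brings
        ' in adovbs.inc or the ADO type library, and an undefined
        ' adLockReadOnly/adOpenStatic silently evaluates to Empty (0), which is
        ' not the cursor asked for.  If the constants are defined elsewhere the
        ' values are the same.
        Call openDB
        Set rs = Server.CreateObject("ADODB.Recordset")
        rs.LockType = 1     ' adLockReadOnly
        rs.CursorType = 3   ' adOpenStatic
        rs.Open SQL, objConn
    end sub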

    sub closeDB()
        ' Closes and releases the connection that openDB created.
        ' objConn must hold an open connection here; pair every openDB with
        ' exactly one closeDB.
        objConn.Close
        Set objConn = Nothing
    end sub

    %>


    These are tables and procedures created in ms sql:

    -- tbl_users: one row per user, which also carries that user's current
    -- session.  SessionID is the primary key, so every row must hold a session
    -- value (NOT NULL) even before the user has logged in, and usID carries no
    -- UNIQUE constraint.  Password is stored as plain text and compared as such
    -- by usp_CheckLogin.
    create table tbl_users
    (
    SessionID varchar(255) Primary Key,   -- CONVERT(Varchar(255), NEWID()) written by usp_CheckLogin
    usID Varchar(20),
    Password Varchar(20),                 -- plain text
    LastUpdate Smalldatetime              -- refreshed by usp_CheckSessionID on each accepted check
    );



    Create Procedure usp_CheckSessionID
    @sessionID Varchar(255)
    As SET NOCOUNT ON

    -- Refreshes LastUpdate for @sessionID if that session was last used within
    -- the past 20 minutes.  Returns one row: 0 when the session is still live
    -- (and has just been refreshed), -1 otherwise.
    -- The UPDATE carries the same predicate the EXISTS check used, so
    -- @@ROWCOUNT (unaffected by NOCOUNT) says whether a live session matched.
    UPDATE tbl_users
       SET LastUpdate = GETDATE()
     WHERE sessionID = @sessionID
       AND DATEDIFF(n, LastUpdate, GETDATE()) <= 20

    IF @@ROWCOUNT > 0
        SELECT 0
    ELSE
        SELECT -1

    Return
    GO



    create procedure usp_CheckLogin
    @usID Varchar(20),
    @password varchar(20)
    As SET NOCOUNT ON

    -- Checks a user name / password pair against tbl_users.  On a match a new
    -- GUID is issued, stored as varchar together with the current time, and
    -- returned as a uniqueidentifier; otherwise the single value -1 is returned.
    -- The two branches therefore return different types; the ASP caller relies
    -- on that when it compares the value with -1.
    -- NOTE(review): the password is compared as plain text, and the UPDATE
    -- touches every row whose usID/password match, so duplicate user names would
    -- collide on the sessionID primary key.
    Declare @sessionID as UNIQUEIDENTIFIER
    Declare @session as Varchar(255)

    set @sessionID = NEWID()
    set @session = CONVERT(Varchar(255), @sessionID)

    -- Same predicate the original EXISTS check used; @@ROWCOUNT tells whether
    -- any row matched.
    Update tbl_users
       Set sessionID = @session, LastUpdate = GetDate()
     where usID = @usID and password = @password

    if @@ROWCOUNT > 0
        Select @sessionID
    else
        Select -1

    Return
    GO


    Everything works fine. However there is a problem. The problem is:

    My login.asp page requires me to enter the username and password. It
    works fine. When I enter a valid username and password it redirects
    me to home.asp with a link such as the following, for example
    http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF848150
    5}.

    This works fine. However, in terms of security this link
    http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF848150
    5} will keep working for as long as (SELECT top 1 * FROM tbl_users WHERE
    sessionID=@sessionID AND DATEDIFF(n,LastUpdate,GETDATE())<=20) holds, even when
    I close my browser window, open it again and type
    http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF848150
    5}.

    Is there a way to keep id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505} hidden
    across different pages for security purposes without using session
    variables, cookies or the query string?

    Your help is kindly appreciated.

    Regards

    Eugene Anthony

    *** Sent via Developersdex http://www.developersdex.com ***
     
    Eugene Anthony, Jul 4, 2005

  2. Why, do you think someone is going to be able to *GUESS* that GUID string?




    > Is there a way to keep id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505} hidden
    > across different pages for security purpose
     
    Aaron Bertrand [SQL Server MVP], Jul 6, 2005
