IE6 problems

[Graham Campbell]

I have a login script to a website where a user logs in through a
standard webform with a username and password that needs to be
validated. My problem is that IE6 doesn't seem to pick up on valid
username/password combinations and instead of forwarding the user to the
next page dumps them back at the login page.

My verification script is below:

<%
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1

user = trim(Request.form("username"))
password = trim(Request.form("password"))

if user = "" or password = "" then
Response.Write "please enter username and password"
else
ConnString = "Provider=Microsoft.Jet.OLEDB.4.0; Mode=ReadWrite;
Persist Security Info=True; Data Source=" &

Server.MapPath("member.mdb")

set my_conn= Server.CreateObject("ADODB.Connection")
set rs = server.CreateObject("ADODB.RecordSet")
my_conn.Open ConnString

rs.open "Select * from member where Name ='" & user & "' and
Password='" & password & "'", my_conn
if rs.eof then
Response.Write("Invalid Username/Password")'redirect invalid_page
'invalid password and redirect to login page
else
session("login") = "yes"
session("name") = rs("name")
'session("...") = rs("...")
' add session ..if you want to keep profile of your user.

Response.redirect valid_login

end if

rs.Close
my_conn.close
set my_conn = nothing
end if
%>

This all works fine in other browsers such as Firebird and Opera, even
earlier versions of IE work fine but I can't figure out whats wrong. I
would be most greatful for any assistance.

I'm rather new to ASP, so if my problem is glaringly obvious please
don't beat down on me too hard

Regards
Graham

 

[Curt_C [MVP]]

where is "valid_login" defined?

 

[Karim Dahdah]

Ouch,
I had found this one too some time ago. And the strange is that on my IE6
everything works fine,
but at a visitor's IE6 (with the same build) he couldn't log in.

Sessions are cookies. So, see in your cookies folder if they are made by the
browser. If it does, then
I don't know (sorry). If they aren't made, then have a look at the security
settings of IE6.
Another thing you can read about is P3P.

Good luck!

Karim

 

[Graham Campbell]

it's defined in an include file that i negelected to show in my original
post

i'm fairly certain that's not what's causing the problem here but any
suggestions would be most welcome

Graham

 

[TomB]

Are you using your Session to determine if someone is logged in or not?


Also, try putting your Select statement into a variable, and displaying
it.....

Dim sSQL
sSQL="Select * From Memeber Where Name='" & user & "'" AND Password='" &
password & "'"

Response.write sSQL
Response.flush


What would happen if a user put in

' or 'x' = 'x

for the username and the password?

You'd have a statement like.....
rs.open "Select * from member where Name='' or 'x'='x' and Password='' or
'x'='x'", my_conn

 

[TomB]

I assume you mean the 'x thing.
There's a good website about that (SQL Injection attack) but I can't
remember where it was right now.

Anyway, did you get your script working?

 

[Graham Campbell]

wow thanks. never even considered that!



Graham

 

[Graham Campbell]

Karim, you da man. Didn't even think to check the security settings.
Should have known better!

Thanks man!

Graham

 

[TomB]

Here it is......
www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3

 

[Graham Campbell]

I assume you mean the 'x thing.
There's a good website about that (SQL Injection attack) but I can't
remember where it was right now.

Anyway, did you get your script working?

Yeah, I got that part working at least lol. Thanks for the great help.

I'm working on a few pieces here and there for this same organisation.
Next on the list is working out how to parse thru a HTML template file
so that I know where to put some user input text! :S

I'm aware of the power that Perl's regex can provide here but not sure I
want to go down the route. Any suggestions?

Graham