Redirect not working first time in classic ASP

[Andrew Poulos]

I have a simple page with a form in it that gets posted to the following ASP

<%@ language="javascript" %>

<%
var login_success_page = "../intro.asp";
var login_failed_page = "../failed.asp";

// some db related code here

if (bError) {
Session("auth") = 0;
Response.Redirect(login_failed_page);
} else {
Session("auth") = 1;
Response.Redirect(login_success_page);
}


If I, in the form, I enter the appropriate information I get to the
intro page though if I don't enter the appropriate information I don't
get to the fail page. But if I click back to the form page from the
intro page and enter inappropriate information I do get the fail page.

I don't understand why it's not working the first time. If I hard code
the full path to failed .asp or use Server.MapPath("../") +
"failed.asp"; I get an error that reads "Object Moved The object may be
found here."

Andrew Poulos

 

[Mark J. McGinty]

I have a simple page with a form in it that gets posted to the following
ASP

<%@ language="javascript" %>

<%
var login_success_page = "../intro.asp";
var login_failed_page = "../failed.asp";

// some db related code here

if (bError) {
Session("auth") = 0;
Response.Redirect(login_failed_page);
} else {
Session("auth") = 1;
Response.Redirect(login_success_page);
}


If I, in the form, I enter the appropriate information I get to the intro
page though if I don't enter the appropriate information I don't get to
the fail page. But if I click back to the form page from the intro page
and enter inappropriate information I do get the fail page.

I don't understand why it's not working the first time. If I hard code the
full path to failed .asp or use Server.MapPath("../") + "failed.asp"; I
get an error that reads "Object Moved The object may be found here."

Consider that a redirect is implemented as a response to one request that
contains an instruction to "request it from [here] instead." In absence of
cache-control headers the browser is free to cache the initial response.
This is why an ASP script that posts to itself and conditionally redirects
is not a great design for a login mechanism: anything that caches a redirect
effectively bypasses ASP processing.

It's possible to append a date serial value for a dummy parameter to the URL
passed to Response.Redirect, as a "cache killer" for authentication purposes
it's a weak design. Instead, write a function that checks whether the user
has authenticated *and* generates your login page if not, in the context of
the original request. If the original request's method was "POST", the
function should copy any form values that were posted to it, to hidden
inputs in the login form, so that user input is not lost by authentication.
Then store the function in a file, server-side include that file in every
protected ASP page, and call the function before writing any other content
to the response.


-Mark