session

E

Eugene Anthony

In my login.asp I have the following code:

<!--#include file="database_Function.asp"-->

<%
Dim sSessionID, sMessage

If Len(Request.Form("cmdSubmit")) > 0 then

mySQL = "EXECUTE usp_CheckLogin @usid='" &
Trim(Lcase(Request.Form("usid"))) & "',@password='" +
Trim(Request.Form("password")) & "'"
call updateDB(mySQL, rs)

sSessionID = rs.Fields(0).Value
rs.close()
CloseDB()

end if

if Len(Trim(Lcase(Request.Form("usid")))) > 0 AND
Len(Trim(Request.Form("password"))) > 0 then

If sSessionID = -1 Then
SMessage = "username or password invalid"
else
response.write "<input type='hidden' name='sSessionID' value="
& sSessionID & ">"
Response.Redirect ("home.asp?id=" & sSessionID)
end if

end if
%>

<html><head><title>login page</title></head>
<body>
<form method="post" action="login.asp">
<table>
<tr><td colspan="2"><h3>Login Page</h3></td></tr>
<tr><td colspan="2"><% = sMessage%></td></tr>
<tr>
<td>user name<td>
<td><input type="text" name="usid"
value="<% = Request.Form("usID")%>"></td>
</tr>
<tr>
<td>password<td>
<td><input type="password" name="password"
value="<% = Request.Form("password")%>"></td>
</tr>
<tr>
<td> <td>
<td><input type="submit" name="cmdSubmit" value="login"></td>
</tr>
</table>
</form>
</body>
</html>


In my home.asp I have the following code:

<!--#include file="database_Function.asp"-->

<%
if Len(Request.QueryString("id")) = 0 then
response.redirect "login.asp"
end if

Tem = Trim(Lcase(Request.QueryString("id")))
Tem = replace(Tem,"{","")
Tem = replace(Tem,"}","")

mySQL = "EXECUTE usp_CheckSessionID @sessionID='" & Tem & "'"
call updateDB(mySQL, rs)

if rs.Fields(0).Value = -1 then
response.redirect "login.asp"
end if

CloseDB()
%>


In my database_Function.asp I have the following code:

<%

dim objConn,rs

sub openDB()

set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "PROVIDER=SQLOLEDB;DATA
SOURCE=127.0.0.1;UID=mama;PWD=papa;DATABASE=Godson"

end sub

sub updateDB(SQL,rs)

openDB()
set rs = objConn.Execute(SQL)

end sub

sub getFromDB(SQL,rs,filename)

openDb()

set rs = Server.CreateObject("ADODB.Recordset")
rs.lockType = adLockReadOnly
rs.cursorType = adOpenStatic
rs.Open SQL, objConn

end sub

sub closeDB()

objConn.Close
set objConn = nothing

end sub

%>


These are tables and procedures created in ms sql:

create table tbl_users
(
SessionID varchar(255) Primary Key,
usID Varchar(20),
Password Varchar(20),
LastUpdate Smalldatetime
);



Create Procedure usp_CheckSessionID
@sessionID Varchar(255)
As SET NOCOUNT ON

if EXISTS(SELECT top 1 * FROM tbl_users WHERE sessionID=@sessionID
AND DATEDIFF(n,LastUpdate,GETDATE())<=20)

begin
update tbl_users set LastUpdate = GETDATE() WHERE
sessionID=@sessionID
Select 0
end

else
Select -1

Return
GO



create procedure usp_CheckLogin
@usID Varchar(20),
@password varchar(20)
As SET NOCOUNT ON

Declare @sessionID as UNIQUEIDENTIFIER
Declare @session as Varchar(255)

if exists(Select top 1 * from tbl_users where usID=@usID AND
password=@password)

Begin
set @sessionID = NEWID()
set @session = CONVERT(Varchar(255),@sessionID)
Update tbl_users Set sessionID=@session,LastUpdate=GetDate() where
usID = @usID and password = @password
Select @sessionID
End

else
Select -1

Return
GO


Everything works fine. However there is a problem. The problem is:

In my login.asp page requires me to enter the username and password. It
works fine. When I enter a valid username and password it will redirect
me to home.asp with a link as followed for example
http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF848150
5}.

This works fine. However in terms of security this link
http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF848150
5} will work for as long as (SELECT top 1 * FROM tbl_users WHERE
sessionID=@sessionID AND DATEDIFF(n,LastUpdate,GETDATE())<=20) even when
I close my browser window, open it again and type
http://localhost/Eugene/home.asp?id={D8E3C5D2-DEFD-4F99-8F35-AC0CF848150
5}.

Is there a way to keep id={D8E3C5D2-DEFD-4F99-8F35-AC0CF8481505} hidden
across different pages for security purpose without using session
variables, cookies and querystring.

Your help is kindly appreciated.

Regards

Eugene Anthony
 
A

Aaron Bertrand [SQL Server MVP]

Why, do you think someone is going to be able to *GUESS* that GUID string?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

asp and ms sql 10
asp and ms sql 9
Arrays 0
Paging 0
-2147217900:Syntax error in INSERT INTO statement. 1
error if db search finds nothing 25
Dynamically add posted form items into array 1
Object required error 0

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top