This topic is locked
Login & Cookies..
Posted 24 Jul 2002 15:54:24
24 Jul 2002 15:54:24 Tony Chronopoulos posted:
Hello people! In my login.asp page, I have the login form (txtUsername, txtPassword, chk_remember) which, when submitted, goes to login1.asp. Login1.asp checks to see if the user exists and, if it does, is this next step correct? :
<pre>
<%
' Only fragments of this block survived; the line shapes follow the poster's
' later login1.asp, the username field follows the reply below (user_username),
' and the 365-day expiry is assumed from that later post.
if Request.Form("chk_remember") = "1" then
    Response.Cookies("username") = rsLogin.Fields.Item("user_username").Value
    Response.Cookies("username").Expires = Date + 365
    Response.Cookies("password") = rsLogin.Fields.Item("user_password").Value
    Response.Cookies("password").Expires = Date + 365
End if
%>
</pre>
I guess there are a few different ways to do the auto-login (when a user has cookies) - what would be the best method & the safest?
Thanks!
___________________
Lunch is on me!
Replies
Replied 25 Jul 2002 07:57:20
25 Jul 2002 07:57:20 aegis kleais replied:
I personally like using DateAdd() when adding time to a date. Also, I don't really see how your system is working. Basically it says "If REMEMBER me was checked, then set a cookie called Username and set it to a recordset's user_username field."
What query are you using to build that recordset?
Aegis Kleais
New Media Web Developer
(DWMX : IIS5.1 : SQL2K : WXP : ASP[VB/JS])
Replied 25 Jul 2002 15:47:05
25 Jul 2002 15:47:05 Tony Chronopoulos replied:
My site basically works like udzone: you can still browse the site if you don't log in, but you must log in to post and do other stuff, etc.
Now, I'm a beginner in ASP but I managed to get this to work. But I don't know how stable/secure it is. It's better than my first attempt of just storing the user_id in a cookie because I was able to edit the cookie to another number and gain full access to their account. hehe.
(login1.asp)
<pre>
<%
Dim rsLogin__strUsername
rsLogin__strUsername = "xyz"
if (Request.Form("txtEmail") <> "") then rsLogin__strUsername = Request.Form("txtEmail")
%>
<%
Dim rsLogin__strPassword
rsLogin__strPassword = "123"
if (Request.Form("txtPassword") <> "") then rsLogin__strPassword = Request.Form("txtPassword")
%>
<%
set rsLogin = Server.CreateObject("ADODB.Recordset")
rsLogin.ActiveConnection = MM_partenaire_STRING
rsLogin.Source = "SELECT user_email, user_password, user_id FROM tbl_users WHERE user_email = '" + Replace(rsLogin__strUsername, "'", "''") + "' AND user_password = '" + Replace(rsLogin__strPassword, "'", "''") + "'"
rsLogin.CursorType = 0
rsLogin.CursorLocation = 2
rsLogin.LockType = 3
rsLogin.Open()
rsLogin_numRows = 0
%>
<%
if rsLogin__strUsername <> "xyz" AND NOT rsLogin.EOF then
    if Request.Form("rememberEmail") = "1" Then
        Response.Cookies("userEmail") = rsLogin.Fields.Item("user_email").Value
        Response.Cookies("userEmail").Expires = Date + 365
    else
        Response.Cookies("userEmail") = ""
    end if
    if Request.Form("rememberPW") = "1" Then
        Response.Cookies("userPassword") = rsLogin.Fields.Item("user_password").Value
        Response.Cookies("userPassword").Expires = Date + 365
    end if
    session("svUserID") = rsLogin.Fields.Item("user_id").Value
    Response.Cookies("ckLoggedin") = "Loggedin"
    Response.Redirect "default.asp"
Else
    Response.Redirect "login.asp?status=Denied"
End if
%>
</pre>
(default.asp)
<pre>
<%
Dim varUserEmail
varUserEmail = "xyz"
if (Request.Cookies("userEmail") <> "") then varUserEmail = Request.Cookies("userEmail")
%>
<%
Dim varUserPassword
varUserPassword = "123"
if (Request.Cookies("userPassword") <> "") then varUserPassword = Request.Cookies("userPassword")
%>
<%
set conn = Server.CreateObject("ADODB.connection")
conn.Open MM_partenaire_STRING
SQL = "SELECT user_email, user_password, user_id FROM tbl_users WHERE user_email = '" + Replace(varUserEmail, "'", "''") + "' AND user_password = '" + Replace(varUserPassword, "'", "''") + "'"
Set rsCheckUser = conn.Execute(SQL)
if Not rsCheckUser.EOF Then
    Session("svUserID") = rsCheckUser.Fields.Item("user_id")
    Response.Cookies("ckLoggedin") = "Loggedin"
end if
%>
</pre>
___________________
Lunch is on me!
Edited by - bloodtrain on 25 Jul 2002 15:51:44
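The thread's question is what the safest way to do the cookie auto-login is. The login1.asp / default.asp above answer it by keeping the email and password in cookies and re-running the login query from them on every visit, which means a copied cookie is the password, and the earlier user_id-in-a-cookie attempt failed because the value was guessable. The usual alternative is a remember-me token: after the password has been checked once, issue a random token, store only its hash together with the user_id and an expiry, and on the next visit look the token up instead of the password. The block below is an added example of that pattern in Python, not code from the thread or from the poster's site; the USERS and TOKENS dicts stand in for tbl_users and a token table, and all function names, the 30-day lifetime and the selector/validator split are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed stand-in for tbl_users: user_id -> user_email. The password is
# checked once at form login and never needs to be in a cookie afterwards.
USERS = {42: "tony@example.invalid"}

# Constructed stand-in for a remember-me table (assumed name):
# selector -> (user_id, sha256(validator), expires_at)
TOKENS = {}

REMEMBER_DAYS = 30  # assumed lifetime; the thread's code uses Date + 365


def utc(year, month, day):
    """Fixed timestamps so the demo and tests are repeatable."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def issue_remember_token(user_id, now=None):
    """Run after a successful password login when 'remember me' is ticked.

    Returns the cookie value. The selector is the public lookup key; the
    validator is the secret half and is stored only as a hash, so a copy of
    the table does not yield working cookies.
    """
    now = now or datetime.now(timezone.utc)
    selector = secrets.token_urlsafe(9)
    validator = secrets.token_urlsafe(32)
    TOKENS[selector] = (
        user_id,
        hashlib.sha256(validator.encode()).digest(),
        now + timedelta(days=REMEMBER_DAYS),
    )
    return f"{selector}:{validator}"


def set_cookie_header(value):
    """Set-Cookie line for the token. HttpOnly keeps page scripts away from
    it, Secure keeps it off plain HTTP, Max-Age plays the role of .Expires."""
    return (f"Set-Cookie: remember={value}; Max-Age={REMEMBER_DAYS * 86400}; "
            "Path=/; HttpOnly; Secure; SameSite=Lax")


def user_from_remember_cookie(cookie_value, now=None):
    """The auto-login step (what default.asp does with its two cookies).

    Returns the user_id to put in the session, or None. Editing the cookie
    to another value gets nowhere: it carries no user_id, and the selector
    is random rather than sequential.
    """
    now = now or datetime.now(timezone.utc)
    if not cookie_value or ":" not in cookie_value:
        return None
    selector, validator = cookie_value.split(":", 1)
    record = TOKENS.get(selector)
    if record is None:
        return None
    user_id, stored_hash, expires_at = record
    if now >= expires_at:
        del TOKENS[selector]  # expired: clean up and deny
        return None
    presented = hashlib.sha256(validator.encode()).digest()
    if not hmac.compare_digest(presented, stored_hash):
        del TOKENS[selector]  # wrong validator: burn the selector
        return None
    return user_id if user_id in USERS else None


def revoke_user_tokens(user_id):
    """Logout everywhere / password change: drop every token for the user.
    Returns how many were removed."""
    doomed = [s for s, rec in TOKENS.items() if rec[0] == user_id]
    for s in doomed:
        del TOKENS[s]
    return len(doomed)


if __name__ == "__main__":
    cookie = issue_remember_token(42, now=utc(2002, 7, 25))
    print(set_cookie_header(cookie))
    print("next visit:", user_from_remember_cookie(cookie, now=utc(2002, 7, 26)))
    print("after expiry:", user_from_remember_cookie(cookie, now=utc(2002, 9, 1)))
```

With this layout the password never leaves the login form, a stolen cookie can be revoked server-side without changing the password, and the ckLoggedin cookie becomes unnecessary because the session is only ever populated from a token or a password check the server performed itself.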
Replied 25 Jul 2002 16:12:31
25 Jul 2002 16:12:31 Tony Chronopoulos replied:
If you like, you can take a look at it online.
The site is still under development.
You can use this to log in:
www.lepartenaire.com
email:
password: test
Tell me what you think!
Tony
Edited by - bloodtrain on 26 Jul 2002 00:01:48