ForumsAU.com - Forums in Australia for all people & subjects
A Basic ASP Login Script - MS Access Authentication
kevtherev
Forum Admin

Australia
352 Posts

Posted - 03 Jul 2009 : 10:12:57
Ever wanted to do your own login page with authentication against users in a database? Here's how, using HTML forms, ASP and MS Access.

HTML tags as follows:

<form name="login" action="login.asp" method="post"> 
<p> 
Username: <input type="text" name="username"> 
<p> 
Password: <input type="password" name="password"> 
<p> 
<input type="submit" name="submit" value="Log In"> 
</form> 

ASP code for login.asp:

<% 
On Error Resume Next    ' without this the Err.Number check below never sees an error
Dim dbUser 
session( "User" ) = Request.Form( "Username" ) 
session( "Password" ) = Request.Form( "Password" ) 

Set dbUser = Server.CreateObject( "ADODB.Recordset" ) 
' the username is concatenated straight into the SQL text (the replies below discuss why this matters)
dbUser.Open "SELECT * FROM User WHERE username = '" & session( "User" ) & "'", "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath( "dbyourdb.mdb" ) & "; PWD=yourpass" 
If Err.Number <> 0 Then 
    Response.Write "<SCRIPT>location.href = 'error.asp'</SCRIPT>" 
    Response.End 
End If 
On Error GoTo 0 

session( "Log" ) = False 
' dbUser.EOF is True when no row matched; reading Fields on an empty recordset raises an error 
If Not dbUser.EOF Then 
    ' both the username and the password must match the row that was found 
    If session( "User" ) = dbUser.Fields( "Username" ) And session( "Password" ) = dbUser.Fields( "Password" ) Then 
        session( "Log" ) = True 
    End If 
End If 
dbUser.Close 

If session( "Log" ) = True Then 
    Response.Write "<SCRIPT>location.href = 'Default.asp'</SCRIPT>" 
Else 
    Response.Write "<SCRIPT>location.href = 'error.asp'</SCRIPT>" 
End If 
%> 



Use the following on any page to see if they are logged in or not:

If session( "Log" ) = True Then 
    ' show your content 
Else 
    ' tell them to log in 
End If 


You need an Access database with a table called User which has the fields Username and Password.

The script to create new users is as follows:

HTML form:


 <form name="form1" method="post" action="newuser.asp"> 
Username: 
            <input type="text" name="username"> 
Password: 
            <input type="password" name="password1" maxlength="16"> 
Retype Password: 
            <input type="password" name="password2" maxlength="16"> 
      <input type="submit" name="Submit" value="Submit"> 
</form>  



The newuser.asp file is as follows:

<% 
Dim username, password1, password2, used, dbCheck, dbCreate, connStr 
username = Request.Form( "Username" ) 
password1 = Request.Form( "Password1" ) 
password2 = Request.Form( "Password2" ) 
' double any single quote so it cannot end the quoted value in the INSERT below 
username = Replace( username, "'", "''" ) 
password1 = Replace( password1, "'", "''" ) 
password2 = Replace( password2, "'", "''" ) 
used = False 

If username = "" Then 
    Response.Redirect( "error.asp" )    ' Redirect ends the response; nothing below runs 
End If 
If password1 <> password2 Then 
    Response.Write "<SCRIPT>location.href = 'error.asp'</SCRIPT>" 
    Response.End 
End If 

connStr = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath( "dbyourdb.mdb" ) & "; PWD=yourpass" 

' walk the User table to see whether the name is already taken 
Set dbCheck = Server.CreateObject( "ADODB.Recordset" ) 
dbCheck.Open "SELECT username FROM User", connStr 
While Not dbCheck.EOF 
    If username = dbCheck.Fields( "username" ) Then 
        used = True 
    End If 
    dbCheck.MoveNext 
Wend 
dbCheck.Close 

If used = False Then 
    Set dbCreate = Server.CreateObject( "ADODB.Connection" ) 
    dbCreate.Open connStr 
    dbCreate.Execute "INSERT INTO User ( username, password ) VALUES ( '" & username & "', '" & password1 & "' )" 
    dbCreate.Close 
    Response.Write "<SCRIPT>location.href = '/'</SCRIPT>" 
Else 
    Response.Write "<SCRIPT>location.href = 'error.asp'</SCRIPT>" 
End If 
%> 



This article was originally written by psike

Thanks from Kev - Forum and Site Admin - Want to know what I am up to these days? See the latest website I am working on - http://www.VintageAntiqueRetro.com - A free Classifieds site for Vintage Antique Retro Collectables :)

davo
Commander

110 Posts

Posted - 28 Jul 2009 : 17:55:55
I am interested in this: what protection does the above supply? For example, if I enter in the username field for the login form:

bobby'; DROP TABLE User;'

as the username? There doesn't appear to be any protection against this, as in newuser.asp?

Sorry if there is something I am missing here, I am not familiar with ASP.

Godless Heathen

davo
Commander

110 Posts

Posted - 31 Jul 2009 : 18:58:37
Actually, I talked to my brother, who is a Windows programmer, and I am right.

Before following the above script, make sure you sanitize the input on the login SQL call; otherwise you basically allow anyone access to your whole database.

kevtherev
Forum Admin

Australia
352 Posts

Posted - 08 Aug 2009 : 21:52:24
The above script is a bare bones basic script to get first timers and noobs started. True, you should always sanitise, and use SSL, MD5 challenge encryption or similar on the passwords. I also use Windows authentication as well, which pretty much makes it bullet proof; however, you do need to login twice.

Windows Authentication by itself is a nightmare, but couple it with a web page login and the two hold everything secure.

I would be curious how you could break it or SQL inject into the shown example. As yet I have not seen any breach; whether so far that is just luck, divine intervention, lack of awareness or whatever, I would like to see how to break it, so as I can then find a way to fix it further.

The reason I posted this was that I got a request from an old employee trying to make a quick secured section on his web page; hopefully he goes further than just cut and paste.

Good input - I love people who think about things, with real security on their mind.


davo
Commander

110 Posts

Posted - 10 Aug 2009 : 10:52:02
If you look at newuser.asp you will see it sanitizes the input like so:

username = Replace( username, "'", "''" )
password1 = Replace( password1, "'", "''" )
password2 = Replace( password2, "'", "''" )

However, the login takes the username and adds it directly to a SQL statement:

SELECT * From User WHERE username = '" & session( "User" ) & "'

This means that if, in the username login box, you add, as I said:

bobby'; DROP TABLE User;'

it will take that and create the SQL call:

SELECT * From User WHERE username = 'bobby'; DROP TABLE User;''

and pass that directly to the database, in effect passing 2 SQL statements, the second dropping (deleting) your user table in the database.

Something like that; I haven't got Windows so can't test.

As per newuser, stripping out ' and " from the input helps protect against that.

Classic SQL injection really ...

Edited by - davo on 10 Aug 2009 10:53:25
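As an added example that is not part of the original post, here is the login lookup from the first post rewritten so the username reaches Access as a bound ADODB.Command parameter instead of being concatenated into the SQL text, which is the fix for the problem davo describes above. It assumes the same database file, table and columns as the first post (dbyourdb.mdb, table User with Username and Password, PWD=yourpass); the ADO constant values are hard-coded so adovbs.inc does not have to be included, and the plain-text password is no longer copied into the session since only the Log flag is ever read back.

```vbscript
<%
' Added example, not code from the original post. Same assumptions as the
' thread: dbyourdb.mdb, table User, columns Username and Password, PWD=yourpass.
Option Explicit
Const adVarWChar = 202       ' ADO DataTypeEnum / ParameterDirectionEnum / CommandTypeEnum
Const adParamInput = 1       ' values, hard-coded so adovbs.inc is not needed
Const adCmdText = 1

Dim connStr, conn, cmd, rs, formUser, formPass

connStr = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & _
          Server.MapPath( "dbyourdb.mdb" ) & "; PWD=yourpass"

formUser = Request.Form( "Username" )
formPass = Request.Form( "Password" )
session( "Log" ) = False

Set conn = Server.CreateObject( "ADODB.Connection" )
conn.Open connStr

Set cmd = Server.CreateObject( "ADODB.Command" )
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? placeholder is filled in by the driver at execution time. Whatever was
' typed into the form is handed over as one string value and is never parsed
' as SQL, so the input from davo's post just looks up a user with that literal
' name and matches no row. [User] is bracketed because User is an Access
' reserved word.
cmd.CommandText = "SELECT Username, Password FROM [User] WHERE Username = ?"
cmd.Parameters.Append cmd.CreateParameter( "username", adVarWChar, adParamInput, 255, formUser )

Set rs = cmd.Execute

' rs.EOF is True when nothing matched; reading rs.Fields then would raise an error
If Not rs.EOF Then
    ' Passwords are stored in clear text in the original post, so this compares
    ' them as-is; a stored hash would be checked at this point instead.
    If StrComp( formPass, rs.Fields( "Password" ).Value, vbBinaryCompare ) = 0 Then
        session( "User" ) = rs.Fields( "Username" ).Value
        session( "Log" ) = True
    End If
End If

rs.Close
conn.Close

If session( "Log" ) = True Then
    Response.Redirect "Default.asp"
Else
    Response.Redirect "error.asp"
End If
%>
```

The same pattern (a CommandText with ? placeholders plus one CreateParameter per value) applies to the INSERT in newuser.asp, at which point the Replace( ..., "'", "''" ) lines are no longer needed and the stored username is no longer altered by the escaping.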
ForumsAU.com - Forums in Australia for all people & subjects © 2005 to 2013 forumsau.com