How to Make Very Simple ASP.Net Password Protected Page - asp.net

I am looking for a very simple solution to password protect an ASP.Net page.
I found exactly what I am looking for here but it is in ASP and I do not know the syntax to convert it to ASP.Net.
It simply creates a temporary cookie that will expire as soon as they close their browser window.
I am not looking to store the username / password in a db. I will manually change the password occasionally.
Simply helping me convert the following code to ASP.Net would be wonderful!
This goes on the logon.aspx page and pulls values from a form.
Username="Administrator"
Password="Admin"
Validated = "OK"
if Strcomp(Request.Form("User"),Username,1)=0 AND Request.Form("password") = Password then
    Response.Cookies("ValidUser") = Validated
    If (Request.QueryString("from")<>"") then
        Response.Redirect Request.QueryString("from")
    else
        Response.Redirect "MyPage.aspx"
    End if
Else
    If Request.Form("User") <> "" then
        Response.Write "<h3>Authorization Failed.</h3>" & "<br>" & _
            "Please try again.<br> <br>"
    End if
End if
This goes on the password protected page to confirm the cookie was created.
Validated = "OK"
if Request.Cookies("ValidUser") <> Validated then
    dim s
    s = "http://"
    s = s & Request.ServerVariables("HTTP_HOST")
    s = s & Request.ServerVariables("URL")
    if Request.QueryString.Count > 0 THEN
        s = s & "?" & Request.QueryString
    end if
    Response.Redirect "Logon.aspx"
End if

Just use the built-in forms authentication and set up your credentials store in the web.config.
Here's a quick and dirty example
Another example
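
The setup the answer describes, as an added example (not from the original answer or its linked pages): credentials kept in web.config and checked by forms authentication, which issues a signed, encrypted ticket instead of a fixed cookie value. The control names (txtUser, txtPassword, lblError, btnLogin) and HASH-PLACEHOLDER are assumptions; the web.config part is shown as comments.

```vbnet
' web.config, inside <system.web> (the credentials store):
'   <authentication mode="Forms">
'     <forms loginUrl="Logon.aspx" defaultUrl="MyPage.aspx" requireSSL="true">
'       <credentials passwordFormat="SHA1">
'         <user name="Administrator" password="HASH-PLACEHOLDER" />
'       </credentials>
'     </forms>
'   </authentication>
'   <authorization>
'     <deny users="?" />   <!-- anonymous requests are sent to Logon.aspx -->
'   </authorization>
' HASH-PLACEHOLDER stands for the hex string returned by
' FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1").

Imports System
Imports System.Web.Security

' Code-behind for Logon.aspx; the controls are assumed to exist on the page.
Partial Public Class Logon
    Inherits System.Web.UI.Page

    Protected Sub btnLogin_Click(sender As Object, e As EventArgs) Handles btnLogin.Click
        ' Checks the pair against the <credentials> section above.
        If FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text) Then
            ' False = non-persistent ticket cookie, dropped when the browser closes.
            ' The redirect goes back to the ReturnUrl value ASP.NET added, or to defaultUrl.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, False)
        Else
            lblError.Text = "Authorization failed. Please try again."
        End If
    End Sub
End Class
```

FormsAuthentication.Authenticate and the credentials section are marked obsolete from .NET Framework 4.5 in favour of the Membership APIs, and the stored hashes are unsalted, so this fits only the small, manually maintained case in the question.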

Related

Session timed out when POST/GET. Allow login, then post data

Classic asp.
Sometimes the session has timed out while the user has filled out a large form.
Currently the user just gets "you are not logged in", and the login-form.
When the user logs in again, (s)he has to start over, and navigate to the previous form to fill it out again.
I'd like to just submit the formdata again, if the user logs in successfully.
There are many forms/pages in the system, so the login-check is in a common include-file.
Hi Leif, session time is for the server to control the data keeping time; maybe you can use a cookie for your issue because it is controlled by the client (browser). Hopefully my idea can help you. Thanks, Willie
Classic ASP, our "One Way" posting code.
I set a cookie and save the cookie to the members table.
The cookie doesn't need to be anything fancy, date, name, IP, session works just fine. Encode them SHA256 with a Salt.
The idea is to use this special cookie if on a forms page and their user session has been lost or timed out.
Basic setup: (Not complete code just enough to get the idea and flow)
Login page.
Create SHA256 Hash
Save as Cookie
SetKeysCookie "CookieName","LostSession",strSHA256Hash,"mysite.ext","1"
Sub SetKeysCookie(strCookieName,strCookieKey,strCookieValue,strCookieDomain,strCookieExpires)
    Response.Cookies(strCookieName).Expires = DateAdd("d",strCookieExpires, Now())
    Response.Cookies(strCookieName).Domain = strCookieDomain
    Response.Cookies(strCookieName).Path = "/"
    Response.Cookies(strCookieName)(strCookieKey) = strCookieValue
    Response.Cookies(strCookieName).Secure = True
End Sub
Optional: I use the HTTP_Cookie which would be as follows.
Sub SetKeysCookieHttpOnly(strCookieName,strCookieKey,strCookieValue,strCookieDomain,strCookieExpires)
    strGMTDateRFC22 = CookieServerUTC("d","&strCookieExpires&",5,"GMT") ' 1 Day set in char enc dec page
    ' Secure and HttpOnly have to be written into the header by hand when the cookie is set this way.
    Response.AddHeader "Set-Cookie", strCookieName & "=" & strCookieKey & "=" & strCookieValue & "; expires=" & strGMTDateRFC22 & "; domain="& strCookieDomain &"; path=/; Secure; HttpOnly"
End Sub
Update members database:
UPDATE Member SET LostSession='"&strSHA256Hash&"' WHERE ID = "&id&"" .....
On forms page:
Check Session on Post... If Session = NULL then
Check if Cookie is set.
Get the cookie
Old method: Request.Cookies("CookieName")("LostSession")
New HTTP_Cookie
strCookieX = Request.ServerVariables("HTTP_COOKIE")
If InStr(strCookieX,"LostSession=") Then
    j = InStrRev(strCookieX, "LostSession=")
    if j > 0 Then
        strCookieTEMP = Mid(strCookieX, j+12)
    end if
    j = 64
    if j > 0 Then
        strCookieTEMP = Left(strCookieTEMP, j-0)
    End If
    strCookie = strCookieTEMP
End If
The above will pull all your HTTP cookies and then search for your LostSession cookie.
Because we know the fixed length we can pull it cleanly.
Next on the form we check to see which member this cookie is assigned to.
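' The cookie value comes from the client, so it is bound as a parameter instead of being concatenated into the SQL text.
' Conn is assumed to be an open ADODB.Connection.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = Conn
cmd.CommandText = "SELECT TOP 1 ID,Email,ClientID,LostSession FROM Members WHERE LostSession = ?"
cmd.Parameters.Append cmd.CreateParameter("LostSession", 200, 1, 64, CStr(strCookie)) ' 200 = adVarChar, 1 = adParamInput
Set rs = cmd.Execute
If rs.EOF=False Then
    Session("id") = rs("ID")
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing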
When found, we set the minimum Session Variables to allow this post to complete.
Session("id") or Session("authorized") whatever you need to complete the post.
At the end of the post, as we successfully submitted the form we now can send the session failed user to the login page.
Session.Abandon
sRedirectPage = "https://domain.ext/logout.asp"
Response.Status="403.6 IP Restricted"
Response.AddHeader "Location",sRedirectPage
Response.end
You should be able to see the different parts of the http cookie method of saving a session that has timed out.
If you need anything just ask.
Murray
My solution is, in the header file included on all pages, if the user is logged out, create a form with all post and get values hidden, and the username/password field visible.
User then re-enters the username and password, and submits the form.
If the user is then successfully logged in, the script continues and processes the data.
It will not work for uploads, but this is rarely used anyway.

update Master page label with username without pulling from session

On my site I display a logged in username on the master page (in a label). This is done as below, by pulling the username from the session object and putting it into the label on the master page, in the Page_Init page event. My problem is that I am bypassing the session now because of timeout issues I won't bore you all with, but now I need to change the code to pop the username into the master page label once, then not try to access the session again, as it clears after around 10 minutes due to the IIS pool. I realise I could open a new connection to the database each time the master page loaded to retrieve the user name, but I thought there might be an easier way than that. Any help would be really appreciated.
Protected Sub Page_Init(sender As Object, e As System.EventArgs) Handles Me.Init
    txtUserInfo.Text = (Session("name") & " [ " & Session("org") & " ]")
End Sub
For the user name alone Humpy's reply would suffice (assuming the thread principal/identity is populated correctly). If you need more bits of information you could use cookies:
After login, set the cookie with a reasonable expiration:
Response.Cookies["userInfo"]["name"] = "currentUsername";
Response.Cookies["userInfo"]["org"] = "currentOrg";
Response.Cookies["userInfo"].Expires = DateTime.Now.AddDays(1);
On subsequent requests you can pull the data out of the cookie:
if (Request.Cookies["userInfo"] != null)
{
    HttpCookie c = Request.Cookies["userInfo"];
    // C# concatenates strings with +, not &
    txtUserInfo.Text = Server.HtmlEncode(c["name"]) + " [" + Server.HtmlEncode(c["org"]) + "]";
}
See here for more details: http://msdn.microsoft.com/en-us/library/ms178194.ASPX
You should be able to use..
txtUserInfo.Text = User.Identity.Name;
This is how I use mine. Once the user logs in, displays the user's names perfectly. Hope this helps!

Converting SMTP Mailer to CDOSYS in classic ASP for contact form

I am currently in the process of updating many test sites on an old server so that they won't break when the old server gets discontinued in the next couple months. The contact form for one site in particular is already broken. When a user clicks on submit after filling in their information, they are presented with this error:
Server object error 'ASP 0177 : 800401f3'
Server.CreateObject Failed
/contactsubmit.asp, line 79
800401f3
Set Mailer = Server.CreateObject("SMTPsvg.Mailer")
Mailer.FromName = "Web Visitor"
If request("email") <> "" then
    Mailer.replyto = request("email")
Else
    Mailer.replyto = "noEmailEntered@domain.com"
End If
Mailer.FromAddress = "my@email.com"
Mailer.RemoteHost = "hostserver"
If TempTest = TRUE then
Else
    Mailer.AddRecipient siteOwner, ContactEmail
    If ContactCC <> "" then
        Mailer.AddCC siteOwner, ContactCC
    End If
End If
If DesignerEmail <> "" then
    Mailer.AddBCC DesignerEmail, DesignerEmail
End If
Mailer.Subject = siteOwner & " Contact Form"
Mailer.ContentType = "text/html"
Mailer.BodyText = strBody
If Mailer.SendMail then
    response.redirect "contact.asp?sent=yes"
Else
    response.redirect "contact.asp?sent=no"
End If
I was told that SMTP isn't the way that emails need to get sent anymore so I tried changing it all to CDOSYS. But the funny thing is, there are a lot more sites on this server that I have tested using the same SMTP code that work.
Changes using CDOSYS:
Set Mailer = Server.CreateObject("CDO.Message")
Mailer.From = "Web Visitor <my@email.com>"
If request("email") <> "" then
    Mailer.ReplyTo = request("email")
Else
    Mailer.ReplyTo = "noEmailEntered@domain.com"
End If
Mailer.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "hostserver"
If TempTest = TRUE then
Else
    Mailer.AddRecipient siteOwner, ContactEmail
    If ContactCC <> "" then
        Mailer.Cc siteOwner, ContactCC
    End If
End If
If DesignerEmail <> "" then
    Mailer.Bcc DesignerEmail, DesignerEmail
End If
Mailer.Subject = siteOwner & " Contact Form"
Mailer.HTMLBody = strBody
If Mailer.Send then
    response.redirect "contact.asp?sent=yes"
Else
    response.redirect "contact.asp?sent=no"
End If
But now I get this error:
Microsoft VBScript runtime error '800a01b6'
Object doesn't support this property or method: 'Mailer.AddRecipient'
/contactsubmit.asp, line 89
I have tried changing it to Mailer.Add and to Mailer.AddAddress with no luck. Does anyone know how I can get around this error and hopefully get this to work? I've never worked with mail servers before so I apologize if this is an easy fix, but I've searched for the past 3 hours and can't come up with a good alternative to .AddRecipient.
The CDO.Message object simply has the string properties of To, Cc and Bcc to which you assign a standard semi-colon delimited list of smtp email addresses for example:
"Joe Bloggs" <joeB@somecompany.com>; "Fred Smith" <fSmith@smiths.co.uk>
Try to execute the below simplest way of sending mail using CDO and then take the relevant fields from it and apply to your script:
Set myMail=CreateObject("CDO.Message")
myMail.Subject="Sending email with CDO"
myMail.From="mymail@mydomain.com"
myMail.To="someone@somedomain.com"
myMail.TextBody="This is a message."
myMail.Send
set myMail=nothing
As you can see the way to add recipient is like this:
myMail.To="someone@somedomain.com"
You can see more examples here
Hope this helps.

Display Message to user and then abandon Session

I have added Two Factor Authentication to my Mobile ASP.Net Web App. When the user successfully enters their User Name and Password then a pin number is emailed to their email address which is stored in the database. The issue I am having is that I want to notify the user that they don't have an email defined and then reload the login page, but my code isn't notifying the user; rather, it is just reloading the Login.aspx page:
Private Sub GeneratePin()
    Dim r As New Random(System.DateTime.Now.Millisecond)
    _Pin = CStr(r.Next(1000, 99999))
    _email = CIAppGlobals.CurrentUser.UsrContactEmail
    With lblPin
        .Text = "PIN has been emailed to the you please check your email now."
    End With
    If Not String.IsNullOrEmpty(_email) Then
        Dim Message As String = " Your Mobile PIN number is " & _Pin & vbNewLine & "From IP Address: " & CIAppGlobals.AppSettings.ClientIP
        Tools.SendEmail(CIAppGlobals.CurrentUser.UsrContactEmail, "Mobile App - Two Factor Authentication", Message)
    Else
        Dim sText As String = "Please contact the Administrator You do not have an email address defined within Application."
        'DirectCast(HttpContext.Current.Handler, System.Web.UI.Page).ClientScript.RegisterStartupScript(Me.[GetType](), "test", "alert('" & sText & "')", True)
        Response.Write("<script>alert('" & sText & "');</script>")
        Thread.Sleep(5000)
        'Session.Abandon()
        'FormsAuthentication.SignOut()
        Response.Redirect(ParentFolder & "/Login.aspx")
    End If
End Sub
Your call to Response.Redirect() is causing anything you output not to be displayed. You need to remove that, then output a link or some javascript to go to the login page.
Also: you need to remove the call to Thread.Sleep(). That is causing a needless delay and keeping an asp.net thread busy doing nothing. It's not doing what you think it is...
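
An added example, not part of the question or the answer: GeneratePin above seeds Random with DateTime.Now.Millisecond, which has only 1,000 possible values, so the emailed PIN is one of at most 1,000 candidates. One way to issue and check the PIN with a cryptographic generator, an expiry and an attempt limit; PinChallenge, its members and the limits chosen are assumptions.

```vbnet
Imports System
Imports System.Security.Cryptography

' Added example; PinChallenge, MaxAttempts and Lifetime are hypothetical names.
Public Class PinChallenge
    Private Const MaxAttempts As Integer = 5
    Private Shared ReadOnly Lifetime As TimeSpan = TimeSpan.FromMinutes(10)
    Private ReadOnly _pin As String
    Private ReadOnly _expiresUtc As DateTime
    Private _failures As Integer

    Public Sub New(Optional digits As Integer = 6)
        _pin = NewPin(digits)
        _expiresUtc = DateTime.UtcNow.Add(Lifetime)
    End Sub

    ' Pass this to the mailer only; do not log it or write it into the page.
    Public ReadOnly Property Pin As String
        Get
            Return _pin
        End Get
    End Property

    ' Fixed-width numeric PIN from the OS CSPRNG instead of a clock-seeded Random.
    Public Shared Function NewPin(digits As Integer) As String
        If digits < 4 OrElse digits > 9 Then Throw New ArgumentOutOfRangeException("digits")
        Dim range As UInteger = CUInt(10 ^ digits)
        ' Rejection sampling: values at or above the last whole multiple of
        ' range would favour the low PINs, so they are drawn again.
        Dim limit As UInteger = UInteger.MaxValue - (UInteger.MaxValue Mod range)
        Dim buf(3) As Byte
        Dim value As UInteger
        Using rng As New RNGCryptoServiceProvider()
            Do
                rng.GetBytes(buf)
                value = BitConverter.ToUInt32(buf, 0)
            Loop While value >= limit
        End Using
        Return (value Mod range).ToString("D" & digits)
    End Function

    ' True only for the right PIN, before expiry, within the attempt budget.
    Public Function Verify(candidate As String) As Boolean
        If _failures >= MaxAttempts OrElse DateTime.UtcNow > _expiresUtc Then Return False
        If String.Equals(candidate, _pin, StringComparison.Ordinal) Then Return True
        _failures += 1
        Return False
    End Function
End Class
```

Keep the PinChallenge instance in server-side state for the pending login (for example Session), call Verify on the posted value, and discard the instance after the first success.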

How to find out if a currently logged in user belongs to a specific security group in classic asp

I need to find out if a specific user belongs to a particular group for an asp website. In asp.net I know we have the option 'System.Web.HttpContext.Current.User.IsInRole'. I want to know if we have any alternative for this in classic asp. Is there any other way this can be achieved?
If you're using VB Script in your .ASP page, you could use something like this
<%
strDomain = "YOURDOMAIN"
strUserName = "USERACCOUNT"
strGroupName = "Domain Users"
Set ObjUser = Getobject("WinNT://" & strDomain & "/" & strUserName & ",user")
For Each objGroup in ObjUser.Groups
    If UCase(strGroupName) = UCase(objGroup.Name) Then
        'Found a match!
    End If
Next
%>
