Print Page | Close Window

user log-in and page restriction

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Classic ASP Discussion
Forum Description: Discussion on Active Server Pages (Classic ASP).
URL: https://forums.webwiz.net/forum_posts.asp?TID=6469
Printed Date: 31 March 2026 at 3:07pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: user log-in and page restriction
Posted By: dizzyfunk
Subject: user log-in and page restriction
Date Posted: 16 October 2003 at 8:05am

i have a users profile page where a user can view/update their info.

i need to put user log-in and restriction so that the user can't change the 'USERID' number in the querystring and see somebody elses information/details.

the user will login with their username (email address) and password. also in the database there is a unique userid number.

so i need to have a login page that takes the user to user_profile.asp?userId=15

i need to prevent the user from changing it to user_profile.asp?userId=23 and veiwing someone elses details.


Replies:
Posted By: MorningZ
Date Posted: 16 October 2003 at 8:29am

you do a check like (and this is assuming your login scheme is somehow holding the User's id in a session variable since that's locked into them):

if Session("UserID") <> Request.QueryString("UserID") then
  'Transfer them the hell out of here
end if



-------------
Contribute to the working anarchy we fondly call the Internet

Posted By: dizzyfunk
Date Posted: 16 October 2003 at 8:52am

it is.. but it's d'weaver code and i can't make sense of it!!

surely there's an easier way than having all that code??

i need to get the id_c from the DB and tag it on the end of the 'user_profile.asp' bit. al the 'MM's are confusing!!

-------------------

MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("email"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization="id_c"
  MM_redirectLoginSuccess="user_profile.asp"
  MM_redirectLoginFailed="login.asp?access=denied"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_connIRS_STRING
  MM_rsUser.Source = "SELECT email_c, password_c"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  MM_rsUser.Source = MM_rsUser.Source & " FROM resource_t WHERE email_c='" & Replace(MM_valUsername,"'","''") &"' AND password_c='" & Replace(Request.Form("pword"),"'","''") & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And false Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If


Print Page | Close Window

Forum Software by Web Wiz Forums® version 12.08 - https://www.webwizforums.com
Copyright ©2001-2026 Web Wiz Ltd. - https://www.webwiz.net