Topic awaiting preservation: Adding a secure section to your website (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=31587" title="Pages that link to Topic awaiting preservation: Adding a secure section to your website (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: Adding a secure section to your website <span class="small">(Page 1 of 1)</span>\$

Blaise Paranoid (IV) Inmate From: London Insane since: Jun 2003	posted 01-13-2010 10:25 Hello, I've picked up a project that's a bit of a Frankenstein between old ASP and HTML, it's a website that has a client access area which starts with a login page that checks for a username and password and then (depending on a match) will redirect the user to a specific clients subdirectory. The login works by having an HTML form submit to an ASP page, this page has logic to check for a username and password match (the usernames and passwords are hard coded into this page), it also sets a session. the pages that it redirects to are only HTML though, so I'm convinced the session isn't being used to validate authentication. Sure enough if you try and navigate directly to a clients subdirectory you can access their files, this isn't acceptable. As I don't want to rename all pages to .asp and add a session check, I would like to know if there's a way to use this authentication across the board, perhaps using the .htaccess file? I'm not familiar with using this so any help or links would be appreciated. Also will I be able to stop search engines indexing the folders here too? TIA, Cheers, Blaise
kimson Paranoid (IV) Inmate From: Mercury City Insane since: Jan 2005	posted 01-13-2010 10:44 quote: Blaise said: Also will I be able to stop search engines indexing the folders here too? I believe robots will not attempt to reach your folder's content if it requires login ? this topic gives the beginning of an answer on how to enable indexing. But you can also use rules in the robots.txt file, in order to make sure that all your restricted pages are not indexed.
Blaise Paranoid (IV) Inmate From: London Insane since: Jun 2003	posted 01-13-2010 11:38 Or Global.asa files, is this what I'm looking for? It appears that this is an IIS server as ASP works, is .htaccess only for Apache?
kimson Paranoid (IV) Inmate From: Mercury City Insane since: Jan 2005	posted 01-13-2010 13:24 I've never heard of the possibility of specifying some indexing options in a Global.asa file personally. The answer I gave you was specifically for your indexing issue, and I don't think you can resolve it with a Global.asa file ? but I might be wrong.
argo_navis Nervous Wreck (II) Inmate From: Insane since: Apr 2008	posted 01-13-2010 14:13 I take it you are running an IIS server? In that case, .htaccess isa useless. Depending on versions, ISAPI filters might be needed (plain vanilla asp) or you'll have to configure roles in asp.net. .htaccess is for Apache. .asa files (so I believe it's ASP 3) will do for the first part, don't remember the details but you get application-wide variables (so you could easily compare a username to a directory structure, Server.MapPath should give you the directory, Split, split the string, etc. The last part, though, blocking bots, is, again, defined either at web user/role level (.Net), or using an ISAPI filter like : http://weblogs.asp.net/scottgu/archive/2007/03/04/tip-trick-integrating-asp-net-security-with-classic-asp-and-non-asp-net-urls.aspx And yeah, I sort of sold my soul to 'crosoft (just kidding, am still the same good ol' polyvalent me). Now where was that java question... (Edited by argo_navis on 01-13-2010 14:14)
Blaise Paranoid (IV) Inmate From: London Insane since: Jun 2003	posted 01-13-2010 14:15 Ok, so I've created a robots.txt to manage search engines, and I've checked out a Global.asa file to create a global session I can check against the users current session, I guess I will need to convert all HTML pages to ASP pages though to get this to work, sigh
argo_navis Nervous Wreck (II) Inmate From: Insane since: Apr 2008	posted 01-13-2010 14:16 Blaise : check the above link, it contains everything you need to know.
Blaise Paranoid (IV) Inmate From: London Insane since: Jun 2003	posted 01-13-2010 16:03 Unfortunately I don't have access to the WebServer to make these changes. However I have soldiered ahead with changing all HTML files to ASP, and added a security check to the top of each page, however I've realised a problem. The username and password combination sets the Session("access") variable to the client name, and redirects the user to their specific subfolder. My problem is that there's no check for authenticated clients going from one folder to the next, here's the code I used. code: <% IF NOT Application("session") = Session("access") OR Application("session") = "" THEN Response.Redirect("../index.html") END IF %> So this will stop people that haven't logged in basically, but doesn't successfully check differences between the Application("session") and Session("access") because these two are set to be the same when a user logs in. I'm thinking the only way I can check that the user is in the right place is by checking the folder structure matches the session name (which they all do currently, and I could enforce the naming convention), but I don't know how to do that accurately, or if it's the best solution.
argo_navis Nervous Wreck (II) Inmate From: Insane since: Apr 2008	posted 01-14-2010 01:53 Okay, bear with me... You could, say, create an "Object" with session scope in the global.asa How-to : http://www.w3schools.com/ASP/asp_globalasa.asp Then, once the user is logged in, assign his username to that object. And then, in each script (yeah, I know), include a Sub which will split the current path ( Server.MapPath("/") ) and test is the username is present within it. ...Do you see what I mean here?
argo_navis Nervous Wreck (II) Inmate From: Insane since: Apr 2008	posted 01-14-2010 07:47 ....In the 21st century, that "post too old" feature is a really terrible idea Yes, it enforces responsibility, but it's a pain in the rear. Since I can't edit : http://www.christopherjason.com/asp/includes-using-asp-classic/ Good option : you got your username in a variable, now create an include file with a procedure that, indeed, compares the current file / folder path to that username, and slap it in all pages you want to control. It's been a while since I last used ASP classic, but I strongly believe it's your best option in this case.
Blaise Paranoid (IV) Inmate From: London Insane since: Jun 2003	posted 01-14-2010 11:00 This is the code I ran with in the end. Global.asa code: sub Session_OnStart Application("session")="" end sub Authenticate.asp (This is where my form submits to) code: password = LCase(Request.Form("pword")) user = LCase(Request.Form("uname")) location = "" Session("access") = "" IF (user = "test" AND password = "testpass") Then Session("access") = "test_account" location = "test_account/index.asp" END IF Application("session") = Session("access") dim folder set folder = Server.CreateObject("Scripting.FielSystemObject") Response.Redirect("location") Head of each client page (This should probably be in an include) code: Dim folder, client Set folder = Server.CreateObject("Scripting.FileSystemObject") client = folder.GetParentFolderName(Request.ServerVariables("SCRIPT_NAME")) client = Right(client,InStrRev(client, "/")) Session("access") = client IF NOT Application("session") = Session("access") OR Application("session") = "" THEN Response.Redirect("../index.html") END IF It works, I'm not sure how secure it is, any thoughts? (Edited by Blaise on 01-14-2010 11:01)
argo_navis Nervous Wreck (II) Inmate From: Insane since: Apr 2008	posted 01-14-2010 12:53 Yeah, it's safe. For memory/speed, you could skip the FSO (FileSystemObject) and tap into the built-in Server object, but you're good to go.

Topic awaiting preservation: Adding a secure section to your website (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=31587" title="Pages that link to Topic awaiting preservation: Adding a secure section to your website (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: Adding a secure section to your website <span class="small">(Page 1 of 1)</span>\$

Blaise
Paranoid (IV) Inmate

From: London
Insane since: Jun 2003

posted 01-13-2010 10:25

Hello,

I've picked up a project that's a bit of a Frankenstein between old ASP and HTML, it's a website that has a client access area which starts with a login page that checks for a username and password and then (depending on a match) will redirect the user to a specific clients subdirectory.

The login works by having an HTML form submit to an ASP page, this page has logic to check for a username and password match (the usernames and passwords are hard coded into this page), it also sets a session. the pages that it redirects to are only HTML though, so I'm convinced the session isn't being used to validate authentication.

Sure enough if you try and navigate directly to a clients subdirectory you can access their files, this isn't acceptable.

As I don't want to rename all pages to .asp and add a session check, I would like to know if there's a way to use this authentication across the board, perhaps using the .htaccess file? I'm not familiar with using this so any help or links would be appreciated.

Also will I be able to stop search engines indexing the folders here too?

TIA,

Cheers,

Blaise

kimson
Paranoid (IV) Inmate

From: Mercury City
Insane since: Jan 2005

posted 01-13-2010 10:44

quote:

Blaise said:

Also will I be able to stop search engines indexing the folders here too?

I believe robots will not attempt to reach your folder's content if it requires login ? this topic gives the beginning of an answer on how to enable indexing. But you can also use rules in the robots.txt file, in order to make sure that all your restricted pages are not indexed.

Blaise
Paranoid (IV) Inmate

From: London
Insane since: Jun 2003

posted 01-13-2010 11:38

Or Global.asa files, is this what I'm looking for? It appears that this is an IIS server as ASP works, is .htaccess only for Apache?

kimson
Paranoid (IV) Inmate

From: Mercury City
Insane since: Jan 2005

posted 01-13-2010 13:24

I've never heard of the possibility of specifying some indexing options in a Global.asa file personally. The answer I gave you was specifically for your indexing issue, and I don't think you can resolve it with a Global.asa file ? but I might be wrong.

argo_navis
Nervous Wreck (II) Inmate

From:
Insane since: Apr 2008

posted 01-13-2010 14:13

I take it you are running an IIS server? In that case, .htaccess isa useless. Depending on versions, ISAPI filters might be needed (plain vanilla asp) or you'll have to configure roles in asp.net.

.htaccess is for Apache.

.asa files (so I believe it's ASP 3) will do for the first part, don't remember the details but you get application-wide variables (so you could easily compare a username to a directory structure, Server.MapPath should give you the directory, Split, split the string, etc.

The last part, though, blocking bots, is, again, defined either at web user/role level (.Net), or using an ISAPI filter like :
http://weblogs.asp.net/scottgu/archive/2007/03/04/tip-trick-integrating-asp-net-security-with-classic-asp-and-non-asp-net-urls.aspx

And yeah, I sort of sold my soul to 'crosoft (just kidding, am still the same good ol' polyvalent me).
Now where was that java question...

(Edited by argo_navis on 01-13-2010 14:14)

Blaise
Paranoid (IV) Inmate

From: London
Insane since: Jun 2003

posted 01-13-2010 14:15

Ok, so I've created a robots.txt to manage search engines, and I've checked out a Global.asa file to create a global session I can check against the users current session, I guess I will need to convert all HTML pages to ASP pages though to get this to work, *sigh*

argo_navis
Nervous Wreck (II) Inmate

From:
Insane since: Apr 2008

posted 01-13-2010 14:16

Blaise : check the above link, it contains everything you need to know.

Blaise
Paranoid (IV) Inmate

From: London
Insane since: Jun 2003

posted 01-13-2010 16:03

Unfortunately I don't have access to the WebServer to make these changes.

However I have soldiered ahead with changing all HTML files to ASP, and added a security check to the top of each page, however I've realised a problem. The username and password combination sets the Session("access") variable to the client name, and redirects the user to their specific subfolder.

My problem is that there's no check for authenticated clients going from one folder to the next, here's the code I used.

code:

<%
IF NOT Application("session") = Session("access") OR Application("session") = "" THEN
	Response.Redirect("../index.html")
END IF
%>

So this will stop people that haven't logged in basically, but doesn't successfully check differences between the Application("session") and Session("access") because these two are set to be the same when a user logs in.

I'm thinking the only way I can check that the user is in the right place is by checking the folder structure matches the session name (which they all do currently, and I could enforce the naming convention), but I don't know how to do that accurately, or if it's the best solution.

argo_navis
Nervous Wreck (II) Inmate

From:
Insane since: Apr 2008

posted 01-14-2010 01:53

Okay, bear with me...

You could, say, create an "Object" with session scope in the global.asa

How-to :
http://www.w3schools.com/ASP/asp_globalasa.asp

Then, once the user is logged in, assign his username to that object.
And then, in each script (yeah, I know), include a Sub which will split the current path ( Server.MapPath("/") )
and test is the username is present within it.

...Do you see what I mean here?

argo_navis
Nervous Wreck (II) Inmate

From:
Insane since: Apr 2008

posted 01-14-2010 07:47

....In the 21st century, that "post too old" feature is a really terrible idea
Yes, it enforces responsibility, but it's a pain in the rear.

Since I can't edit : http://www.christopherjason.com/asp/includes-using-asp-classic/

Good option : you got your username in a variable, now create an include file with a procedure that, indeed,
compares the current file / folder path to that username, and slap it in all pages you want to control.
It's been a while since I last used ASP classic, but I strongly believe it's your best option in this case.

Blaise
Paranoid (IV) Inmate

From: London
Insane since: Jun 2003

posted 01-14-2010 11:00

This is the code I ran with in the end.

Global.asa

code:

sub Session_OnStart
	Application("session")=""
end sub

Authenticate.asp (This is where my form submits to)

code:

password = LCase(Request.Form("pword"))
user = LCase(Request.Form("uname"))

location = ""
Session("access") = ""

IF  (user = "test" AND password = "testpass") Then
    Session("access") = "test_account"
    location = "test_account/index.asp"
END IF

Application("session") = Session("access")
	
dim folder
set folder = Server.CreateObject("Scripting.FielSystemObject")

Response.Redirect("location")

Head of each client page (This should probably be in an include)

code:

Dim folder, client
Set folder = Server.CreateObject("Scripting.FileSystemObject")
client = folder.GetParentFolderName(Request.ServerVariables("SCRIPT_NAME"))
client = Right(client,InStrRev(client, "/"))
Session("access") = client

IF NOT Application("session") = Session("access") OR Application("session") = "" THEN
	Response.Redirect("../index.html")
END IF

It works, I'm not sure how secure it is, any thoughts?

(Edited by Blaise on 01-14-2010 11:01)

argo_navis
Nervous Wreck (II) Inmate

From:
Insane since: Apr 2008

posted 01-14-2010 12:53

Yeah, it's safe. For memory/speed, you could skip the FSO (FileSystemObject) and tap into the built-in Server object, but you're good to go.