
Problem with User Security

7/27/2006 9:50:46 AM
ASPRunnerPro General questions
berkeleyjw author

I am trying to use the advanced security option. I have a table with username, password, group, and person_id.
I selected the correct table fields for the user name and password on the ASP Runner security setup.
I set up group permissions correctly in Advanced Security.
I even tried setting up a default user group security.
No matter what I do, I cannot get this to work. It always says "invalid login."
I can sign on when I use the "hard-coded" account, or I use the "sign on as guest/read-only" feature. Otherwise, I cannot sign on at all.
I am not using encrypted passwords (only cleartext passwords) because I cannot run the encrypt.asp against the table successfully (see appendix below).
UPDATE:
In the login.jsp page that is generated, the following select statement makes it appear impossible that this will work correctly:
Set rsTemp = server.CreateObject("ADODB.Recordset")

rsTemp.open "select * from " & cLoginTable & " where 1=0", dbConnection,1, 2
Please help. Thanks.
APPENDIX:
I downloaded and ran the encrypt.asp program. Page loaded and indicated that it would update over 300 rows in the table. But when I clicked "Start" I got the following error:
The page cannot be displayed

There is a problem with the page you are trying to reach and it cannot be displayed.
--------------------------------------------------------------------------------
Please try the following:
Click the Refresh button, or try again later.
Open the localhost home page, and then look for links to the information you want.

HTTP 500.100 - Internal Server Error - ASP error

Internet Information Services
--------------------------------------------------------------------------------
Technical Information (for support personnel)
Error Type:

Microsoft OLE DB Provider for ODBC Drivers (0x80040E21)

Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done.

/ASPRunnerPro/encrypt.asp, line 19
Browser Type:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Page:

GET /ASPRunnerPro/encrypt.asp
Time:

Thursday, July 27, 2006, 9:37:31 AM
More information:

Microsoft Support

Alexey admin 7/27/2006

Jim,
please zip and send to support@xlinesoft.com the full set of generated ASP files along with your database or database creation script. I'll find what's wrong with your project running it on my test box.
BTW, encrypted passwords are 32 characters long.

Make sure your password field is wide enough to hold 32 symbols.

berkeleyjw author 7/27/2006

Alexey,
On the login.asp page, I had to modify the line
if request("username")=CStr(rs(cUserNameField)) and password=CStr(rs(cPasswordField)) then
as follows:
if request("username")=rtrim(CStr(rs(cUserNameField))) and password=rtrim(CStr(rs(cPasswordField))) then
For some reason, when the name and password fields are read from the database, the ASP puts an extra space at the end of the strings. So, they will never match.
I made sure there was not an extra space at the end of these fields as they are stored in the database.
I don't know why the extra space keeps re-appearing whenever the user name / password are read from the database table. (I use MS-SQL Server).
After I changed the code on login.asp, I was able to sign on as a user from the database table.
I guess my only option is to modify the source template somehow.

berkeleyjw author 7/27/2006

Additionally, when I tried using the MD5 encryption (after increasing the field size - it cannot be 32 exactly or else the system seems to think the fields are already encrypted), I ran into a similar problem with not being able to log in. First, I ran the encrypt.asp program, but this ran the MD5 hashing algorithm against the database fields as if they had an extra space at the end.
So, after a user entered a password on the login screen, it gets hashed as if it has NO space at the end, so it never matches with the stored hashed password in the database.
I had to change the downloaded encrypt.asp program as follows:
if not encrypted(rs(cPasswordField)) then

rs(cPasswordField)=md5(rtrim(rs(cPasswordField)))
After I re-ran this against the table (I had it backed up), the passwords entered through the login screen (after being hashed) correctly matched the stored hashed passwords in the database.
I assume this will also be an issue if I ever let users change their own passwords, etc. Please look into this. If no other users have been reporting this, maybe it is something specific to MS-SQL Server? (A lot of users seem to be using MS-Access).

Alexey admin 8/1/2006

Jim,
looks like you use fields of CHAR type for username and password.

It's not a good idea.
I recommend you to change them to VARCHAR.
Here is the article about this issue:

http://www.xlinesoft.com/articles/invalid_login.htm
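
The CHAR padding behaviour discussed in this thread, as an added Python example that is not part of the original posts or of ASPRunnerPro: it models a fixed-width column read with `ljust`, shows the login comparison with and without trimming, and audits which stored MD5 values were computed over the padded password by checking them against a cleartext backup. The column widths, account names and passwords are constructed for illustration.

```python
import hashlib

USER_WIDTH, PASS_WIDTH = 20, 40   # assumed CHAR column widths (constructed)

def char_column(value, width):
    """Model a CHAR(width) read: the client receives the value space-padded."""
    return value.ljust(width)

def md5_hex(text):
    # MD5 is used only because the thread's encrypt.asp uses it.
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def login_matches(submitted, stored, trim):
    """The login.asp comparison, with and without the rtrim() fix."""
    return submitted == (stored.rstrip(" ") if trim else stored)

def classify(stored_hash, cleartext, width=PASS_WIDTH):
    """Compare a stored hash with the hash of the backed-up cleartext."""
    stored_hash = stored_hash.rstrip(" ").lower()
    password = cleartext.rstrip(" ")
    if stored_hash == md5_hex(password):
        return "ok"
    if stored_hash == md5_hex(char_column(password, width)):
        return "hashed-with-padding"   # must be re-hashed from the backup
    return "mismatch"

def audit(backup_rows, current_rows):
    """Map each username to the state of its stored hash."""
    backup = {user.rstrip(" "): pw for user, pw in backup_rows}
    report = {}
    for user, stored_hash in current_rows:
        name = user.rstrip(" ")
        report[name] = (classify(stored_hash, backup[name])
                        if name in backup else "no-backup")
    return report

# Constructed sample rows, as a client would read them from CHAR columns.
BACKUP = [(char_column("alice", USER_WIDTH), char_column("s3cret", PASS_WIDTH)),
          (char_column("bob", USER_WIDTH), char_column("hunter2", PASS_WIDTH))]
CURRENT = [  # alice: hashed over the padded read; bob: hashed after rtrim
    (BACKUP[0][0], char_column(md5_hex(BACKUP[0][1]), PASS_WIDTH)),
    (BACKUP[1][0], char_column(md5_hex("hunter2"), PASS_WIDTH)),
    (char_column("carol", USER_WIDTH), char_column(md5_hex("x"), PASS_WIDTH)),
]

if __name__ == "__main__":
    print(login_matches("s3cret", BACKUP[0][1], trim=False))
    print(audit(BACKUP, CURRENT))
```

Accounts reported as "hashed-with-padding" cannot log in with their real password until the hash is regenerated from the trimmed cleartext, which is why the backup matters before running a bulk hashing script.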