 CJWSoft Support Info : ASPProtect Full 6.x Archives
Subject Info: Unable to login with IE
dododi
New User

Joined: October/07/2004
Location: Australia
Added: August/07/2005 at 10:30pm

I posted this in the wrong forum. Sorry.

I have installed ASPProtect on a client's website and I have been notified that some of their customers have been unable to login to the protected pages.

On testing it seems that the issues seem to be related to how cookies are being stored by IE 6.

ASPProtect is being used to protect particular template files within a Content Management System. 90% of the time it is working fine but on the odd occasion particular customers are unable to login.

After quite a bit of testing I have managed to find the scenario in which it starts to have problems and was hoping you may be able to provide a solution.

If a customer enters the wrong password, then reenters the correct username and password, they receive a message "template can not be found" from the Content Management System. This message is generated when a url is entered that contains a link to a template file that does not exist. In this case the template does exist. If I remove the ASPProtect code the page opens without error.

Every time they re-enter the details they receive the same message.

If they close down the browser and then reenter the correct details in some instances the page will open correctly.

More often than not, they have to delete cookies and temporary files and close the browser. This seems to fix the problem again for most users. For users whose web access is heavily cached by an internal server, even this does not work.

Have you come across this problem before and can you suggest a remedy?

If you can email me privately I can give you the URL and access codes.

Thanks,

Stuart

cwilliams
Admin Group
CJWSoft Web Software Developer

Joined: April/06/2004
Added: August/08/2005 at 10:10pm

ok, PM me some additional info so I can go look around.

I don't quite understand everything going on.

Let me know what to do exactly to be successful logging in and also...

Let me know what to do exactly to reproduce the issue and I will tell you what I think.



__________________

Best Regards, Christopher Williams www.CJWSoft.com

cwilliams
Added: August/10/2005 at 1:56am

ok, here is what is going on

you are password protecting an ".asp" page that requires querystring info to run correctly (example - "somepage.asp?ID=3")

that is something I never intended anyone to do.. while it does handle and repass the querystring info along during successful login it does not re-pass that info during a failed login as you have found out

this is all by design.. the only reason the system re-passes the querystring info at all is because I wanted to make it smart for the sake of the remember me/cookie feature.. so if someone was using that and bookmarked a page deep in your site with querystring info...then when they went back to that bookmark they would get authenticated and still see the page as intended with the querystring info intact

it was a nice feature never intended to handle any situations other than what I just described...

now...
notice the url in the browser after failing a login.. then logging in successfully.. it is missing the querystring info

that more than anything is what is going on.. browser caching can cause some confusion when dealing with this because the browser likes to return you to the page minus the querystring info... when that happens a simple browser refresh at that time may very well solve the problem and then you see the page you are supposed to see...

To avoid all of this...

One solution to this is to always start people logging in to an ".asp" page that has no querystring info. That way this won't happen. Once they are logged in you can then offer them links to the pages they need to go to. (you of course still want to password protect those pages)

Another solution is to log them into a page with no querystring info and then do a response.redirect to the page with querystring info.. thus accomplishing the same thing but without the possibility of the issue because of a failed login.

Another solution is to do checks in your asp page for missing querystring info.. and if it isn't there do something about it like send them somewhere else.. or display a message about there being an error... etc etc

So, basically you don't want to tell people to login into such and such page with querystring info... and providing a username and password..... You can do it but like you found out it can cause an error if they mess up logging in the 1st time. The system just was not designed to handle that. There are complex reasons for that involving security that would just take me too long to explain.

I hope this makes some sense to you.. it is very hard to try and explain



__________________

Best Regards, Christopher Williams www.CJWSoft.com
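
The third option in the post above (check the page's own querystring and send the visitor somewhere else when it is missing), as an added Classic ASP example that is not part of the thread and is not CJWSoft code. `pricelists.asp` is a hypothetical querystring-free landing page, and `ID` is taken from the `somepage.asp?ID=3` example.

```asp
<%
' Added example (not ASPProtect code). Runs at the top of a page such as
' somepage.asp?ID=3, after whatever login check the page already has.
' Assumption: pricelists.asp is a hypothetical protected page that needs no
' querystring and lists links to the detail pages.
Const LANDING_PAGE = "pricelists.asp"

' Returns the ID as a Long, or -1 when it is missing, repeated or not 1-9 digits.
Function ReadTemplateId()
    Dim raw, i, ch
    ReadTemplateId = -1
    ' & "" turns the QueryString item into a string; "?ID=3&ID=4" becomes "3, 4"
    raw = Trim(Request.QueryString("ID") & "")
    If Len(raw) = 0 Or Len(raw) > 9 Then Exit Function
    For i = 1 To Len(raw)
        ch = Mid(raw, i, 1)
        If ch < "0" Or ch > "9" Then Exit Function
    Next
    ReadTemplateId = CLng(raw)
End Function

Dim templateId
templateId = ReadTemplateId()

If templateId < 0 Then
    ' The querystring was lost (for example after a failed login) or altered:
    ' send the visitor to the landing page instead of letting the CMS fail
    ' with "template can not be found".
    Response.Redirect LANDING_PAGE
End If

' templateId is now a validated number and can be handed to the CMS lookup.
%>
```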

dododi
Added: August/10/2005 at 10:04pm

Chris,

Thanks for the reply. It all makes sense.

I have gone with your first option but here is the problem:

I have moved the password protected page from the detail page with the querystring to the straight .asp page. This obviously fixes the previous error.

Once someone has logged in they are then presented with a list of links to the previously protected pricelist detail pages (example - "somepage.asp?ID=3"). They are then able to access the pricelists.

The problem is that if someone copies the pricelist URL they are then able to pass it on to someone else and bypass the password protection.

If I also password protect the pricelist pages then someone will have to login twice.

Is there some code that I can add that will simply check that they have logged in otherwise kick them back out to the protected .asp page?

All code in your documentation tends to open the login page regardless of whether you have previously logged in.


Thanks,

Stuart

cwilliams
Added: August/10/2005 at 10:11pm

"If I also password protect the pricelist pages then someone will have to login twice."

nobody should have to log in twice... ?

session variables keep track of access... once you're in - you're in and you can browse to and from any password protected pages you like

If it is making you log in each time then cookies are most likely disabled.. session variables require cookies being on to work.. cookies being on is a requirement of aspprotect and is how Forms Based Authentication works..

let me know if that is the issue there...

you shouldn't have to be logging in more than once per session

That's the whole point of the application...



__________________

Best Regards, Christopher Williams www.CJWSoft.com

dododi
Added: August/10/2005 at 10:48pm

Thanks Chris.

Yes, I never actually considered that they should log in twice.

The site uses two main URLs and the cookie was being stored for only one of them. I have fixed the double login issue by making changes to the menu to ensure that they are always logging in only via the URL stored in the cookie.

Thanks for your help,

Stuart

cwilliams
Added: August/11/2005 at 3:01pm

ya,

any variation of a site url is going to have its own set of application and session variables.. so you have to be consistent with your navigation links

example (for anyone that comes across this thread)

http://www.examplesite.com/somepage.asp

is going to have a different set of application and session variables than

http://examplesite.com/somepage.asp

even though they are basically the same page



__________________

Best Regards, Christopher Williams www.CJWSoft.com
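
One way to keep visitors on a single host name, so the session cookie set at login is always sent back (an added Classic ASP example, not part of the thread and not CJWSoft code). It assumes `www.examplesite.com` from the post above is the chosen host and that the site runs on the default ports.

```asp
<%
' Added example (not ASPProtect code). Include at the top of every page,
' before any code that reads Session, so each visitor ends up on one host.
Const CANONICAL_HOST = "www.examplesite.com"   ' host taken from the post above

' Returns the URL to redirect to, or "" when no redirect is needed.
Function CanonicalRedirectTarget()
    Dim host, scheme, target, qs
    CanonicalRedirectTarget = ""

    host = LCase(Request.ServerVariables("HTTP_HOST") & "")
    ' Compare the name only; a ":port" suffix is ignored (default ports assumed).
    If InStr(host, ":") > 0 Then host = Left(host, InStr(host, ":") - 1)
    If host = CANONICAL_HOST Then Exit Function

    ' Only GET requests are redirected: a redirect drops posted form fields,
    ' so a login form submitted on the other host is left alone.
    If UCase(Request.ServerVariables("REQUEST_METHOD") & "") <> "GET" Then Exit Function

    If LCase(Request.ServerVariables("HTTPS") & "") = "on" Then
        scheme = "https://"
    Else
        scheme = "http://"
    End If

    ' The host in the target is the constant above, never the value the
    ' client sent in its Host header.
    target = scheme & CANONICAL_HOST & Request.ServerVariables("URL")

    ' Keep the querystring so somepage.asp?ID=3 still arrives with ID=3.
    qs = Request.ServerVariables("QUERY_STRING") & ""
    If Len(qs) > 0 Then target = target & "?" & qs

    CanonicalRedirectTarget = target
End Function

Dim redirectTarget
redirectTarget = CanonicalRedirectTarget()
If Len(redirectTarget) > 0 Then Response.Redirect redirectTarget
%>
```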