I still have password problems

Amateur

I am using ASP to display data for my customers on the web.
I have Data Access Pages based on tables in a database. In those tables is, of
course, the customer information which each customer should see.
So, if I create user permissions, then each customer can see ALL information
in that table - but he should only be able to see his record(s).
a) What do I have to do so that every specific customer can only see his
specific information out of the table in the Data Access Page?
b) How can I link the web page client area password and username to see
which record the client is allowed to see in the database?
It would be nice if you could give me a step-by-step example of what I have to do.
Thanks for the help
Klaus
 
G. Vaught

See Answers Inline

Amateur said:
I am using ASP to display data for my customers on the web.
I have Data Access Pages based on tables in a database. In those tables is, of
course, the customer information which each customer should see.
So, if I create user permissions, then each customer can see ALL information
in that table - but he should only be able to see his record(s).
a) What do I have to do so that every specific customer can only see his
specific information out of the table in the Data Access Page?

ANS: Create a table to hold the username, password, and security level for the
customer. Create a login form that captures the client's username and
password as they typed them in. It is easiest if you use the client's Account ID as
the username, as you can then use that to filter the appropriate records.
Using a query and ASP, compare the typed-in info with the database info, along
with the securitylevel. The security level is a way to prevent the pages
from being viewed by anyone other than a client. If all match, the client
can then view the table of contents.

b) How can I link the web page client area password and username to see
which record the client is allowed to see in the database?

ANS: You will pass the username/password to each web page and check the
securitylevel at each page. For example, I have created an online request
for Courier clients to request pickup/deliveries. They log on using the
username/password assigned, which checks to see if their securitylevel
matches the setting in the page. If so, they get to the table of contents.
When they request to place an order, the Order web page again checks for the
security level and retrieves the data for that client based on his login
info. The username in this case matches the AccountId of the client. Thus a
client can never see any other client's info. The updating of usernames,
passwords, and security levels is done through Access, which in turn
updates the website database. Thus all control is done locally.

It would be nice if you could give me a step-by-step example of what I have to do.

Step by step may be too in-depth for this forum. However, I will post the two
security ASP pages I use, minus any specific client detail, that should get
you started. You can also search the internet for code.

Thanks for the help
Klaus

--------------------------------------------------------
//<securitylogin.asp>
-------------------------------------------------------
<%@ language=vbscript%>
<!DOCTYPE html Public "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/xhtml1-transitional.dtd">

<html>
<head><title>Web Order Login</title></head>
<body>

<p align="center"><font class="spfont">"Online Orders Can Only Be Placed Mon thru Fri 7am - 7pm"</font>
</p>

<!-- Posts the typed-in user name and password to securityloginrespond.asp -->
<form action="securityloginrespond.asp" method="post" name="frmdefault">
<table class="border" align="center" width="30%">
<tr>
<td>
<p class="spfont">User Name</p>
</td>
<td><input name="searchaccount"></td>
</tr>
<tr>
<td>
<p class="spfont">Password</p>
</td>
<td><input type="password" name="accountpassword"></td>
</tr>
<tr>
<td colspan="2" width="544">&nbsp;</td>
</tr>
<tr>
<td colspan="2" width="544" align="center"><input type="submit" name="btnsubmit" value="submit">&nbsp;
<input type="reset" name="reset" value="reset"></td>
</tr>
</table>
</form>
</body>
</html>
-------------------------------------------------------
//<securityloginrespond.asp>
-------------------------------------------------------
<%@ Language=VBScript %>
<% Response.Buffer = True %>

<HTML>
<HEAD>
<TITLE>Security Login Verification</TITLE>
</HEAD>
<BODY>
<%
Dim conntemp, cmdtemp, rstemp
Dim myname, mypassword

' Values posted by the form in securitylogin.asp
myname = CStr(Request.Form("SearchAccount"))
mypassword = CStr(Request.Form("AccountPassword"))

Set conntemp = Server.CreateObject("ADODB.Connection")
conntemp.Provider = "Microsoft.Jet.OLEDB.4.0"
conntemp.ConnectionString = "Data Source=" & Server.MapPath("\path to database and database.mdb")
conntemp.Open

' Look up the account with a bound parameter, so the typed-in user name
' is never concatenated into the SQL text (200 = adVarChar, 1 = adParamInput)
Set cmdtemp = Server.CreateObject("ADODB.Command")
Set cmdtemp.ActiveConnection = conntemp
cmdtemp.CommandText = "SELECT * FROM tblAccountPass WHERE ACCOUNT = ?"
cmdtemp.Parameters.Append cmdtemp.CreateParameter("account", 200, 1, 255, Left(myname, 255))
Set rstemp = cmdtemp.Execute

If rstemp.EOF Then %>
<BR>
I'm sorry, we don't have a user named <%=Server.HTMLEncode(myname)%> on file!<br>
Please contact ####### for access to this site.
<!--Please return to <A href="securitylogin.asp">Log In</a> and select Register-->

<% Response.End
End If

' The Password column is compared exactly as stored in the table
If rstemp("Password") = mypassword Then
    ' Remember who logged in; every restricted page checks these two values
    Session("name") = rstemp("account").Value
    Session("securitylevel") = rstemp("SecurityLevel").Value
    Response.Redirect "toc.asp"
Else
%>

Password Unrecognized<br>
<A href="securitylogin.asp">Try Again</a>.
<% Response.End
End If

rstemp.Close
conntemp.Close
Set rstemp = Nothing
Set cmdtemp = Nothing
Set conntemp = Nothing
%>

</BODY>
</HTML>
------------------------------------------------------------
Excerpt of Sample code in toc.asp
------------------------------------------------------------
<%@ LANGUAGE=vbscript%>
<% Response.Buffer = True %>

<!DOCTYPE html Public "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/xhtml1-transitional.dtd">
<%
' Put these two lines on every page you want to restrict
If Session("securitylevel") = 2 Then
    varAccount = Session("name")
%>

<!-- Menu navigation info is listed here -->

<% Else %>
<p>You don't have permissions to view this page or there was a problem
with your login.</p>
<% End If %>
</BODY>
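
Added example, not part of G. Vaught's post: the answer above describes an Order page that re-checks the security level and retrieves only the logged-in client's data, but does not show it. One way to write such a page follows. The file name orders.asp, the table tblOrders with its columns (AccountID assumed to be a text column), and the database path are all hypothetical.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' orders.asp (hypothetical): shows only the logged-in client's rows.
' Assumed schema: tblOrders(OrderID, OrderDate, OrderStatus, AccountID).
Const DB_FILE = "D:\data\weborders.mdb" ' hypothetical path outside the web folder
Const adVarChar = 200
Const adParamInput = 1
Dim acct, conn, cmd, rs

Response.Buffer = True

' Same gate as toc.asp: without the session values set at login, send the
' visitor back to the login form (Response.Redirect ends the page here).
acct = CStr(Session("name") & "")
If Session("securitylevel") <> 2 Or Len(acct) = 0 Then
    Response.Redirect "securitylogin.asp"
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Provider = "Microsoft.Jet.OLEDB.4.0"
conn.ConnectionString = "Data Source=" & DB_FILE
conn.Open

' The account ID is taken from the server-side session, never from a form
' field or the query string, and is bound as a parameter of the query.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT OrderID, OrderDate, OrderStatus FROM tblOrders " & _
                  "WHERE AccountID = ? ORDER BY OrderDate DESC"
cmd.Parameters.Append cmd.CreateParameter("acct", adVarChar, adParamInput, 255, acct)
Set rs = cmd.Execute
%>
<html><head><title>Your Orders</title></head><body>
<table border="1">
<tr><th>Order</th><th>Date</th><th>Status</th></tr>
<% Do Until rs.EOF %>
<tr><td><%= Server.HTMLEncode(rs("OrderID") & "") %></td>
<td><%= Server.HTMLEncode(rs("OrderDate") & "") %></td>
<td><%= Server.HTMLEncode(rs("OrderStatus") & "") %></td></tr>
<%  rs.MoveNext
Loop
rs.Close
conn.Close
%>
</table>
</body></html>
```

Because the WHERE clause is driven only by the session value written in securityloginrespond.asp, changing a URL or form field cannot select another account's rows.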
 
Amateur

Thank you very much, that was the first detailed answer I got to my question
here. I am a starter with this subject, and your answer I can understand.
Again, thank you very much. I will try today, and I hope that if I do have
another question or problem you can assist me again.
Klaus
 
'69 Camaro

Hi.

You should also mention to Klaus that this approach has the added benefit
that the user never has to remember a password. The user can copy/paste the
Web page's data source path and file name directly into the Web browser
address bar, then press the <ENTER> key to download the MDB file onto his
hard drive.

If the user has Microsoft Access installed on his computer, he can view his
own records and _all_ customer records at his leisure. If he has another
database application, Microsoft Excel, or another spreadsheet application, he
can easily link to the tables and read the data for all customers. Even if
he doesn't have any of these applications, he can still retrieve the data for
all customers with VB Script.

Klaus doesn't have a password problem. Klaus has a design problem and a
security problem. The tools Klaus intends to use cannot secure the data when
people can access that data using a Web browser. Klaus needs a proper
client/server database, not a file based database like Access.

HTH.

Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips.

(Please remove ZERO_SPAM from my reply E-mail address, so that a message
will be forwarded to me.)

- - -
When you see correct answers to your question posted in Microsoft's Online
Community, please sign in to the Community and mark these posts as "Answers,"
so that all may benefit by filtering on "Answered questions" and quickly
finding the right answers to similar questions. (Only "Answers" have green
check-marks.) Remember that the best answers are often given to those who
have a history of rewarding the contributors who have taken the time to
answer questions correctly.


 
Amateur

Now I am totally confused. I know it will not be easy for me to create that,
but during the last months I learned so much (OK, with all your helping hands)
that I believe, if someone would explain it to me once, on a step-by-step
basis, I could do it.
So, can you point me in the right direction?
Thanks
Klaus
 
'69 Camaro

Hi, Klaus.

Unfortunately, the training you need to succeed in this isn't going to come
from a newsgroup post, or even 100 posts, for that matter. Formal training
would cost at least $6,000 and take at least six months of training
side-by-side with an experienced, security-minded Web application builder for
Oracle or SQL Server databases before you could tackle a project like this on
your own.

The cheapest and quickest way (i.e., the best way) to accomplish this task
is to do it right the first time, which means hire a professional Web
application programmer who is skilled in both Internet security and database
security. These aren't the consultants that you can easily hire for $30 or
$40 an hour. They cost more, but their work doesn't have to be redone when
you discover your Web site has been hacked into because it wasn't designed to
be secure in the first place.

HTH.

Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips.

(Please remove ZERO_SPAM from my reply E-mail address, so that a message
will be forwarded to me.)

 
Amateur

Thanks, I believe you are right: 1/2 a job is no job, and it will cost more in
the end.
All the best
Klaus
 