|
It is not good practice to use others' code, especially for an exam. But you can get help. If you need any help to transfer files using ASP technology, then I can help you. You may mail me at himadrish@yahoo.com. I have very good code which will help you a lot to transfer files over the internet or intranet.
Himadrish Laha
|
|
|
|
|
Hi...
I am using cookies in my website to identify users... every user has a username and password... I have an option for making the site remember the user's name...
Some users were simply able to modify the saved cookie and change the name to use other users' names!!
The username in that case must be the same number of characters as the stolen name...
How can I prevent that in the most simple way?? Is there a way to make the cookie more secure and prevent users from editing them??
I will appreciate a quick response from any one of you...
Regards to all...
|
|
|
|
|
MatrixUndone wrote:
I am using cookies in my website to identify users... every user has a username and password... I have an option for making the site remember the user's name...
Some users were simply able to modify the saved cookie and change the name to use other users' names!!
The username in that case must be the same number of characters as the stolen name...
How can I prevent that in the most simple way?? Is there a way to make the cookie more secure and prevent users from editing them??
That isn't really possible - cookies are just a text file on the end user's machine and they should be allowed to edit them if they really want to.
What you really need to do is provide extra checks to ensure that the cookie you wrote was the one that gets sent back later on.
You could use a hash of the username and password (and/or other suitable information) and store that in the cookie as well - this can be rechecked on your end quite simply, and if they don't match, then force the user to log in as normal. Whatever you do, the hash has to be generated from at least some information the "evil" user has not got access to - such as passwords you store in a database on your site.
If you generate a hash from just the cookie information, then an "evil" user can generate it too, using the information he wants in that cookie.
If you're using ASP.NET, investigate Forms Authentication, as this can provide the authentication facilities you're looking for.
--
Ian Darling
"The moral of the story is that with a contrived example, you can prove anything." - Joel Spolsky
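The check described in the reply above, as an added example that is not part of the original thread: it swaps the suggested hash of stored credentials for HMAC-SHA256 with a key held only on the server, and sets it beside the unkeyed hash the reply warns about. The function names, the `user|expires|mac` cookie layout and the expiry field are assumptions made for illustration (Node.js).

```javascript
const crypto = require("crypto");

// Assumption: a random key that lives only on the server (config or secret
// store) and is never written into the cookie.
const SERVER_KEY = crypto.randomBytes(32);

// Weak form: the digest is built only from data that is in the cookie, so
// anyone who edits the name can recompute a matching digest.
function weakCookie(username) {
  const digest = crypto.createHash("sha256").update(username).digest("hex");
  return `${username}|${digest}`;
}
function weakVerify(cookie) {
  const [username, digest] = String(cookie).split("|");
  const expected = crypto.createHash("sha256").update(username).digest("hex");
  return digest === expected ? username : null;
}

// Hardened form: the MAC covers the name and an expiry time and depends on
// the server key, which the client never sees.
function sign(payload, key) {
  return crypto.createHmac("sha256", key).update(payload).digest("hex");
}
function issueCookie(username, ttlSeconds, key = SERVER_KEY, now = Date.now()) {
  const expires = Math.floor(now / 1000) + ttlSeconds;
  const payload = `${encodeURIComponent(username)}|${expires}`;
  return `${payload}|${sign(payload, key)}`;
}
function verifyCookie(cookie, key = SERVER_KEY, now = Date.now()) {
  const parts = String(cookie).split("|");
  if (parts.length !== 3) return null;
  const [user, expires, mac] = parts;
  const expected = Buffer.from(sign(`${user}|${expires}`, key), "hex");
  const given = Buffer.from(mac, "hex");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  // Only trust the fields after the MAC has been verified.
  if (!/^\d+$/.test(expires) || Number(expires) * 1000 <= now) return null;
  return decodeURIComponent(user);
}
```

On a failed check the server treats the visitor as logged out and asks for the password again, as the reply says.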
|
|
|
|
|
Dear Ian
Thanks for the reply...
Is there a way or a simple script that I can use to encrypt cookies??
|
|
|
|
|
As he said, if you are using ASP.NET, you can encrypt your ticket using the machine key configured in your machine.config or Web.config script (the default is randomly generated). See my article, Role-based Security with Forms Authentication for some brief details.
If you're not using ASP.NET, you have to decide whether to use a javascript file to hash the value on the client side, or to use some ASP code (or COM object) to do it on the server. For MD5 hashes, there is a myriad of examples on the 'net. To do this on the client, there's many javascripts you can use. According to a discussion I was checking out the other day (can't remember if it was here or /.), Yahoo! mail does this on the client before sending the password if the user opts to not use HTTPS (HTTP over SSL) - and who knows why anyone wouldn't want to use HTTPS!
|
|
|
|
|
Thanks Heath Stewart!
Can you please explain to me more on what should I do?? and if you can write down the JavaScript you're talking about and how to use it with Cookies... I will be grateful!!
Thanks already!
|
|
|
|
|
You should discover this for yourself. Just download one of those javascript files that I gave you a search link for. If you look on those pages, most should contain examples of what to do. Essentially, you just hash the password before you submit a form and send the password hash, or store the password hash in a cookie using client-side javascript. Just make sure your client script and the server use the same hashing algorithm, such as MD5 or SHA1 - both mathematically irreversible (known as a one-way hash or digest).
|
|
|
|
|
Hello, I am getting a contract programmer to do some web development for me (ecommerce site). Should I go for a java, asp.net or windows desktop version? what are the pros/cons of each? or should I go for all 3?
|
|
|
|
|
What you should do is hire me
Seriously, these are pretty broad questions to get answered here.
|
|
|
|
|
Yeah, I know it is a very broad question, but I thought it might open up a broad discussion about the major points. I'm tending to steer away from the java platform given that a windows/desktop version is so much more powerful - but then how realistic is it that everyone can 1. load software onto their machine and 2. assume everyone uses windows
|
|
|
|
|
Instead of using onclick, you can use a real <a> tag with javascript: in the href, e.g.:
<a href="javascript:load_musique();">Musique</a>
- Mike
|
|
|
|
|
hooo!! nice, thanks!
Maximilien Lincourt
"Never underestimate the bandwidth of a station wagon filled with backup tapes." ("Computer Networks" by Andrew S Tannenbaum )
|
|
|
|
|
Hello, I've got the following code
test.asp
<%@ language="Javascript" %>
<%
var Connection,Recordset;
Connection = Server.CreateObject("ADODB.Connection");
Connection.Open("thesourcename");
var strSQLQuery = "SELECT * FROM clients WHERE .... "
Recordset = Connection.Execute(strSQLQuery);
Session("test") = Recordset.Fields("user_name");
Response.Redirect("test1.asp");
%>
and I've got another code ...
test1.asp
<%@ language="Javascript" %>
<%
Response.Write(Session("test"));
%>
Someone PLEASE tell me what am I doing WROOOOOOOOONG because ASP is driving me crazy. The book says that the Session object should store the values from page to page.
I get an ADODB.Field no longer available error message. Could someone please tell me why ?????????????????
I've got almost the same code in VBScript and it works ....
WHAT'S WRONG ??
Thank you !
|
|
|
|
|
Apologies for not answering your actual question but don't do what you are doing. You are leaving connection objects to the database open, redirecting to other pages without closing them. That is not good.
Maybe explain what you want to do and we can recommend some better ways of doing it.
regards,
Paul Watson
Bluegrass
South Africa
Brian Welsch wrote:
"blah blah blah, maybe a potato?" while translating my Afrikaans.
Crikey! ain't life grand?
|
|
|
|
|
Don't mind the fact that I'm not closing the recordset and the connection. In real life I do that ...
The problem is that I want the test1.asp script to display the content of the Session("UserName") but I am not successful because I get an error saying that:
Error Type:
ADODB.Field (0x80020009)
Object is no longer valid.
/meteo/test1.asp, line 3
Here is the code:
test.asp
<%@ language="Javascript" %>
<%
var Connection,Recordset;
Connection = Server.CreateObject("ADODB.Connection");
Recordset = Server.CreateObject("ADODB.Recordset");
Connection.Open("Clienti");
var strSQLQuery = "SELECT * FROM clienti WHERE nume_utilizator = \'" + "radio" +"\'";
Recordset=Connection.Execute(strSQLQuery);
Session("UserName") = Recordset.Fields("nume_utilizator");
Recordset.Close();
Connection.Close();
Response.Redirect("test1.asp");
%>
and test1.asp
<%@ language="Javascript" %>
<%
Response.Write(Session("UserName"));
%>
|
|
|
|
|
Ok, my ASP is a bit rusty but I think the problem is because you are storing the object itself, not the value. Because you close the connection, the object becomes invalid.
Damn, JScript needs a ToString() method
David Wulff, a JScript genius, says you should use Session("UserName") = String(Recordset.Fields("nume_utilizator"));
regards,
Paul Watson
Bluegrass
South Africa
Brian Welsch wrote:
"blah blah blah, maybe a potato?" while translating my Afrikaans.
Crikey! ain't life grand?
|
|
|
|
|
Seems to be working (for now) ... thank you !
|
|
|
|
|
Use the below
<% @LANGUAGE = VBScript%>
This will also help you to get rid of unimportant errors.
And be COOL.
Himadrish Laha
|
|
|
|
|
Hi, I'm a bit confused trying to distinguish between RegionInfo and CultureInfo, after reading a few articles. So, please let me know if my understanding is correct:
1. "CultureInfo":
1.1 CurrentCulture, of type CultureInfo, is for "functions" or "methods" that format according to Thread.CurrentThread.CurrentCulture. Example:
MyDate.ToString(); //This will format according to "CurrentCulture"
Reference: http://docs.aspng.com/quickstart/aspplus/doc/internationalization.aspx
"CurrentUICulture", like CurrentCulture, is of type "CultureInfo". The difference is that CurrentUICulture is used in locating the appropriate satellite assembly. Say, if CurrentCulture="US-En" and CurrentUICulture="de-DE", then the framework will still look under the "de-DE" folder for the satellite assembly when ResourceManager is instructed to do so. But, still, why distinguish between the two, CurrentCulture and CurrentUICulture? Has anyone found themselves in a situation in which CurrentCulture needs to be different from CurrentUICulture??
2. RegionInfo: I have no idea what we need this for... Although reference can be found here:
http://docs.aspng.com/quickstart/aspplus/doc/cultureencoding.aspx
Why region? Is all that it does to tell what the currency symbol is and whether it is metric or not? Why not embed this information in CultureInfo??
Thanks!
|
|
|
|
|
Hello,
Currently I have an ASP based login system where once the user's credentials are checked, it cookies them with their username and password. On every protected page an include file revalidates that information and redirects the user if it doesn't match the information in the database. Instead, after verifying the user's credentials, could I set a session variable and then just check for that session variable being set in the include file? Are there any possible security issues that could arise from this setup (I'm aware of some of the ones in my current setup)?
Thanks,
Aaron Stubbendieck
modified 12-Jul-20 21:01pm.
|
|
|
|
|
You can set session variables as such:
Session("userName") = strUserName
and then access the variable as such:
strUserName = Session("userName")
and you can check it within your include as such:
If Len(Session("userName"))=0 Then
    Response.Redirect "login.asp"
End If
Or have a boolean variable:
If Not Session("isLogged") Then
    Response.Redirect "login.asp"
End If
You can access Session variables from anywhere in your ASP app.
theJazzyBrain
Wise is he who asks good questions, not he who gives good answers
|
|
|
|
|
Thanks, I'll try that out.
Aaron Stubbendieck
modified 12-Jul-20 21:01pm.
|
|
|
|
|
Under normal circumstances the Session is stored using cookies anyway. But using the Session object is easier. Certainly we have used Session for login validation on each page, it works fine.
I would recommend not storing the password and username pair in a cookie unless you are using some devious encryption. Even then, rather don't.
regards,
Paul Watson
Bluegrass
South Africa
Brian Welsch wrote:
"blah blah blah, maybe a potato?" while translating my Afrikaans.
Crikey! ain't life grand?
|
|
|
|
|
Thanks, I was aware that cookies would be used anyway but I'm glad to hear it's a practical approach. Storing the password in the cookie was my main concern since it is transmitted plain text.
Thanks,
Aaron Stubbendieck
modified 12-Jul-20 21:01pm.
|
|
|
|
|
How would I go about serializing a method call in a SOAP format without calling a web service? I want to queue these calls before transporting them, so I want to call a method on a proxy, and have the proxy give me the SOAP document that it would normally POST to the web service.
|
|
|
|