Restrict Access not restricting fully

05 Sep 2003 11:28:40 Wayne Hultum posted:
Hope someone can help; I have a security issue on my site. My main site has a registration page where you pick a username and password to log in.

I also have an admin section to my site that I don't want anyone else to access, for obvious reasons.

So I've created an Admin login page with a restricted access level so you can only log in if your access level is set to Admin. This works fine: if you try to log in through the admin page with a username and password that you registered with on the main site, it won't let you in.

The problem I'm having is that if you log in on the main site you can access the admin pages by typing the address directly, e.g. www.yourdomain.co.uk/admin/page.asp, even though these pages have the Restrict Access behaviour.



Hope this makes sense,
thanks in advance

Wayne

Edited by - wayne1000 on 05 Sep 2003 11:29:26

<%
' *** Restrict Access To Page: Grant or deny access to this page
MM_authorizedUsers="Admin"
MM_authFailedURL="../default.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
  ' Note: the first clause also grants access when the session holds no access level at all
  If (false Or CStr(Session("MM_UserAuthorization"))="") Or _
     (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
If Not MM_grantAccess Then
  MM_qsChar = "?"
  If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
  MM_referrer = Request.ServerVariables("URL")
  if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
  MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
  Response.Redirect(MM_authFailedURL)
End If
%>

Edited by - wayne1000 on 05 Sep 2003 13:27:56

Replies

07 Oct 2003 01:05:30 Dan Berdusco replied:
Wayne 1000, have you found out a fix for this? I have the exact same situation happening with my site. Please let me know if you found a way to correct this problem.

Thanks...

07 Oct 2003 10:20:27 Wayne Hultum replied:
Try putting the code below in the page you want to restrict access to.

<%
' *** Restrict Access To Page: Grant or deny access to this page
MM_authorizedUsers="Admin"
MM_authFailedURL="../default.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
  If (false Or CStr(Session("MM_UserAuthorization"))="") Or _
     (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
If Not MM_grantAccess Then
  MM_qsChar = "?"
  If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
  MM_referrer = Request.ServerVariables("URL")
  if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
  MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
  Response.Redirect(MM_authFailedURL)
End If
%>

You'll probably want to change these two lines to something that is relevant to your site and DB:

MM_authorizedUsers="Admin" (this is a field in the DB)
MM_authFailedURL="../default.asp"

I missed the % before the bottom > because it wouldn't show up if I put it in.

Hope it helps
07 Oct 2003 17:31:27 Dan Berdusco replied:
Hi Wayne,

That code did not work for me... First of all, it required the % before the last >. But I did figure out how I can fix the problem...

I just made sure that both login sections of the site required an access level. The lower, regular users require an access level of 1 and the admin area requires an access level of 2. If I just have the regular users log in with a username and password and no access level, they can access the admin area.

08 Oct 2003 08:07:25 Dave Clarke replied:
Hi

I seem to recall having similar problems a while ago.
It turned out to be due to me using numbers for my access levels, as you have done.
I changed them to strings, i.e. Guest, member, admin etc., and everything worked fine.

Dave

ASP|VBScript|IIS5.1|Access|WinXPPro & WinXPHome

Edited by - Davecl on 08 Oct 2003 08:07:52
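
The behaviour described in this thread follows from the generated block: its first clause grants access whenever MM_UserAuthorization is empty, which is exactly the case when the main-site login never stores a level, and the InStr test is a substring match, so a level of 1 also satisfies an allowed list containing 10. Below is a hardened variant of the same check, added here as an example rather than Dreamweaver's or any poster's code, that denies an empty level and requires an exact match against a comma-separated list, complementing Dan's fix of giving every account a level. The helper name IsAuthorized and the comma-separated list format are assumptions.

```vbscript
<%
' Hardened "Restrict Access" check (added example, not the generated code
' posted in the thread). Differences from the generated block:
'   * a session with no access level is denied instead of granted;
'   * the level must equal one entry of the comma-separated list exactly,
'     so "1" no longer satisfies a list containing "10" or "12".
' IsAuthorized is an assumed helper name; the list format "Admin,Editor" is assumed.
MM_authorizedUsers = "Admin"
MM_authFailedURL   = "../default.asp"
MM_grantAccess     = False

Function IsAuthorized(userLevel, allowedList)
    Dim levels, i
    IsAuthorized = False
    ' An unset session variable is Empty; CStr(Empty) is "" and is rejected here.
    If Len(Trim(userLevel)) = 0 Then Exit Function
    levels = Split(allowedList, ",")
    For i = 0 To UBound(levels)
        ' Exact, case-sensitive comparison: "admin" does not match "Admin".
        If StrComp(Trim(levels(i)), Trim(userLevel), vbBinaryCompare) = 0 Then
            IsAuthorized = True
            Exit Function
        End If
    Next
End Function

If CStr(Session("MM_Username")) <> "" Then
    MM_grantAccess = IsAuthorized(CStr(Session("MM_UserAuthorization")), MM_authorizedUsers)
End If

If Not MM_grantAccess Then
    ' Redirect to the failure page with the denied URL, as in the generated code.
    MM_qsChar = "?"
    If InStr(1, MM_authFailedURL, "?") >= 1 Then MM_qsChar = "&"
    MM_referrer = Request.ServerVariables("URL")
    If Len(Request.QueryString()) > 0 Then MM_referrer = MM_referrer & "?" & Request.QueryString()
    Response.Redirect(MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer))
End If
%>
```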
