0

I have to show a link (Products) in the header after the user logs in to the application. It fails to display the link at first, but if I refresh the page the link appears and it logs out of the application. The problem is that initially the session variable (LoginID), which I'm using to check in the condition, is null; after I refresh the page the appropriate value is set in it. The three separate pages are the link in the header page, the form in the login page and the code-behind in the Login.asp page. Please suggest what I'm missing here.

header.asp

Dim qcVisible, LoginID
                
LoginID=Session("LoginID")
if Session("LoginID")="invaliduser" or Session("LoginID")="" Then                 
     qcVisible = "none"  
else                  
     qcVisible = "block"     
end if

<div class="menu">
    <ul class="clearfix">
       <li class="active"><a href="home.asp">Home</a></li> 
       <li><a href="Products.asp" style="display:<%=qcVisible%>;">Products</a></li>                                
       <li><a href="#">Contact</a></li>
    </ul>
</div>

Mylogin.asp(Form)

<!--#include file="header.asp"-->

Session("LoginID")="validuser"

<form name="MyForm" method="post" action="Login.asp" id="loginform">
    <fieldset>
        <div class="field">
           <input type="text" name="LoginID" placeholder="User ID" id="LoginID" />
        </div>
        <div class="field">
            <input type="password" name="PWD" placeholder="Password" id="PWD" />                                        
        </div>                                    
        <div class="field">                                                                          
            <button class="field_bt" type="submit" form="loginform" name="submit1">Sign In</button>
        </div>
    </fieldset>
</form>
            

Login.asp

Login(Request.Form("LoginID"),Request.Form("PWD"))


Function Login(LoginID,Password)
  Dim objRS,strSQL
  Set objRS=Server.CreateObject ("ADODB.Recordset")
  strSQL = Query
  objRS.Open strSQL,objconn
  If not objRs.Eof and not objRS.Bof then  
     dim muser
     muser = Mid(objRS("user_password"),1,3)
     dim mpass
     mpass = Mid(Password,1,3)      
     If trim(muser)= trim(mpass) Then
         Login=True
         Session("LoginID")=LoginID
         Session("Password")=Password
     Else
         Login=False
     End If
  End If
  objRS.Close
  Exit Function
End Function

<div class="maincontent">
    <object id="obj" data="Mylogin.asp" type="text/html"></object> 
</div>

Before login: [image]

After login and refreshing the page, it logs out and the link shows: [image]

Any help would be appreciated. Thanks.

Edited: Based on the member's suggestion, I tried the following:

'If Request.Form.Count > 0 Then(Another Way)

 If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
      if Session("LoginID")="invaliduser" or Session("LoginID")="" Then                         
          qcVisible = "none"  
      else                          
          qcVisible = "block"     
      end if
 End If
user692942
Dev
  • I don't see differences between the two pictures?? – Yunfei Chen Nov 30 '20 at 01:35
  • @YunfeiChen The "Products" link in the header. – Dev Nov 30 '20 at 01:38
  • Are you sure you are saving your values inside of Session("LoginID").... Because I keep getting the value of that variable is "" from this code... – Yunfei Chen Nov 30 '20 at 03:35
  • @YunfeiChen I have tried as you suggested but failed to solve the issue. – Dev Nov 30 '20 at 03:40
  • did you store the Session("LoginID") anywhere?? – Yunfei Chen Nov 30 '20 at 03:42
  • "If trim(muser)= trim(mpass) Then Login=True Session("LoginID")=LoginID Session("Password")=Password" My guess is that the above code is never run?? Can you verify if that is true?? – Yunfei Chen Nov 30 '20 at 03:44
  • put that code in your header.asp...... :) – Yunfei Chen Nov 30 '20 at 03:45
  • @YunfeiChen I checked, the code ran well. I believe it fails to reflect the session value in the header page. – Dev Nov 30 '20 at 03:55
  • you didn't by any chance forget to include the header page in your login file did you?? – Yunfei Chen Nov 30 '20 at 03:58
  • @YunfeiChen I did in the Mylogin.asp page. Please refer to the code section in the question posted above. – Dev Nov 30 '20 at 05:13
  • but you never included Mylogin.asp page in your login.asp page, so how would it know the var?? – Yunfei Chen Nov 30 '20 at 05:48
  • Not sure why you included JavaScript, JQuery and AJAX tags as none of them are relevant to the source code you have posted. Added the VBScript tag as that is what you appear to be using with Classic ASP. Also, your approach to a login page is flawed. In modern web application development you should not be storing clear text passwords; at a minimum it should be a hashed salted string persisted in a database, not just stored in the server's memory. – user692942 Nov 30 '20 at 08:26
  • This line is strange `Login(Request.Form("LoginID"),Request.Form("PWD"))` as it should error with "Cannot use parentheses when calling a sub" it should be either `Call Login(Request.Form("LoginID"),Request.Form("PWD"))` or `Login Request.Form("LoginID"),Request.Form("PWD")`. – user692942 Nov 30 '20 at 08:29
  • Also, what’s the point of ``? – user692942 Nov 30 '20 at 08:32
  • @Lankymart Agree. The reason behind including those tags was to get the session value in different ways. I'll avoid it in future. – Dev Nov 30 '20 at 10:40
  • @Lankymart You were correct. I just posted a piece of related code to understand the issue. – Dev Nov 30 '20 at 10:43
  • @Lankymart just to give the flow of the process to the contributor. – Dev Nov 30 '20 at 10:46
  • @Lankymart Would you please guide me in this issue. Have a look at the code part under the edit part of my question. `If Request.ServerVariables("REQUEST_METHOD") = "POST"` What am I missing? – Dev Nov 30 '20 at 10:50
  • @Dev "" Is that a comment?? – Yunfei Chen Nov 30 '20 at 18:49
  • @YunfeiChen guess you don’t know much about Classic ASP or IIS. That is known as a SSI (Server Side Include) it adds the contents of the include file server side to the page before preprocessing. – user692942 Nov 30 '20 at 22:49
  • I am not able to reproduce your code at this moment, but from what I saw I would try to verify if "*Session("LoginID") is Nothing*" too – Windson Mateus Nov 30 '20 at 02:30
  • loginid is the User ID(refer the Image) field. All I have to do is to show "Products" links to the member of this application after they login. – Dev Nov 30 '20 at 03:27

2 Answers

0

There are a couple things wrong with your approach:

  1. Session("LoginID") should either have no value (logged out) or a value (logged in).

  2. You are tasking the client side with hiding the link, which can be defeated by looking in the browser's DevTools or source code.

To solve these issues:

#1: Only set Session("LoginID") when a log in is successful.

#2: Your Product-check should look like this to only generate the HTML if the user is logged in (remember that the session should ONLY have a value if logged in):

   <% If Session("LoginID") <> "" Then %><li><a href="Products.asp" style="display:<%=qcVisible%>;">Products</a></li><% End If %>
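The server-side check described in this answer, carried one step further as an added example (not code from the original post or its answers): the header emits the link only for a logged-in session, and Products.asp enforces the same check itself, since leaving a link out of the menu does not stop a direct request for the page. The include name `auth.asp` and the helpers `IsLoggedIn` and `RequireLogin` are hypothetical; the example assumes `Session("LoginID")` is set only after a successful login, as point #1 requires.

```asp
<%
' --- auth.asp (hypothetical include file, added example) ---
' A session counts as logged in only when LoginID holds a non-empty string.
' Before login Session("LoginID") is Empty; & "" coerces Empty/Null to "".
Function IsLoggedIn()
    IsLoggedIn = (Len(Trim(Session("LoginID") & "")) > 0)
End Function

' Call at the top of every members-only page, before any output is written.
Sub RequireLogin()
    If Not IsLoggedIn() Then
        ' Mylogin.asp is the login form page named in the question.
        Response.Redirect "Mylogin.asp"
    End If
End Sub
%>

<%' --- header.asp (assumes auth.asp is already included by the page) --- %>
<div class="menu">
    <ul class="clearfix">
        <li class="active"><a href="home.asp">Home</a></li>
<% If IsLoggedIn() Then %>
        <%' Emitted only for logged-in users: nothing to un-hide in DevTools %>
        <li><a href="Products.asp">Products</a></li>
<% End If %>
        <li><a href="#">Contact</a></li>
    </ul>
</div>

<%' --- first lines of Products.asp: the page guards itself --- %>
<!--#include file="auth.asp"-->
<% RequireLogin %>
```

The three parts belong in three separate files, as the comments mark; they are shown together only to keep the flow in one place.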
-2

In your code you set the visibility to none if the LoginID is an empty string. When you first load the page, what do you think it is??:

if Session("LoginID")="invaliduser" or Session("LoginID")="" Then                 
     qcVisible = "none" 

Then later on you go:

<li><a href="Products.asp" style="display:<%=qcVisible%>;">Products</a></li>   

It is equivalent to going:

<li><a href="Products.asp" style="display:none;">Products</a></li>   

Before you actually refresh the page or login....

Instead you might want to try:

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     //Do your styles in here
}else{
qcVisible = "block";
}

Usually when you load a webpage a GET request is sent, and if you refresh it or click submit the request you specified on your form will be sent in your case POST, so when the user did not enter anything you want to display product hence it will be in the else statement..... Otherwise you want to check if it is valid or not... :)

Yunfei Chen
  • 1. qcVisible is a variable used as a value to the "display" property based on the condition. 2. The first image portrays the default home page. The second image is after I log in with the correct credentials: it goes to the respective page but the "Products" link failed to display in the header section; once I refresh the page it logs out and the link shows up. – Dev Nov 30 '20 at 02:05
  • One thing I don't understand, why do you link the page to itself even after you login successfully?? It should link to a new page no?? – Yunfei Chen Nov 30 '20 at 02:20
  • @Yunchi Chen it is a new page but I embed in the same frame. – Dev Nov 30 '20 at 03:29
  • @Yunchi Chen I tried the following but failed to pass the condition `If Request.ServerVariables("REQUEST_METHOD") = "POST" Then` and `If Request.Form.Count > 0 Then` – Dev Nov 30 '20 at 03:37
  • What’s with the PHP code in an answer to a Classic ASP question? – user692942 Nov 30 '20 at 08:14
  • @Lankymart https://stackoverflow.com/questions/10674933/how-to-check-form-submission-asp-classic – Dev Nov 30 '20 at 10:52
  • @Dev I realise what it is, just don’t see the point of it in an answer to a Classic ASP / VBScript question. It just adds confusion to others looking at the question. What’s stopping me just posting c# equivalent code? Would it help?, absolutely not. – user692942 Nov 30 '20 at 11:06