sessions & recordsets

netjlee

  • Total Posts : 7
  • Scores: 0
  • Reward points : 0
  • Joined: 10/13/2008
  • Status: offline
sessions & recordsets Monday, October 13, 2008 11:37 AM (permalink)
0
Shopping Cart Issue
Hi,
Have a question regarding Sessions and Recordsets. I'm attempting to do what I would term a single sign-on between a membership site and a shopping cart system. Both are VBScript and on the same remote server. Here is the challenge:


The user logs into the member site using a user ID and password.
When you do a session lookup there are virtually no sessions. When you point to the shopping cart system (which has its own login) you see "user not logged in". The business client does not want the member to log in twice.
If I were to add near the connection string:
        Session("userID") = "1323"
        Session("firstname") = "David"
        Session("lastname") = "Smith"


And then re-run the login process: when you point to the shopping cart system you would see David Smith and it would show "log out", which is good. However, I need this to happen dynamically, so the static session info does not exactly help me moving forward.
My guess is that somehow when the user logs in I have to grab the SELECT statement that occurs (basically a recordset of firstname & lastname) and place it into its own session so that it will work on a dynamic basis. This looks to be a bit over my knowledge level, so I'm reaching out ;)



There is a lot of code here so if you want to look at it, please be specific as to what you are looking for and I will post it.


Any help appreciated! Thanks!
 
#1
    TNO

    • Total Posts : 2094
    • Scores: 36
    • Reward points : 0
    • Joined: 12/18/2004
    • Location: Earth
    • Status: offline
    RE: sessions & recordsets Monday, November 10, 2008 6:13 PM (permalink)
    0
    So if the user logs in, there is no session? I think that's a problem in itself to be tackled first.
    To iterate is human, to recurse divine. -- L. Peter Deutsch
     
    #2
      netjlee

      • Total Posts : 7
      • Scores: 0
      • Reward points : 0
      • Joined: 10/13/2008
      • Status: offline
      RE: sessions & recordsets Tuesday, November 11, 2008 2:16 AM (permalink)
      0

      Not exactly, the session is there, but only if you manually code it in there. What I'm trying to do is make sure I can do this dynamically. For instance, you log in to the main portion of the site, and your name and credentials are added to the session, so when you navigate over to the ecommerce portion (which is a different page on the same site) you then do NOT have to log in there as well, because it already reads your session info from the previous login. Currently it will let you into the main page, but when you navigate over to the commerce portion, it makes you log in again. Obviously the client doesn't want this, nor would I. Single sign-on would be the objective here. Any ideas on how to make it dynamic in the code?

      Thanks for replying!
       
      #3
        cyf

        • Total Posts : 22
        • Scores: 0
        • Reward points : 0
        • Joined: 1/25/2007
        • Status: offline
        RE: sessions & recordsets Tuesday, November 11, 2008 2:20 AM (permalink)
        0
        Also, how are you verifying a user is valid?
         
        I wouldn't recommend storing the user id and full name in a session variable as your main check to see if the user is logged in, as it isn't very secure. I would use a combination of the user's IP, sessionID and user id and store some kind of hashed value in a session variable to do the actual check.
         
        Can you post the bit of code where you want the dynamic user details to be stored to a session variable?
        http://www.andigibson.co.uk - my blog

        http://www.zero7ict.com - web hosting and development

        http://www.socialaddict.co.uk - music and entertainment
         
        #4
          cyf

          • Total Posts : 22
          • Scores: 0
          • Reward points : 0
          • Joined: 1/25/2007
          • Status: offline
          RE: sessions & recordsets Tuesday, November 11, 2008 2:22 AM (permalink)
          0
          Are they both under the same domain name too?
          http://www.andigibson.co.uk - my blog

          http://www.zero7ict.com - web hosting and development

          http://www.socialaddict.co.uk - music and entertainment
           
          #5
            TNO

            • Total Posts : 2094
            • Scores: 36
            • Reward points : 0
            • Joined: 12/18/2004
            • Location: Earth
            • Status: offline
            RE: sessions & recordsets Tuesday, November 11, 2008 2:34 AM (permalink)
            0
            Generally the practice I follow is that when the user logs in and they are valid, I store the current time in milliseconds on the client, which works as a sessionID. When they get to another page during the same session I can check that number and match it up again. Once they leave the domain, the sessionID is effectively useless.
            To iterate is human, to recurse divine. -- L. Peter Deutsch
             
            #6
              cyf

              • Total Posts : 22
              • Scores: 0
              • Reward points : 0
              • Joined: 1/25/2007
              • Status: offline
              RE: sessions & recordsets Tuesday, November 11, 2008 2:36 AM (permalink)
              0
              Yes, that seems OK, but it still doesn't check for certain session spoofing attempts, does it?
              http://www.andigibson.co.uk - my blog

              http://www.zero7ict.com - web hosting and development

              http://www.socialaddict.co.uk - music and entertainment
               
              #7
                netjlee

                • Total Posts : 7
                • Scores: 0
                • Reward points : 0
                • Joined: 10/13/2008
                • Status: offline
                RE: sessions & recordsets Tuesday, November 11, 2008 2:48 AM (permalink)
                0

                They are verifying the user via SQL lookup in a user table. The trick here is that the ecommerce portion is a bolt-on called VpASP and it can't use the same SQL table since there are conflicting table names. Not sure if that in and of itself is a major issue, but when I manually did the session variable it seemed to work. Or so it seemed... ;0

                I tend to agree that this is not the best way to do verification, and I told the client this is better left to those who really have a better understanding of this sort of thing, but I have not heard back from them for a few weeks now and I need to see what they want to do.

                I will try and post some code tonight for you. I'm at work and was surprised when I checked my email that you all responded since I posted this last month ;)
                Thanks again!!! Will follow up with code .
                 
                #8
                  TNO

                  • Total Posts : 2094
                  • Scores: 36
                  • Reward points : 0
                  • Joined: 12/18/2004
                  • Location: Earth
                  • Status: offline
                  RE: sessions & recordsets Tuesday, November 11, 2008 2:49 AM (permalink)
                  0
                  Nothing is foolproof; these are REST-based applications. You could try shortening the lifespan of the session. Generally speaking though, if a user's network address or User-Agent headers vary from request to request, that user should lose access to their session state.

                  XSS attacks are another issue altogether and are the fault of your web page design (using 3rd party content, not using parameterized queries on your SQL input and not cleaning out HTML content in forms).
                  To iterate is human, to recurse divine. -- L. Peter Deutsch
                   
                  #9
                    TNO

                    • Total Posts : 2094
                    • Scores: 36
                    • Reward points : 0
                    • Joined: 12/18/2004
                    • Location: Earth
                    • Status: offline
                    RE: sessions & recordsets Tuesday, November 11, 2008 2:51 AM (permalink)
                    0
                    You could also use a form of encryption on some client information you gain from the Request variables and store that in the client as well, but then there is the problem with a smart user baking his own cookies so to speak.
                    To iterate is human, to recurse divine. -- L. Peter Deutsch
                     
                    #10
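The "smart user baking his own cookies" problem in the reply above has a standard answer: whatever the server writes into the cookie, it also writes a keyed hash (HMAC) over that value plus something the visitor cannot pick, here the server-side ASP session ID, which also covers the sessionID + user id combination suggested earlier in the thread. The classic ASP snippet below is an added example, not code from the thread and not part of VpASP. It assumes IIS with the .NET Framework installed, so that the HMACSHA256 and UTF8Encoding classes can be created through COM (GetBytes_4 and ComputeHash_2 are the names under which COM exposes those overloads); SESSION_SECRET, MAX_COOKIE_AGE_SECONDS, HmacSha256Hex, SameString, UnixNow, IssueLoginCookie and VerifiedUserID are names chosen for this example.

```vbscript
<%
' Added example for this thread (not VpASP code and not the poster's):
' a login cookie the browser can read but cannot forge or transplant.
' Value layout: userID|issuedAt|tag, where tag = HMAC-SHA256 over
' "userID|issuedAt|<ASP session ID>" under a secret that only the server
' knows. The .NET classes are reached through COM interop (assumes IIS with
' the .NET Framework installed).
Const SESSION_SECRET = "replace-with-a-long-random-value-not-kept-in-source"
Const MAX_COOKIE_AGE_SECONDS = 28800   ' 8 hours; an assumed policy value

Function HmacSha256Hex(secret, data)
    Dim utf8, hmac, hash, i, s
    Set utf8 = Server.CreateObject("System.Text.UTF8Encoding")
    Set hmac = Server.CreateObject("System.Security.Cryptography.HMACSHA256")
    hmac.Key = utf8.GetBytes_4(secret)
    hash = hmac.ComputeHash_2(utf8.GetBytes_4(data))
    s = ""
    For i = 1 To LenB(hash)
        s = s & Right("0" & Hex(AscB(MidB(hash, i, 1))), 2)
    Next
    HmacSha256Hex = LCase(s)
End Function

' Compares every character whatever the position of the first mismatch,
' so the time taken does not reveal how much of a guessed tag was right.
Function SameString(a, b)
    Dim i, diff
    SameString = False
    If Len(a) <> Len(b) Then Exit Function
    diff = 0
    For i = 1 To Len(a)
        diff = diff Or (Asc(Mid(a, i, 1)) Xor Asc(Mid(b, i, 1)))
    Next
    SameString = (diff = 0)
End Function

Function UnixNow()
    UnixNow = DateDiff("s", DateSerial(1970, 1, 1), Now())
End Function

' Call once, in the login page, after the SQL lookup has confirmed the password.
Sub IssueLoginCookie(userID)
    Dim payload
    payload = CStr(userID) & "|" & CStr(UnixNow())
    Response.Cookies("Login") = payload & "|" & _
        HmacSha256Hex(SESSION_SECRET, payload & "|" & CStr(Session.SessionID))
    Response.Cookies("Login").Expires = Date() + 1
End Sub

' Returns the user ID when the cookie is intact, bound to this ASP session
' and not too old; otherwise "" and the caller redirects to the login page.
Function VerifiedUserID()
    Dim parts, expected, age
    VerifiedUserID = ""
    parts = Split("" & Request.Cookies("Login"), "|")
    If UBound(parts) <> 2 Then Exit Function
    If Not IsNumeric(parts(0)) Or Not IsNumeric(parts(1)) Then Exit Function
    expected = HmacSha256Hex(SESSION_SECRET, parts(0) & "|" & parts(1) & "|" & CStr(Session.SessionID))
    If Not SameString(expected, LCase(parts(2))) Then Exit Function
    age = UnixNow() - CLng(parts(1))
    If age < 0 Or age > MAX_COOKIE_AGE_SECONDS Then Exit Function
    VerifiedUserID = parts(0)
End Function
%>
```

IssueLoginCookie is called once in the login page after the credentials check (for the posted code that would be IssueLoginCookie rs("UserID") in place of the plain UserID cookie), and every protected page calls VerifiedUserID and redirects when it returns "". Because Session.SessionID is part of the signed data, a cookie copied into another browser (which gets its own ASPSESSIONID) fails the check without any address comparison; REMOTE_ADDR or HTTP_USER_AGENT can be appended to the signed string, as suggested above, at the cost of logging out users whose address changes mid-session. The cookie is signed, not encrypted: the user ID stays readable, it just cannot be changed or reused.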
                      netjlee

                      • Total Posts : 7
                      • Scores: 0
                      • Reward points : 0
                      • Joined: 10/13/2008
                      • Status: offline
                      RE: sessions & recordsets Tuesday, November 11, 2008 2:17 PM (permalink)
                      0

                      The code as promised (not sure exactly which part you want, but here is some of it). This is the initial login to the site. Note that the userID is the login name; this is not the bolt-on VPASP ecommerce portion.

                      <!--#include virtual="/inc/conn.asp" -->
                      <%
                      ' *******************************************
                      ' The conn.asp file simply makes the call to the database
                      ' *******************************************
                      '     **********************************************
                      '     *  This version of the login page uses UserID instead of email for authentication
                      '     *  Date: 9/21/2004
                      '     **********************************************
                      Dim ReferringPage
                      ' Case-insensitive match: the redirects below send users to "LoginError.asp",
                      ' which a case-sensitive instr for "loginError.asp" would never find.
                      if instr(1, request.ServerVariables("HTTP_REFERER"), "LoginError.asp", vbTextCompare) <> 0 then
                          ReferringPage = "http://xxxxxxxxxxxxxxxOmitted.com"
                      else 'if instr(request.ServerVariables("HTTP_REFERER"), "LoginError.asp") <> 0 then
                          if session("Page") <> "" then
                              ReferringPage = session("Page")
                              session("Page") = ""
                          else 'if session("Page") <> "" then
                              if request.ServerVariables("HTTP_REFERER") <> "" then
                                  ReferringPage = request.ServerVariables("HTTP_REFERER")
                              else 'if request.ServerVariables("HTTP_REFERER") <> "" then
                                  ReferringPage = "http://xxxxxxxxxxxxxxxOmitted.com/index.asp"
                              end if 'if request.ServerVariables("HTTP_REFERER") <> "" then
                          end if 'if session("Page") <> "" then
                      end if 'if instr(request.ServerVariables("HTTP_REFERER"), "LoginError.asp") <> 0 then

                      if request("login") <> "" then
                          if IsNumeric(request("UserID")) = False OR len(request("UserID")) > 9 then
                              Call NonNumericLogin()
                              response.Redirect("LoginError.asp?Erro=1")
                          End if 'if IsNumeric(request("UserID")) = False then

                          '     **********************************************
                          '     *  Check to see whether record exists in the database
                          '     **********************************************
                          set rs = server.createobject("adodb.recordset")
                          rs.CursorLocation = 2   ' adUseServer
                          rs.CursorType = 0       ' adOpenForwardOnly
                          rs.LockType = 1         ' adLockReadOnly
                          ' fixSQL is not shown in the post (presumably in an include). Whatever
                          ' escaping it does, both values are still spliced into the SQL text
                          ' rather than passed as parameters.
                          rs.open "SELECT UserID,EmailLogin,Password,UserStatusID,AdminToolsAccess,FirstName,LastName,RenewalType,RenewalAnniversary,BoardMember FROM vw_Security WHERE UserID='" & fixSQL(request("UserID")) & "' AND Password='" & fixSQL(request("Password")) & "'", conn
                          DIM UserStatus, Erro, AdminToolsAccessAccess
                          if not rs.eof then
                              '     **********************************************
                              '     *  Check to see if user is active
                              '     **********************************************
                              UserStatus = rs("UserStatusID")
                              if UserStatus = 2 then
                                  Call ValidLogin_Expired()
                                  response.Cookies("UserID") = request("UserID")
                                  response.Cookies("Login") = "expired"
                                  response.Cookies("Login").Expires = Date() + 1
                                  response.Redirect("../xxxxxxxxxxxxxxxOmitted.com/overview.asp")
                              end if

                              if UserStatus = 1 OR UserStatus=5 then
                                  'if rs("RenewalType") = "Standard" then
                                  '     **********************************************
                                  '     *  See if user's renewal date is current
                                  '     **********************************************
                                  if int(DateDiff("d", FormatDateTime(Now(),vbShortDate), FormatDateTime(rs("RenewalAnniversary"),vbShortDate))) < int(0) then
                                      response.Cookies("UserID") = rs("UserID")
                                      tempID = rs("UserID")
                                      response.Cookies("Renewal") = FormatDateTime(rs("RenewalAnniversary"),vbShortDate)
                                      Call ValidLogin_Expired()
                                      response.Redirect("LoginError.asp?Erro=3&UserID=" & tempID)
                                  else ' renewal still current (this else was commented out in the post, which left the 45-day check unreachable after the Redirect above)
                                      '     **********************************************
                                      '     *  See if user's renewal date is less than 45 days away
                                      '     **********************************************
                                      if DateDiff("d", FormatDateTime(Now(),vbShortDate), FormatDateTime(rs("RenewalAnniversary"),vbShortDate)) < 45 then
                                          response.Cookies("UserRenew") = "Yes"
                                      else 'if DateDiff(...) < 45 then
                                          response.Cookies("UserRenew") = ""
                                      end if 'if DateDiff(...) < 45 then
                                  end if 'if renewal date is current
                                  'end if 'if rs("RenewalType") = "Standard" then

                                  ' These cookies are written by the server but stored and sent back by
                                  ' the browser, so the flags in them (AdminToolsAccess, BoardMember,
                                  ' UserStatus) can be edited by the user. Anything the cart pages must
                                  ' be able to trust belongs in the server-side Session object instead.
                                  response.Cookies("Login") = 1
                                  response.Cookies("Login").Expires = Date() + 1
                                  response.Cookies("UserID") = rs("UserID")
                                  response.Cookies("UserID").Expires = Date() + 1
                                  response.Cookies("AdminToolsAccess") = rs("AdminToolsAccess")
                                  response.Cookies("AdminToolsAccess").Expires = Date() + 1
                                  response.Cookies("BoardMember") = rs("BoardMember")
                                  response.Cookies("BoardMember").Expires = Date() + 1
                                  response.Cookies("FullName") = rs("FirstName") & "&nbsp;" & rs("LastName")
                                  response.Cookies("FullName").Expires = Date() + 1
                                  response.Cookies("UserStatus") = UserStatus
                                  response.Cookies("UserStatus").Expires = Date() + 1
                                  if rs("RenewalType") = "Standard" then
                                      response.Cookies("Renewal") = rs("RenewalAnniversary")
                                      response.Cookies("Renewal").Expires = Date() + 1
                                  end if

                                  ' ... the poster's remaining validation code continues here (omitted, see the note below) ...
                              end if 'if UserStatus = 1 OR UserStatus=5 then (closing blocks added to balance the excerpt; the omitted code goes above them)
                          end if 'if not rs.eof then
                      end if 'if request("login") <> "" then
                      %>

                      Validation code below this is omitted since it's not the subject for discussion. If you want it posted, however, let me know.

                      Hope this helps and thank you for reviewing!


                       
                      #11
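To make the session values dynamic, as the first post asks, the login page copies the columns of the recordset into Session right after the credentials check, and the cart pages read them from there. The page below is an added example rather than the poster's code or part of VpASP: it keeps the posted UserID rule, the vw_Security view and its column names, and the LoginError.asp?Erro=1 redirect, assumes conn.asp leaves an open ADODB.Connection named conn, and replaces the fixSQL string concatenation with an ADODB.Command whose parameters carry the user input. The parameter sizes, the error codes other than 1, login.asp and the RequireLogin helper are assumptions made for this example.

```vbscript
<!--#include virtual="/inc/conn.asp" -->
<%
' Added example for this thread (not the poster's page and not VpASP code).
' Assumes conn.asp supplies an open ADODB.Connection named conn and that
' vw_Security has the columns named in the posted query.
Option Explicit

Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim cmd, rs, userID, status

' Same input rule as the posted code: a numeric ID of at most nine digits.
' Request.Form reads only the POSTed field, not the query string.
userID = Request.Form("UserID")
If Len(userID) = 0 Or Len(userID) > 9 Or Not IsNumeric(userID) Then
    Response.Redirect "LoginError.asp?Erro=1"
End If

' The user's input travels as parameters, never as part of the SQL text,
' so quoting tricks in UserID or Password cannot change the query.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT UserID, FirstName, LastName, UserStatusID, " & _
                  "AdminToolsAccess, BoardMember " & _
                  "FROM vw_Security WHERE UserID = ? AND Password = ?"
' Parameter sizes are assumptions; match them to the view's column widths.
cmd.Parameters.Append cmd.CreateParameter("UserID", adVarChar, adParamInput, 9, userID)
cmd.Parameters.Append cmd.CreateParameter("Password", adVarChar, adParamInput, 100, Request.Form("Password"))
Set rs = cmd.Execute

If rs.EOF Then
    rs.Close
    Response.Redirect "LoginError.asp?Erro=LOGIN_FAILED_CODE"   ' placeholder error code
End If

' Only statuses 1 and 5 may proceed, as in the posted code.
status = CLng(rs("UserStatusID"))
If status <> 1 And status <> 5 Then
    rs.Close
    Response.Redirect "LoginError.asp?Erro=NOT_ACTIVE_CODE"     ' placeholder error code
End If

' The dynamic version of the hand-written Session(...) lines in the first
' post: the values come from the recordset, and the browser holds only the
' ASPSESSIONID cookie, not the name or the admin/board flags.
Session("userID")           = CStr(rs("UserID"))
Session("firstname")        = rs("FirstName") & ""        ' & "" turns a Null field into ""
Session("lastname")         = rs("LastName") & ""
Session("UserStatus")       = status
Session("AdminToolsAccess") = rs("AdminToolsAccess") & ""
Session("BoardMember")      = rs("BoardMember") & ""
Session("LoggedInAt")       = Now()
rs.Close

Response.Redirect "index.asp"

' For a shared include: each page of the member site and of the cart calls
' this first, so a visitor with no server-side identity is sent to log in
' and brought back afterwards (Session("Page") is what the posted login
' page already uses for the return address).
Sub RequireLogin()
    If Session("userID") = "" Then
        Session("Page") = Request.ServerVariables("URL")
        Response.Redirect "login.asp"
    End If
End Sub
%>
```

One thing to check before changing any code: classic ASP Session state is scoped to the IIS application. If the VpASP directory is configured as its own application in IIS, it gets a separate Session object and will never see values set by the member site's login page, however they are stored; both parts must live in the same IIS application (or the cart has to be handed the identity some other way, such as a signed cookie). The query above still matches Password exactly as the view stores it, just as the posted query does.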
                        netjlee

                        • Total Posts : 7
                        • Scores: 0
                        • Reward points : 0
                        • Joined: 10/13/2008
                        • Status: offline
                        RE: sessions & recordsets Tuesday, November 11, 2008 2:20 PM (permalink)
                        0

                        Do you all have some examples or links of really good (hopefully simple) SQL based login scripts you like to use? That could be helpful as well.

                        Thanks!

                         
                        #12
                          TNO

                          • Total Posts : 2094
                          • Scores: 36
                          • Reward points : 0
                          • Joined: 12/18/2004
                          • Location: Earth
                          • Status: offline
                          RE: sessions & recordsets Wednesday, November 12, 2008 1:53 AM (permalink)
                          0
                          You could browse through the 4guysfromrolla website for some decent articles. 
                          To iterate is human, to recurse divine. -- L. Peter Deutsch
                           
                          #13
                            netjlee

                            • Total Posts : 7
                            • Scores: 0
                            • Reward points : 0
                            • Joined: 10/13/2008
                            • Status: offline
                            RE: sessions & recordsets Wednesday, November 12, 2008 2:35 AM (permalink)
                            0

                            Yes, great site, I have used them in the past, Thanks for the reminder! ;)
                             
                            #14

                              2000-2012 ASPPlayground.NET Forum Version 3.9