IE6 problems

[Graham Campbell]

I have a login script to a website where a user logs in through a
standard webform with a username and password that needs to be
validated. My problem is that IE6 doesn't seem to pick up on valid
username/password combinations and instead of forwarding the user to the
next page dumps them back at the login page.

My verification script is below:

<%
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1

user = trim(Request.form("username"))
password = trim(Request.form("password"))

if user = "" or password = "" then
Response.Write "please enter username and password"
else
ConnString = "Provider=Microsoft.Jet.OLEDB.4.0; Mode=ReadWrite;
Persist Security Info=True; Data Source=" &

Server.MapPath("member.mdb")

set my_conn= Server.CreateObject("ADODB.Connection")
set rs = server.CreateObject("ADODB.RecordSet")
my_conn.Open ConnString

rs.open "Select * from member where Name ='" & user & "' and
Password='" & password & "'", my_conn
if rs.eof then
Response.Write("Invalid Username/Password")'redirect invalid_page
'invalid password and redirect to login page
else
session("login") = "yes"
session("name") = rs("name")
'session("...") = rs("...")
' add session ..if you want to keep profile of your user.

Response.redirect valid_login

end if

rs.Close
my_conn.close
set my_conn = nothing
end if
%>

This all works fine in other browsers such as Firebird and Opera, even
earlier versions of IE work fine but I can't figure out whats wrong. I
would be most greatful for any assistance.

I'm rather new to ASP, so if my problem is glaringly obvious please
don't beat down on me too hard ;)

Regards
Graham

--
"This is my country, the land that begat me. These windy spaces, are
surely my own."
- Alexander Gray

[Curt_C [MVP]]

where is "valid_login" defined?

--
----------------------------------------------------------
Curt Christianson (Software_AT_Darkfalz.Com)
Owner/Lead Designer, DF-Software
[url]http://www.Darkfalz.com[/url]
---------------------------------------------------------
...Offering free scripts & code snippits for everyone...
---------------------------------------------------------


"Graham Campbell" <gjcampbe@cis.strath.ac.uk> wrote in message
news:3F5B7C1B.9040301@cis.strath.ac.uk...

> I have a login script to a website where a user logs in through a
> standard webform with a username and password that needs to be
> validated. My problem is that IE6 doesn't seem to pick up on valid
> username/password combinations and instead of forwarding the user to the
> next page dumps them back at the login page.
>
> My verification script is below:
>
> <%
> Response.CacheControl = "no-cache"
> Response.AddHeader "Pragma", "no-cache"
> Response.Expires = -1
>
> user = trim(Request.form("username"))
> password = trim(Request.form("password"))
>
> if user = "" or password = "" then
> Response.Write "please enter username and password"
> else
> ConnString = "Provider=Microsoft.Jet.OLEDB.4.0; Mode=ReadWrite;
> Persist Security Info=True; Data Source=" &
>
> Server.MapPath("member.mdb")
>
> set my_conn= Server.CreateObject("ADODB.Connection")
> set rs = server.CreateObject("ADODB.RecordSet")
> my_conn.Open ConnString
>
> rs.open "Select * from member where Name ='" & user & "' and
> Password='" & password & "'", my_conn
> if rs.eof then
> Response.Write("Invalid Username/Password")'redirect invalid_page
> 'invalid password and redirect to login page
> else
> session("login") = "yes"
> session("name") = rs("name")
> 'session("...") = rs("...")
> ' add session ..if you want to keep profile of your user.
>
> Response.redirect valid_login
>
> end if
>
> rs.Close
> my_conn.close
> set my_conn = nothing
> end if
> %>
>
> This all works fine in other browsers such as Firebird and Opera, even
> earlier versions of IE work fine but I can't figure out whats wrong. I
> would be most greatful for any assistance.
>
> I'm rather new to ASP, so if my problem is glaringly obvious please
> don't beat down on me too hard ;)
>
> Regards
> Graham
>
> --
> "This is my country, the land that begat me. These windy spaces, are
> surely my own."
> - Alexander Gray
>

[Karim Dahdah]

Ouch,
I had found this one too some time ago. And the strange is that on my IE6
everything works fine,
but at a visitor's IE6 (with the same build) he couldn't log in.

Sessions are cookies. So, see in your cookies folder if they are made by the
browser. If it does, then
I don't know (sorry). If they aren't made, then have a look at the security
settings of IE6.
Another thing you can read about is P3P.

Good luck!

Karim





"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:%23ugl5oYdDHA.4020@tk2msftngp13.phx.gbl...

> where is "valid_login" defined?
>
> --
> ----------------------------------------------------------
> Curt Christianson (Software_AT_Darkfalz.Com)
> Owner/Lead Designer, DF-Software
> [url]http://www.Darkfalz.com[/url]
> ---------------------------------------------------------
> ..Offering free scripts & code snippits for everyone...
> ---------------------------------------------------------
>
>
> "Graham Campbell" <gjcampbe@cis.strath.ac.uk> wrote in message
> news:3F5B7C1B.9040301@cis.strath.ac.uk...

> > I have a login script to a website where a user logs in through a
> > standard webform with a username and password that needs to be
> > validated. My problem is that IE6 doesn't seem to pick up on valid
> > username/password combinations and instead of forwarding the user to the
> > next page dumps them back at the login page.
> >
> > My verification script is below:
> >
> > <%
> > Response.CacheControl = "no-cache"
> > Response.AddHeader "Pragma", "no-cache"
> > Response.Expires = -1
> >
> > user = trim(Request.form("username"))
> > password = trim(Request.form("password"))
> >
> > if user = "" or password = "" then
> > Response.Write "please enter username and password"
> > else
> > ConnString = "Provider=Microsoft.Jet.OLEDB.4.0; Mode=ReadWrite;
> > Persist Security Info=True; Data Source=" &
> >
> > Server.MapPath("member.mdb")
> >
> > set my_conn= Server.CreateObject("ADODB.Connection")
> > set rs = server.CreateObject("ADODB.RecordSet")
> > my_conn.Open ConnString
> >
> > rs.open "Select * from member where Name ='" & user & "' and
> > Password='" & password & "'", my_conn
> > if rs.eof then
> > Response.Write("Invalid Username/Password")'redirect invalid_page
> > 'invalid password and redirect to login page
> > else
> > session("login") = "yes"
> > session("name") = rs("name")
> > 'session("...") = rs("...")
> > ' add session ..if you want to keep profile of your user.
> >
> > Response.redirect valid_login
> >
> > end if
> >
> > rs.Close
> > my_conn.close
> > set my_conn = nothing
> > end if
> > %>
> >
> > This all works fine in other browsers such as Firebird and Opera, even
> > earlier versions of IE work fine but I can't figure out whats wrong. I
> > would be most greatful for any assistance.
> >
> > I'm rather new to ASP, so if my problem is glaringly obvious please
> > don't beat down on me too hard ;)
> >
> > Regards
> > Graham
> >
> > --
> > "This is my country, the land that begat me. These windy spaces, are
> > surely my own."
> > - Alexander Gray
> >

>
>

[Graham Campbell]

it's defined in an include file that i negelected to show in my original
post :(

i'm fairly certain that's not what's causing the problem here but any
suggestions would be most welcome :D

Graham

Curt_C [MVP] wrote:

> where is "valid_login" defined?
>

--
"This is my country, the land that begat me. These windy spaces, are
surely my own."
- Alexander Gray

[TomB]

Are you using your Session to determine if someone is logged in or not?


Also, try putting your Select statement into a variable, and displaying
it.....

Dim sSQL
sSQL="Select * From Memeber Where Name='" & user & "'" AND Password='" &
password & "'"

Response.write sSQL
Response.flush


What would happen if a user put in

' or 'x' = 'x

for the username and the password?

You'd have a statement like.....
rs.open "Select * from member where Name='' or 'x'='x' and Password='' or
'x'='x'", my_conn



"Graham Campbell" <gjcampbe@cis.strath.ac.uk> wrote in message
news:3F5B7C1B.9040301@cis.strath.ac.uk...

> I have a login script to a website where a user logs in through a
> standard webform with a username and password that needs to be
> validated. My problem is that IE6 doesn't seem to pick up on valid
> username/password combinations and instead of forwarding the user to the
> next page dumps them back at the login page.
>
> My verification script is below:
>
> <%
> Response.CacheControl = "no-cache"
> Response.AddHeader "Pragma", "no-cache"
> Response.Expires = -1
>
> user = trim(Request.form("username"))
> password = trim(Request.form("password"))
>
> if user = "" or password = "" then
> Response.Write "please enter username and password"
> else
> ConnString = "Provider=Microsoft.Jet.OLEDB.4.0; Mode=ReadWrite;
> Persist Security Info=True; Data Source=" &
>
> Server.MapPath("member.mdb")
>
> set my_conn= Server.CreateObject("ADODB.Connection")
> set rs = server.CreateObject("ADODB.RecordSet")
> my_conn.Open ConnString
>
> rs.open "Select * from member where Name ='" & user & "' and
> Password='" & password & "'", my_conn
> if rs.eof then
> Response.Write("Invalid Username/Password")'redirect invalid_page
> 'invalid password and redirect to login page
> else
> session("login") = "yes"
> session("name") = rs("name")
> 'session("...") = rs("...")
> ' add session ..if you want to keep profile of your user.
>
> Response.redirect valid_login
>
> end if
>
> rs.Close
> my_conn.close
> set my_conn = nothing
> end if
> %>
>
> This all works fine in other browsers such as Firebird and Opera, even
> earlier versions of IE work fine but I can't figure out whats wrong. I
> would be most greatful for any assistance.
>
> I'm rather new to ASP, so if my problem is glaringly obvious please
> don't beat down on me too hard ;)
>
> Regards
> Graham
>
> --
> "This is my country, the land that begat me. These windy spaces, are
> surely my own."
> - Alexander Gray
>

[TomB]

I assume you mean the 'x thing.
There's a good website about that (SQL Injection attack) but I can't
remember where it was right now.

Anyway, did you get your script working?

"Graham Campbell" <gjcampbe@cis.strath.ac.uk> wrote in message
news:3F5CDE28.2020802@cis.strath.ac.uk...

> wow thanks. never even considered that!
>
> :D
>
> Graham
>
> TomB wrote:

> > Are you using your Session to determine if someone is logged in or not?
> >
> >
> > Also, try putting your Select statement into a variable, and displaying
> > it.....
> >
> > Dim sSQL
> > sSQL="Select * From Memeber Where Name='" & user & "'" AND Password='" &
> > password & "'"
> >
> > Response.write sSQL
> > Response.flush
> >
> >
> > What would happen if a user put in
> >
> > ' or 'x' = 'x
> >
> > for the username and the password?
> >
> > You'd have a statement like.....
> > rs.open "Select * from member where Name='' or 'x'='x' and Password=''

or

> > 'x'='x'", my_conn
> >
> >
> >
> > "Graham Campbell" <gjcampbe@cis.strath.ac.uk> wrote in message
> > news:3F5B7C1B.9040301@cis.strath.ac.uk...
> >

> >>I have a login script to a website where a user logs in through a
> >>standard webform with a username and password that needs to be
> >>validated. My problem is that IE6 doesn't seem to pick up on valid
> >>username/password combinations and instead of forwarding the user to the
> >>next page dumps them back at the login page.
> >>
> >>My verification script is below:
> >>
> >><%
> >>Response.CacheControl = "no-cache"
> >>Response.AddHeader "Pragma", "no-cache"
> >>Response.Expires = -1
> >>
> >>user = trim(Request.form("username"))
> >>password = trim(Request.form("password"))
> >>
> >>if user = "" or password = "" then
> >> Response.Write "please enter username and password"
> >>else
> >> ConnString = "Provider=Microsoft.Jet.OLEDB.4.0; Mode=ReadWrite;
> >>Persist Security Info=True; Data Source=" &
> >>
> >>Server.MapPath("member.mdb")
> >>
> >> set my_conn= Server.CreateObject("ADODB.Connection")
> >> set rs = server.CreateObject("ADODB.RecordSet")
> >> my_conn.Open ConnString
> >>
> >> rs.open "Select * from member where Name ='" & user & "' and
> >>Password='" & password & "'", my_conn
> >> if rs.eof then
> >> Response.Write("Invalid Username/Password")'redirect invalid_page
> >> 'invalid password and redirect to login page
> >> else
> >> session("login") = "yes"
> >> session("name") = rs("name")
> >> 'session("...") = rs("...")
> >> ' add session ..if you want to keep profile of your user.
> >>
> >> Response.redirect valid_login
> >>
> >> end if
> >>
> >> rs.Close
> >> my_conn.close
> >> set my_conn = nothing
> >>end if
> >>%>
> >>
> >>This all works fine in other browsers such as Firebird and Opera, even
> >>earlier versions of IE work fine but I can't figure out whats wrong. I
> >>would be most greatful for any assistance.
> >>
> >>I'm rather new to ASP, so if my problem is glaringly obvious please
> >>don't beat down on me too hard ;)
> >>
> >>Regards
> >>Graham
> >>
> >>--
> >>"This is my country, the land that begat me. These windy spaces, are
> >>surely my own."
> >>- Alexander Gray
> >>

> >
> >
> >

>
>
> --
> "This is my country, the land that begat me. These windy spaces, are
> surely my own."
> - Alexander Gray
>

[Graham Campbell]

wow thanks. never even considered that!

:D

Graham

TomB wrote:

> Are you using your Session to determine if someone is logged in or not?
>
>
> Also, try putting your Select statement into a variable, and displaying
> it.....
>
> Dim sSQL
> sSQL="Select * From Memeber Where Name='" & user & "'" AND Password='" &
> password & "'"
>
> Response.write sSQL
> Response.flush
>
>
> What would happen if a user put in
>
> ' or 'x' = 'x
>
> for the username and the password?
>
> You'd have a statement like.....
> rs.open "Select * from member where Name='' or 'x'='x' and Password='' or
> 'x'='x'", my_conn
>
>
>
> "Graham Campbell" <gjcampbe@cis.strath.ac.uk> wrote in message
> news:3F5B7C1B.9040301@cis.strath.ac.uk...
>

>>I have a login script to a website where a user logs in through a
>>standard webform with a username and password that needs to be
>>validated. My problem is that IE6 doesn't seem to pick up on valid
>>username/password combinations and instead of forwarding the user to the
>>next page dumps them back at the login page.
>>
>>My verification script is below:
>>
>><%
>>Response.CacheControl = "no-cache"
>>Response.AddHeader "Pragma", "no-cache"
>>Response.Expires = -1
>>
>>user = trim(Request.form("username"))
>>password = trim(Request.form("password"))
>>
>>if user = "" or password = "" then
>> Response.Write "please enter username and password"
>>else
>> ConnString = "Provider=Microsoft.Jet.OLEDB.4.0; Mode=ReadWrite;
>>Persist Security Info=True; Data Source=" &
>>
>>Server.MapPath("member.mdb")
>>
>> set my_conn= Server.CreateObject("ADODB.Connection")
>> set rs = server.CreateObject("ADODB.RecordSet")
>> my_conn.Open ConnString
>>
>> rs.open "Select * from member where Name ='" & user & "' and
>>Password='" & password & "'", my_conn
>> if rs.eof then
>> Response.Write("Invalid Username/Password")'redirect invalid_page
>> 'invalid password and redirect to login page
>> else
>> session("login") = "yes"
>> session("name") = rs("name")
>> 'session("...") = rs("...")
>> ' add session ..if you want to keep profile of your user.
>>
>> Response.redirect valid_login
>>
>> end if
>>
>> rs.Close
>> my_conn.close
>> set my_conn = nothing
>>end if
>>%>
>>
>>This all works fine in other browsers such as Firebird and Opera, even
>>earlier versions of IE work fine but I can't figure out whats wrong. I
>>would be most greatful for any assistance.
>>
>>I'm rather new to ASP, so if my problem is glaringly obvious please
>>don't beat down on me too hard ;)
>>
>>Regards
>>Graham
>>
>>--
>>"This is my country, the land that begat me. These windy spaces, are
>>surely my own."
>>- Alexander Gray
>>

>
>
>

--
"This is my country, the land that begat me. These windy spaces, are
surely my own."
- Alexander Gray

[Graham Campbell]

Karim, you da man. Didn't even think to check the security settings.
Should have known better!

Thanks man!

Graham

Karim Dahdah wrote:

> Ouch,
> I had found this one too some time ago. And the strange is that on my IE6
> everything works fine,
> but at a visitor's IE6 (with the same build) he couldn't log in.
>
> Sessions are cookies. So, see in your cookies folder if they are made by the
> browser. If it does, then
> I don't know (sorry). If they aren't made, then have a look at the security
> settings of IE6.
> Another thing you can read about is P3P.
>
> Good luck!
>
> Karim
>
>
>
>
>
> "Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
> news:%23ugl5oYdDHA.4020@tk2msftngp13.phx.gbl...
>

>>where is "valid_login" defined?
>>
>>--
>>----------------------------------------------------------
>>Curt Christianson (Software_AT_Darkfalz.Com)
>>Owner/Lead Designer, DF-Software
>>[url]http://www.Darkfalz.com[/url]
>>---------------------------------------------------------
>>..Offering free scripts & code snippits for everyone...
>>---------------------------------------------------------
>>
>>
>>"Graham Campbell" <gjcampbe@cis.strath.ac.uk> wrote in message
>>news:3F5B7C1B.9040301@cis.strath.ac.uk...
>>

>>>I have a login script to a website where a user logs in through a
>>>standard webform with a username and password that needs to be
>>>validated. My problem is that IE6 doesn't seem to pick up on valid
>>>username/password combinations and instead of forwarding the user to the
>>>next page dumps them back at the login page.
>>>
>>>My verification script is below:
>>>
>>><%
>>>Response.CacheControl = "no-cache"
>>>Response.AddHeader "Pragma", "no-cache"
>>>Response.Expires = -1
>>>
>>>user = trim(Request.form("username"))
>>>password = trim(Request.form("password"))
>>>
>>>if user = "" or password = "" then
>>> Response.Write "please enter username and password"
>>>else
>>> ConnString = "Provider=Microsoft.Jet.OLEDB.4.0; Mode=ReadWrite;
>>>Persist Security Info=True; Data Source=" &
>>>
>>>Server.MapPath("member.mdb")
>>>
>>> set my_conn= Server.CreateObject("ADODB.Connection")
>>> set rs = server.CreateObject("ADODB.RecordSet")
>>> my_conn.Open ConnString
>>>
>>> rs.open "Select * from member where Name ='" & user & "' and
>>>Password='" & password & "'", my_conn
>>> if rs.eof then
>>> Response.Write("Invalid Username/Password")'redirect invalid_page
>>> 'invalid password and redirect to login page
>>> else
>>> session("login") = "yes"
>>> session("name") = rs("name")
>>> 'session("...") = rs("...")
>>> ' add session ..if you want to keep profile of your user.
>>>
>>> Response.redirect valid_login
>>>
>>> end if
>>>
>>> rs.Close
>>> my_conn.close
>>> set my_conn = nothing
>>>end if
>>>%>
>>>
>>>This all works fine in other browsers such as Firebird and Opera, even
>>>earlier versions of IE work fine but I can't figure out whats wrong. I
>>>would be most greatful for any assistance.
>>>
>>>I'm rather new to ASP, so if my problem is glaringly obvious please
>>>don't beat down on me too hard ;)
>>>
>>>Regards
>>>Graham
>>>
>>>--
>>>"This is my country, the land that begat me. These windy spaces, are
>>>surely my own."
>>>- Alexander Gray
>>>

>>
>>

>
>

--
"This is my country, the land that begat me. These windy spaces, are
surely my own."
- Alexander Gray

[TomB]

Here it is......
[url]www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3[/url]

"Graham Campbell" <gjcampbe@cis.strath.ac.uk> wrote in message
news:3F5CDE28.2020802@cis.strath.ac.uk...

> wow thanks. never even considered that!
>
> :D
>
> Graham
>
> TomB wrote:

> > Are you using your Session to determine if someone is logged in or not?
> >
> >
> > Also, try putting your Select statement into a variable, and displaying
> > it.....
> >
> > Dim sSQL
> > sSQL="Select * From Memeber Where Name='" & user & "'" AND Password='" &
> > password & "'"
> >
> > Response.write sSQL
> > Response.flush
> >
> >
> > What would happen if a user put in
> >
> > ' or 'x' = 'x
> >
> > for the username and the password?
> >
> > You'd have a statement like.....
> > rs.open "Select * from member where Name='' or 'x'='x' and Password=''

or

> > 'x'='x'", my_conn
> >
> >
> >
> > "Graham Campbell" <gjcampbe@cis.strath.ac.uk> wrote in message
> > news:3F5B7C1B.9040301@cis.strath.ac.uk...
> >

> >>I have a login script to a website where a user logs in through a
> >>standard webform with a username and password that needs to be
> >>validated. My problem is that IE6 doesn't seem to pick up on valid
> >>username/password combinations and instead of forwarding the user to the
> >>next page dumps them back at the login page.
> >>
> >>My verification script is below:
> >>
> >><%
> >>Response.CacheControl = "no-cache"
> >>Response.AddHeader "Pragma", "no-cache"
> >>Response.Expires = -1
> >>
> >>user = trim(Request.form("username"))
> >>password = trim(Request.form("password"))
> >>
> >>if user = "" or password = "" then
> >> Response.Write "please enter username and password"
> >>else
> >> ConnString = "Provider=Microsoft.Jet.OLEDB.4.0; Mode=ReadWrite;
> >>Persist Security Info=True; Data Source=" &
> >>
> >>Server.MapPath("member.mdb")
> >>
> >> set my_conn= Server.CreateObject("ADODB.Connection")
> >> set rs = server.CreateObject("ADODB.RecordSet")
> >> my_conn.Open ConnString
> >>
> >> rs.open "Select * from member where Name ='" & user & "' and
> >>Password='" & password & "'", my_conn
> >> if rs.eof then
> >> Response.Write("Invalid Username/Password")'redirect invalid_page
> >> 'invalid password and redirect to login page
> >> else
> >> session("login") = "yes"
> >> session("name") = rs("name")
> >> 'session("...") = rs("...")
> >> ' add session ..if you want to keep profile of your user.
> >>
> >> Response.redirect valid_login
> >>
> >> end if
> >>
> >> rs.Close
> >> my_conn.close
> >> set my_conn = nothing
> >>end if
> >>%>
> >>
> >>This all works fine in other browsers such as Firebird and Opera, even
> >>earlier versions of IE work fine but I can't figure out whats wrong. I
> >>would be most greatful for any assistance.
> >>
> >>I'm rather new to ASP, so if my problem is glaringly obvious please
> >>don't beat down on me too hard ;)
> >>
> >>Regards
> >>Graham
> >>
> >>--
> >>"This is my country, the land that begat me. These windy spaces, are
> >>surely my own."
> >>- Alexander Gray
> >>

> >
> >
> >

>
>
> --
> "This is my country, the land that begat me. These windy spaces, are
> surely my own."
> - Alexander Gray
>

[Graham Campbell]

TomB wrote:

> I assume you mean the 'x thing.
> There's a good website about that (SQL Injection attack) but I can't
> remember where it was right now.
>
> Anyway, did you get your script working?

Yeah, I got that part working at least lol. Thanks for the great help.

I'm working on a few pieces here and there for this same organisation.
Next on the list is working out how to parse thru a HTML template file
so that I know where to put some user input text! :S

I'm aware of the power that Perl's regex can provide here but not sure I
want to go down the route. Any suggestions?

Graham


--
"This is my country, the land that begat me. These windy spaces, are
surely my own."
- Alexander Gray