Session Variable

The Mighty Dubs

Hi,

Im using Dreamweaver and Asp. I have a login page which works fine. The login calls a table called tblIELogin and looks up the username and password and then passes you through to the home page if they are correct. I want to be able to call over another field (entryid) as a session variable. how do i do this. see below the code from the login page.

**************

<%@LANGUAGE=&quot;VBSCRIPT" CODEPAGE="1252"%>
<!--#include file="../../Connections/123.asp" -->
<%

' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString <> "" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
MM_valUsername = CStr(Request.Form("Username"))
If MM_valUsername <> "" Then
Dim MM_fldUserAuthorization
Dim MM_redirectLoginSuccess
Dim MM_redirectLoginFailed
Dim MM_loginSQL
Dim MM_rsUser
Dim MM_rsUser_cmd

MM_fldUserAuthorization = "Companyid"
MM_redirectLoginSuccess = "home.asp"
MM_redirectLoginFailed = "loginbad.asp"

MM_loginSQL = "SELECT usrname, pword,entryid"
If MM_fldUserAuthorization <> "" Then MM_loginSQL = MM_loginSQL & "," & MM_fldUserAuthorization
MM_loginSQL = MM_loginSQL & " FROM dbo.tblIELogin WHERE usrname = ? AND pword = ?"
Set MM_rsUser_cmd = Server.CreateObject ("ADODB.Command")
MM_rsUser_cmd.ActiveConnection = MM_123_STRING
MM_rsUser_cmd.CommandText = MM_loginSQL
MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param1", 200, 1, 50, MM_valUsername) ' adVarChar
MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param2", 200, 1, 50, Request.Form("Password")) ' adVarChar
MM_rsUser_cmd.Prepared = true
Set MM_rsUser = MM_rsUser_cmd.Execute

If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
' username and password match - this is a valid user
Session("MM_Username") = MM_valUsername
If (MM_fldUserAuthorization <> "") Then
Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
Else
Session("MM_UserAuthorization") = ""
End If
if CStr(Request.QueryString("accessdenied")) <> "" And true Then
MM_redirectLoginSuccess = Request.QueryString("accessdenied")
End If
MM_rsUser.Close
Response.Redirect(MM_redirectLoginSuccess)
End If
MM_rsUser.Close
Response.Redirect(MM_redirectLoginFailed)
End If

%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"&gt;
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Please Logon now</title>

<LINK href="../../sitestyle.css" type=text/css rel=STYLESHEET>
</head>
<body bgcolor="#FFFFFF" text="#000000" topmargin="0">




<table width="500" border="1" align="center" bordercolor="#E14A6D">
<tr>
<td width="500"><table width="500" border="1" height="324" bordercolor="#E14A6D" align="center">
<tr>
<td height="259" align="center" valign="top" background="../../ie/images/bg.gif" bgcolor="#FFFFFF"><table width="100%">
<tr>
<td bgcolor="#FFFFFF"><div align="center"><img src="../../siteimgs/homehdr.jpg" width="800" height="189" alt=""></div></td>
</tr>
</table>
<table width="100%">
<tr>
<td height="132" align="center" valign="top" bgcolor="#E14A6D">
<form name="login" method="POST" action="<%=MM_LoginAction%>">
<table width="100%" border="0" cellpadding="2" cellspacing="2" bgcolor="#E14A6D">
<tr bgcolor="#E14A6D">
<td colspan="2"><div align="center"><span class="subhead"><font face="Verdana, Arial, Helvetica, sans-serif">Please Login</font></span><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b><font size="3"><br>
<br>
</font></b></font></div></td>
</tr>
<tr bgcolor="#E14A6D">
<td width="40%"><div align="right"><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Username:</font></div></td>
<td><div align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2">
<input name="Username" type="text" class="txtbox">
</font></div></td>
</tr>
<tr bgcolor="#E14A6D">
<td><div align="right"><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Password: </font> </div></td>
<td><p align="left">
<input name="Password" type="password" class="txtbox">
</p>
</td>
</tr>
<tr bgcolor="#E14A6D">
<td> <div align="right"><br>
<br>
<input name="Reset" type="reset" class="subhead" value="Reset">
</div></td>
<td> <div align="left"><br>
<br>
<input name="Submit" type="submit" class="subhead" value="Submit">
</div></td>
</tr>
</table>
<font face="Verdana, Arial, Helvetica, sans-serif" size="3"></font>
<p></p>
</form></td>
</tr>
</table>
</td>
</tr>
</table></td>
</tr>
</table>

Ginger

Session("EntryID") = MM_rsUser.Fields("entryId")

That should do it, as you are returning it in the Recordset

The Mighty Dubs

Sorry but you'll have to excuse my ignorance here. But where exactly should this variable be put in? Should it be somewhere in the code displayed below or the home page where the login redirects where correct?
This sort of thing im not very good at.

Eoin

The Mighty Dubs wrote: »

Sorry but you'll have to excuse my ignorance here. But where exactly should this variable be put in? Should it be somewhere in the code displayed below or the home page where the login redirects where correct?
This sort of thing im not very good at.

Imagine you wanted to just print the userID from the database to the page - where would you put that line of code?

The Mighty Dubs

I need to store this variable in the background and put it into a hidden form field in an insert statement...

Eoin

Yep, I know what you mean - I just mean that you need to find out at what stage you can access the value from the database. That's when you set the session variable. Using Response.Write to print out variables to the page is usually a good first step for this kind of thing.

I wouldn't use a hidden form field by the way, as it's incredibly easy to overwrite this value using very basic injection techniques. There's no need to use it if you're using session variables.

The Mighty Dubs

ah ok, the value should be set at log in.

Eoin

Yep, you set the value as soon as you get it, and then you can access it throughout the site.

Don't do this though:

[html]<input type="hidden" name="txtUserID" value="<%=Session("UserID")%>"/>[/html]

I did this on a web app years ago, and it was really easy to change the value of this form field to anything I wanted.

The Mighty Dubs

Cheers for the heads up on the hidden field thing, im always using them. must use something else instead.

I have tried to put the following into the logon statement
MM_rsUser.Fields("entryId") = Session("IELoginID")
but am getting back an error, (Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another. Line 26) see below to view where i have put it in.

**********

<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString <> "" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
MM_valUsername = CStr(Request.Form("Username"))
If MM_valUsername <> "" Then
Dim MM_fldUserAuthorization
Dim MM_redirectLoginSuccess
Dim MM_redirectLoginFailed
Dim MM_loginSQL
Dim MM_rsUser
Dim MM_rsUser_cmd

MM_fldUserAuthorization = "Companyid"
MM_redirectLoginSuccess = "home.asp"
MM_redirectLoginFailed = "loginbad.asp"

MM_loginSQL = "SELECT usrname, pword,entryid"
If MM_fldUserAuthorization <> "" Then MM_loginSQL = MM_loginSQL & "," & MM_fldUserAuthorization
MM_loginSQL = MM_loginSQL & " FROM dbo.tblIELogin WHERE usrname = ? AND pword = ?"
Set MM_rsUser_cmd = Server.CreateObject ("ADODB.Command")
MM_rsUser_cmd.ActiveConnection = MM_123_STRING
MM_rsUser_cmd.CommandText = MM_loginSQL
MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param1", 200, 1, 50, MM_valUsername) ' adVarChar
MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param2", 200, 1, 50, Request.Form("Password")) ' adVarChar
MM_rsUser_cmd.Prepared = true
MM_rsUser.Fields("entryId") = Session("IELoginID")
Set MM_rsUser = MM_rsUser_cmd.Execute

If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
' username and password match - this is a valid user
Session("MM_Username") = MM_valUsername
If (MM_fldUserAuthorization <> "") Then
Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
Else
Session("MM_UserAuthorization") = ""
End If
if CStr(Request.QueryString("accessdenied")) <> "" And true Then
MM_redirectLoginSuccess = Request.QueryString("accessdenied")
End If
MM_rsUser.Close
Response.Redirect(MM_redirectLoginSuccess)
End If
MM_rsUser.Close
Response.Redirect(MM_redirectLoginFailed)
End If

%>

The Mighty Dubs

D'OH...let the connection string out but still not getting the variable to carry over.

Eoin

First, print out the userID from the database to the page. Then print out the session variable to the page and see if it's being set.