I am using ASPProtect's password program, which has been very successful, for managing over 1,500 military veterans' memberships at http://www.vspa.com.  What I am trying to do now is utilize the "Groups" code, as generated by the Admin page, to prevent members with expired accounts (and non-members) from accessing restricted "members only" .ASP pages they may have bookmarked, or found via web search. The code generated and used is as follows:

<%@ LANGUAGE="VBSCRIPT" %>
<!-- Begin ASPProtect Code -->
<!-- Groups with access to this page. ( * ADMIN * Member Current * Member Life * Officer/Staff * ) -->
<% GROUPACCESS = "10,12,14,19" %>
<!--#INCLUDE FILE="check_user_inc.asp"-->
<!-- End ASPProtect Code -->

The above is placed over the <html><head> statements on the page.

When I am logged in the code works perfectly! When I log off and try the URL again, the page appears in its entirety but with a Login box for Username and Login Password at the top of the page. You may view the problem at: http://www.vspa.com/aspprotect/vspa-password-enter.asp .

What I would like to have happen is expired members and non-members would be sent (or Redirected) to a Login page. I do not want the Login password box to merely be inserted above the page that I am trying to keep them from visiting.

Don Poss,
VSPA Webmaster

Thought this would be easy.  A few more pointers should get the database connection to work:

1) How do you decide whether it is a DSN (system datasource) or not? Does just putting the file in the ODBC make it so? 

2)We have other files in there for other server applications, does that mean we’re stuck using DSN’s or is the file independent of that control dialog?

3) Assuming we get rid of using DSN for this database (or not), does the code go referenced in your article http://www.powerasp.com/content/hintstips/permissions.asp apply here or should it just work?

What else are we missing?

It happens at least once per hour or every time a banner is edited in the system by the admin.

Changing its frequency would be somewhat complicated. You'll have to make changes to the code in a few places and you will effect performance adversely by doing it more often as it will mean a lot more database queries which defeats the purpose of doing it once per hour to conserve resources. The reason is when you change the frequency of that you also change the frequency of the entire banner application variable caching system. It difficult to explain but it unlike most banner systems out there it basically fetches banner rotation info every so often instead of every single time your page needs a banner. It stores this rotation and cycling information in ultra fast application variables. The docs actually go over a little bit of how that process actually functions under "using the system / Setting Up Banners
"

Its a customization I just can not support and I do not recommend doing, but if you really want to you should look at the "aspbanner_inc.asp" file

this is the part that makes it happen at least once per hour (requires visitors to your site to happen obviously)... you'd have to cleverly recode it to work slightly more often

' Checks the time the banner data was last updated and basically updates it if an hour or more has passed
If Cint(Application("BannersLastUpdated")) <> Cint(Hour(time)) Then
%>
<!--#INCLUDE FILE="appinfo_inc.asp"-->
<%
End If

There may be more to changing this than that, but this is all I can tell you.

In a way your questions are confusing to me, but here is some information regardless.



Using Active Sever pages you can not protect entire folders. It is simply not possible. ASPProtect is Active Server Pages scripts so it can only protect individual ".asp" files.


If you are concerned about customers downloading the access database..

best practive is to store it in different folder name than it came in
best practive is to give the database .mdb file itself a different name
best practive is to change the password on the access database
best practice is to store it in a directory that is not part of your web if possible.. many of the better hosting companies have it set up so you actually can do that

the more of these things you can do the better..

And if you are really worried about security you should use a SQL Server database which nobody can download from your website under any conditions because your data lives in the sql server and unless they get the username/password to it they can not access it.

I checked through the code and could not find anything as well. 

However, I do think it may be related somehow to the code as I get the messages popping up in the error log only after I have edited a banner.

If there is nothing obvious, I may just set my error log to filter and automatically delete this type of error.  Not something I prefer to do.

Thanks for the quick response.

Otherwise the program is working very well and I'm happy with it.

What other information do you have ?

Details are very important.

Info on situations where it works... like OS, browser version.. etc etc

Info on situations where it does not work... same stuff

size of the PDF files ?

server info ?

Maybe protect a page and offer a PDF file so myself and some of the forum users can try it and report back what happens.

Also, Many people zip up PDF files when letting people download them as browsers can act pretty odd at times with them. Perhaps that is an option.

Great suggestion, routing the banner click through an intermediate page before the destination.  We use Deepmetrix LiveSTATS.xsp V7 and I should be able to configure a filter to capture the stats of the intermediate page.

Thanks for the help!
Lance

- I am using the original files that came with the software.
- The software ads items to the database flawlessly.
- ASPImage works great.

- When I try to remove an ad or an image it says it's been removed.
- The ad does not show up on the site anymore.
- BUT, when looking at the sql database the ad is still listed there.

Why is the software not deleting the columns from the database and the images from folder?

Note: My other tables for other projects, in the database, allow me to delete them.

[QUOTE=cwilliams]actually, passwords can be up to 75 characters long in ASPProtect.
the only requirement when entered from a non admin user is that they are at least 4 characters long.

what does MSAccess have to do with this ? Are you trying to convert and old system or something? I noticed you created and "old password" field in there ? Is there something I do not know about as far as what you are trying to do?

Passwords in version 7 are encrypted so I hope you understand all of that and realize you can not enter or change passwords right from SQL server. Also if you import info you must handle that accordingly and convert the passwords to encrypted format. [/QUOTE]

First off, I haven't imported anything from MS Access.. The only reason I mentioned it is cuz I thought initially it worked with Access and not SQL server.

I am not converting nor entering any data manually into the db, nor have I changed anything in the way the registration is made (don't know where the "Old password" has come from? thought it was a function you made?)

Chris:

I just got done trying it myself and it worked great for me too. I was aware of the security issue, but I'd already planned on using SSL for this particular call, as well as for the secured pages accessed through the normal process, so the bad guys will be kept at bay.

Thanks for the help.

Chris: You are right about a little extra coding to make it work. I am still learning .ASP coding, so I did a little web searching and used IF THEN statments to confirm a member logged in with a valid Access Code. If valid, the protected page executes, with the Member's Name and Access Level on a single line at the top of that page. Looks sharp! If not logged in, or a non member (who found the page via Google), I used a Redirect to send s/he to a login page with optional links as you suggested (http://www.vspa.com/aspprotect/vspa-password-failed.asp) . I couldn't get it to work when using Group Access, but I am sure that is just because I am a novice at .ASP (I will post that example when I figure it out). Meanwhile, here's the code I used that works:

<%@ LANGUAGE="VBSCRIPT" %>
<!--#INCLUDE FILE="dataconn_inc.asp"-->
<!--#INCLUDE FILE="check_user_inc.asp"-->
<!--#INCLUDE FILE="config_inc.asp"-->
<% =Session("First_Name") %>&nbsp;<% =Session("Last_Name") %>:
<%
If Session("Access_Level") = "6"  Then
    Response.Write "VSPA Active Member Access Level 6"
 End If
If Session("Access_Level") = "7" Then
    Response.Write "VSPA Life Member Access Level 7"
 End If
If Session("Access_Level") = "8" Then
    Response.Write "VSPA Officer/Staff Access Level 8"
 End If
If Session("Access_Level") < "6" Then
    Response.Write "Access Level 1-6 NOT AUTHORIZED RESTRICTED AREA ACCESS"
    Response.Redirect("vspa-password-failed.asp")
End If
%><!-- http://www.vspa.com/aspprotect/vspa-password-enter.asp -->
<!-- *** End ASPProtect Code *** -->
<html>
<head>

I am having problems accessing the admin site at the following URL:

http://www.drsweisberg.com/password_admin/default.asp

It brings up the login page, but when I enter the admin/test, it times out.  The DB is the copy with no password and it resides in a directory on the same server hosting the site but it is not in a folder viewable by web users.  This is how the dataconn_inc.asp is set:

<%
'*** Below are the only two settings you need to edit in this file
 
ConnectionString = "DSN=drweisberg;Driver={Microsoft Access Driver (*.mdb)}"
DatabaseType = "MSACCESS"
%>

The ODBC is setup and the IUSR has read/write/modify permissions.

Any help would be greatly appreciated.

It appears there was a flag problem. When reading it into SQL Server, it converted the True/False in Access to 1/0 in SQL Server.

Something very strange is happening.  Some users can't see the classified ads in their browser.  This is specific to the user's computer, and they can check other computers and see it fine.

In each case, the user is using windows explorer 6.0 browser with windows xp.

they can't see the ads listed on the ads page, but they can see the categories.

also, they can't see the place ad link on some pages.

Do you think that their browser is blocking the javascript for the mouseover message?

thanks.

Really, only you or your hosting company would know that information...

It is usally installed in the "_database" folder but the physical path including the drive letter  to that can only be known by asking your hosting company or by using server mappath to learn the path on you own.
http://www.powerasp.com/content/hintstips/physical-path.asp

That folder also needs special permissions. The permissions it needs are covered in the documentation for the software and generally only your hosting compnay can set those permissions.

The online support forums here are full of information and resources on correctly setting up data connections. It is ASP 101 and something you really need to have an understanding of.

I am happy to answer questions and try to help, but if you dont want to deal with it or can't we do offer installation services.

http://www.cjwsoft.com/installation_service.asp

I am also getting the "Unspecified Error" message.  I just transferred my site to IIS 5.0 and I get that error now.  However it does not happen everytime.  I can click on a page and it opens fine and then I hit refresh in the browser and I get the "Unspecified Error" message.  What could be causing this?

Hi

I downloaded the .chm format installation documentation but when I open it I get the index but can't see any of the pages so am a bit stuck.

Hi

I have purchased the Standard version about a week ago. Its a great script.

I have been able to select  uploaded banners from day one... but just now i dont seem to be able to select...

i know its hard for you to trouble shoot with such little information.. but i had to ask..

Should i maybe upload the site again ( but same the database first)?

regards

Domenic

Sydney, Australia

The code is ok..

Your getting an error because no banners are showing up in that zones rotation.

run this directly in the browser and you will see that there are no banners being generated for that zone ID
http://www.poconocommuter.com/aspbanner/aspbanner_inc.asp?Ba nnerZone=6

As a matter of fact I dont see any banners showing up for any zones previous to 6 which tells me either you dont have valid banners in there or the application variable info got corrupted do to a server crash / power off or something.

http://support.cjwsoft.com/code/moreinfo95-1.htm

User Information

After a user logs in there are variables that you can always access.
They can be used to check various things or to display information
dynamically based on who has logged into the system.

   Session("PasswordAccess")
   Session("Access_Level")
   Session("Admin")
   Session("Active")
   Session("Expiration_Date")
   Session("User_ID")
   Session("Groups")
   Session("Redirection_URL")
   Session("Password")
   Session("Username")
   Session("First_Name")
   Session("Last_Name")
   Session("Company_Name")
   Session("Email")
   Session("Address")
   Session("City")
   Session("State_Province")
   Session("Zipcode_Postal_Code")
   Session("Phone")
   Session("Custom1")
   Session("Custom2")
   Session("Custom3")
   Session("Custom4")
   Session("Custom5")
   Session("Custom6")

You can display them on a page at any time using Response.Write like so

<% Response.Write(Session("FIRST_NAME")) %>

or like this

<% = Session("LAST_NAME") %>

Hi. Chris.  I'm not a programmer of any sorts, so I am not comfortable plugging in the changes you suggested and not knowing for sure if it will "break something somewhere else".  If the programmer tells me "you have been warned", its a pretty good sign its a no win situation. If you don't know, theres no way i can know.

I saw in the code where you mentioned the changes. I don't see where it mentions the last name is required either, but the bottom line is it does require it it the actual new user form.

Thanks anyway Chris. I'll figure something out.

-john

ok, I just sent you a private message with download information.

replace you existing

"check_user_inc.asp"

"admin/check_admin_inc.asp"

"admin/email_user.asp"

with the new versions in the download

Do some testing to make sure that HANNAH password works ok for you.

Hopefully this cures the issue...
If it works ok for you for a while I will offer the fixes to everyone and start using this code from now on

BTW:
"admin/email_user.asp" had an unrelated bug in it that only happened if its error handling got triggered... it was posting back to the wrong page when that happened and causing an error

Why all the pages at the directory .../password_admin/ are very slow to open online?

ALL FIXED.. tested with real paypal accounts and a live system
works perfectly

THIS FIX IS ONLY FOR PAYPAL SUBSCRIPTIONS

Download this file "ipn.asp" and put it in the "paypal_sub_signup" folder
2005-03-10_164645_aspprotect_subscription_fix.zip

Basically somehow an older version of the this file was in the original download archive.

I am VERY SORRY

Anyone who purchased ASPProtect 7 before March 11, 2005 should download this fix.

There are 8 Access Levels by default.. they work like this.
http://support.cjwsoft.com/forum/forum_posts.asp?TID=166& ; ; ;PN=1

Access Levels exist in ASPProtect Version 7 for backward compatibilty for customers using previous versions.

Truth is Groups are the replacement for Access Levels and they are much more powerful and flexible. You can also make as many of them as you want in the admin area.
http://support.cjwsoft.com/forum/forum_posts.asp?TID=167& ; ; ;PN=1

On a side note:
We also coded ASPProtect Version 7 so there could technically be as many access levels as you wanted. It's not supported but if you really wanted more Access Levels you would carefully add more Access Levels to the drop down choices when you edit a user. "edit.asp"

I don't know why anyone would want to use Access Levels however when they can use Groups.

You need to make sure you created the SQL database using the SQL scripts we provide and that no errors occur whatsoever. That is extremely important. You must use our SQL creation scripts.

Then, when you create the user you need to go back to that user and make sure you check the admin account and save that user again. (many times when setting up a system for someone I find myself forgetting that step and then I have to go back in and check the admin box for the user I created.)

And of course create the user from the ASPProtect admin area web interface. Do not add the user to the database manually because you will have no way to enter the password correct as it is encrypted. And do not change the encryption key after making the user/.

It would also be wise to check the SQL server database at every step to make sure the user info gets created and that all the field info looks correct for the most part.

You also want to be sure to specify SQL as the database type side the connection string info as the SQL directions go over

a remote sql server should not an issue.

thats really all I can think of right now

ok, 1st we need to rule out the #1 reason people sometimes think that is not working.

Is is set up never to allow the same IP to increment the count more than once in a row so when testing it is real easy to think the count isn't working because unless you can change your ip you can not increment the count more than once per album

It's a poor mans spam abuse type of deal..
For the most part it will keep some Joker from hitting refresh 100 times and inflating the count of an album.

Do you think that is possible what is happening ?

Also, here is an older thread about the same issue?
http://support.cjwsoft.com/code/moreinfo54-2.htm

I have sent an registration email (as test) to both a yahoo account and also my own email server and in both cases I get the same issue, all else is working great. I am sure its somthing simple, perhaps I am over looking somthing else. the site url is www.rochestertek.us/asp/users/register.asp if this helps

Again thanks.

Got it working.    Had purchased a long time ago and forgot about needing to run the userreg.exe.  All is well and thanks for the follow up.

Lance

Could be a mod I guess - it would be nice to have an option on the admin settings page to lock down access of all pages and redirect to a specified  "lockdown" page upon attempted login.

If I'm updating the large files on the server and someone attempts a download, they'll get a partial ZIP file or an error.

A mod like this would improve tracking by leaps and bounds.

Do you think this addon would be availalbe anytime in the near future? If/when this feature or mod becomes availalbe, it certainly would be ideal if some script was made to import all the log file data.