FYI:

The articles you references were read over by me like 3 hours ago... way passed that and prob. in deeper sh*t than i was since im trying everything possible without knowing the true reason this is not working.

Both the NET and Classic ASP versions of this application are designed for fine granularity protection of individual apsx extension files. ASPProtect.NET is not designed or intended to protect sub directories, or non aspx content such as Adobe Acrobat .pdf files etc etc.

I completely disagree with your statement that “most sites” have a login box on the left hand side of the page. I suspect you thinking of the ever popular php based forums and “Nuke” type CMS systems which are set up that way but if you look at any site written entirely using .NET that’s rarely if ever the case. (Granted I cant say for sure because I personally haven’t looked at >50% of the estimated 18 billion +  web pages on the internet) Just off the top of my head www.CafePress.com come to mind as a pure .NET site. If you take a look the login button it takes you to its own login page there is not global login form used throughout the site. Reason being that .NET introduced this thing called a “view state” which is used to store things like your session ID (and way more) and must be posted back to the server in order to keep track of visitors. This technology comes in especially handy when you have a web farm in place and your content is being spit out out by more than one server at the same time

I can think of loads of scenarios where the web servers need to know who you are even though you are never directly contacting them via http. This approach is a very smooth and actually very clever solution for enterprise level websites that simply can’t be handled with a single web server.

 On a practical level I know what you are saying but that application sets up all sorts of things when a protected page is accessed and the user is not yet authenticated. That’s the entire reason you need to put that snippet of code at the top of a page you want to protect. That code snippet calls the ASPProtect.NET class and runs through all the logic to see if you are able to access the page. If you are the subroutine exits and the server continues to process the remaining logic on the page. AKA you are able to access its content. If you are NOT authenticated ASPProtect will setup all the proper session and viewstate info and redirect you to the login page for authentication. You may have also noticed a parameter on the login page called ReturnURL. The application looks for that info and if you do have a user ID and password the application automatically redirects you to the page you were trying to access in the first place.

Really I have no idea what you are trying to do, but there is a world of difference in how something looks verses how it works. Lets just say there was a simple way to do what your thinking, what are you going to do with that login form after the person logs in? Just keep displaying it on the entire site so people get confused and don’t know if they are logged in or not? Just that little part of the equation will require making some changes to either ASPProtect.NET or your application will have to have some logic built into it to stop displaying the login forum.

It sounds to me like your basically looking for a super simple 101 type deal that allows people to sign up for an event and you the admin can see that information? I’m guessing they can also log in again and check out their details and see what event they signed up for?

If that’s the case you’re trying to take a very sophisticated protection application and downgrade it into something that would be one heck of a lot easier to write all from scratch in about an hour.

Your not going to be able to “plug and play” a simple form into a page and turn that application as a magic universal login solution for a website, while its 100% possible to use the application that way if you choose, you need to check out the source code and plan your custom integration accordingly.

Ok time for some more questions!!!

Is there a way to make the person's email address their default username... or force it in somehow instead of allowing them to create their own?

Okay Chris, I wold like to get rid of the encryption then if it's not too much trouble.

I have no option of running the production server against an ms access db, since the db needs to be online and accessible from another system.

(Password Expiration Mod) for ASPProtect Version 7.x

This Advanced Mod requires decent knowledge of Databases and working with ASP. I originally wrote something like this for a customer on a custom project. I then took the time to re-write all the code from scratch so it could easily be plugged in to the current version of ASPProtect as an option. All in all this mod took me over 15 hours of time to develop and will save you a ton of time & money if you were planning on writing something like this on your own. Some parts of this were so difficult to get working that I would never have written this code if I was not paid to do so. (The encrypted array that rotates through the last 12 passwords was quite frustrating to get working)


 
The price on this is 19.95. I am not incorporating this into the base product because it makes things more complicated and isn't for everyone.

Purchase Page

Security is a big concern and making your users change their password every so often is a good idea. Keeping track of previous passwords they used and making them choose something they haven't used before takes the concept even further.

This Mod will add a password expiration date to the application. When the password expiration date is hit the user must confirm their old password as well as pick a new one before they can log in again.

There is a new password expiration directory where they must choose a new password that has not been used before. The new password must be confirmed during this process. (It remembers 12 old passwords the way it is coded) The old passwords are stored in the database in an encrypted array.


Directions:
Back up your existing ASPProtect installation.

Add two new fields to the "ASPP_Users" table in your database.

For an MSAccess Database

Password_Expiration_Date (Date_Time Field)
PreviousPasswords (Memo Field)

For a MSSQL Database

Password_Expiration_Date (smalldatetime)
PreviousPasswords (nvarchar 160 characters)

once that is done

Copy all the new ".asp" pages into your site.


Edit the "PasswordExpirationURL" variable in the "check_user_inc.asp" file

It needs to be the full URL to to the "change_password/default.asp" file


Now edit the "change_password/processchange.asp" file

There are 3 variables you can edit.

PageSentToAfter = "http://localhost/aspprotectmods/password_admin/default.asp"
PassMinLength = 4
PassMaxLength = 8

The "PageSentToAfter" is where you want them sent to after they change the password. It can be whatever you like.
If it is a protected page they should automatically get logged in with the new password they just changed to which is nice.

The other two values should be obvious.

That's it...

Just remember the password change thing is not used in the admin area...
You could easily add code for that on your own though by looking at the the password expiration code I added to the publics "check_user_inc.asp" file

Also:
You will see a new field to edit on the user edit screen for the Password Expiration of course. 

is that lindsey lohan and her fake boobs as ur avatar?

I am installing IIS and all of its glory on the other computer now... gotta love remote desktop (the pc is at work  )

Hello- I am trying to install the ASPPROTECT product and tried to read all the docs but still am getting the following error:

[Microsoft][ODBC Microsoft Access Driver]General error Unable to open registry key 'Temporary (volatile) Jet DSN for process 0x1980 Thread 0x1458 DBC 0x223c374 Jet'.

I understand about the physical path for the DSN-less connection and followed the example given. I got in touch with tech support for the host of my site and the give me the following as a physical path:

c:\sites\Single20\laptv1\database

Some observations:

1.- The database directory is outside the root dir but I think I am accounting for it with the path

2.- The permissions are ok

Any ideas?

Thanks

FP

yes, there is upgrade pricing
http://www.aspprotect.com/purchase_v7_upgrade_pricing.asp

and upgrade instructions here in the forums

if you install it in the same directory structure you wont have to make any changes to the pages in your site you have already protected.. because the code to protect a page will be the same

now, anytime you upgrade an application like this there is going to be a lot of work involved especially when there have been so many changes
http://support.cjwsoft.com/code/moreinfo173-1.htm
whether or not you upgrade is up to you

Like I said you can make version 6 work with CDOSYS and a remote email server. You just need to do some research on CDOSYS code and spend the time needed to make the code use it. I however am not going to spend time detailing all of that when I created a new version that does it.

UPDATE... on very very busy sites these methods have been reported to fail once in a while..  meaning .NET gets overloaded and instead of a banner its shows some error code.

its not the banner system .. its the .net engine and the calling method

Got any info for me on this ?

Chris

That was wrong of me but not what I meant. It seems as soon as I purchase something like this it doesn't work right and it can't be altered to work with what I have. The support ends up sucking or being none. Listen I’ve gone thru you're product and it's wonderful and does exactly what you say it does so that's a relief. Sorry about my ignorance with .NET but I’m from an ASP world and it's a lot different. You can see what I’m trying to protect here http://www.hotmixxent.com:8087/default.aspx. The final site after testing will be http://mxais.sfmx.org/default.aspx. Again thanks for the support on Christmas Sunday, that’s defiantly beyond the call and I appreciate it a lot.

Hi,

I don't fully understand what you are explaining ... the part about showing a user but not working???? but if you PM me the details I will glady go into your live webserver and see if I can get it working.

Thanks for your rapid responses, your support is excellent!

It may be best that I stick with html then. You mention that is stresses the Version 7 software, would the unlimited version perform any differently if I use multiple zones?

Also, if I do go with a single zone, would either program be able to make sure each banner is unique, or would there by duplicates for each page view?

Sorry to post so many questions in one day.

also.. every once in a while I get some nervous person concerned about security... and the pros and cons of having parent paths enabled.

etc etc etc

so let me add this bit of info..

I don’t know what your hosting company will say because it is an iffy topic and those that understand it have a hard time explaining it to someone who doesn't. Also usually the hosting company doesn't have a clue except they heard it was a security risk.

so, on control_pics.asp where you see

<% =TempDesc %>

you could try doing this instead

<% =Replace(TempDesc,"&nbsp","") %>

I am having problems with a password a user wants to use.  He wants HANNAH.  When he (or I) try to log in with his username and password, I get a syntax error  -

Syntax error in string in query expression '(Username = 'changedforsecurity') AND (Password = ' éG'.
pathOnComputer../1protect/check_user_inc.asp, line 114

I've obviously changed the username and the server path in the info above for security. 

I have not messed with the encryption.   

What is it that the system doesn't like in the word HANNAH as a password?  I would just change his password for him but this guy has enough trouble just turning the computer on!  Confusing him with a new password would take weeks to set him straight. 

Thanks,
Mick

Chris,

When I set up a test user name it does accept name and passwords and the passwords are encrypted, no problem there.

All I want to do is to restrict access to the protected pages to the members only. Only those users will be accepted and allowed to view.

I have entered all of thier names, address, phone number, email and company in the database, which is still named ASPProtect_access2002.mdb and in the fpdb directory of wwwroot. To get it there I uploaded via FTP.  I hope I expained the situation well enough.

I was actually able to do similar thing by allowing our dedicated search engine to access the site unchallanged.

<%
If Trim(Left(Request.ServerVariables("HTTP_USER_AGENT"),11)) = "MYPASSWORD" Then  
 SearchFlag = True
End If
 
If SearchFlag <> True Then
If Session("Access_Level") > CHECKFOR or Session("Access_Level") = "" Then 
%>
<!--#include virtual="/Auth/check_user_Code.asp" -->
<head>
<title>My Title</title>

</head>

<body>

My Protected stuff here

</body>

</html>

For this to work, the search engine must pass the PW to the web site. I just was not sure how to do the same thing with IPs. I will play with the code and see what happens. If it works, I will post it here to help others, if this is OK with forum rules.

Thanks,

Mo

[/QUOTE]

I just added couple of lines and it works fine

If (Request.ServerVariables("REMOTE_ADDR")) = "xxx.xx.xxx.xxx" Then 
 ' Session("PasswordAccess") = "Yes"
 SearchFlag = true
End If

Sorry, I forgot about that when I got hung up on the install problem.

 I'll tackle your explanation now to see if I can get it working. Since I already bought the software I'll keep my fingers crossed.

Thanks

ok, here is what is going on

you are password protecting an ".asp" page that requires querystring info to run correctly   (example - "somepage.asp?ID=3"")

that is something I never intended anyone to do.. while it does handle and repass the querystring info along during successful login it does not re-pass that info during a failed login as you have found out

this is all by design.. the only reason the system re-passes the querystring info at all is because I wanted to make it smart for the sake of the remember me/cookie feature.. so if someone was using that and bookmarked a page deep in your site with querstring info...then when they went back to that bookmark they would get authenticated and still see the page as intended with the querystring info in tact

it was a nice feature never intended to handle any situations other than what I just described...

now...
notice the url in the browser after failing a login.. then logging in successfully.. it is missing the querystring info

that more than anything is what is going on..  browser caching can cause some confusion when dealing with this because the browser likes to return you to the page minus the querstring info... when that happens a simple browser refresh at that time may very well solve the problem and then you see the page you are supposed to see...

To avoid all of this...

One solution to this is to always start people logging in to an ".asp" page that has no querystring info. That way this won't happen. Once they are logged in you can then offer them links to the pages they need to go to. (you of course still want to password protect those pages)

Another solution is to log them into a page with no querystring info and then do a response.redirect to the page with quersytring info.. thus accomplishing the same thing but without the possibility of the issue because of a failed login.

Another solutions is to do checks in your asp page for missing querstring info.. and if it isn't there do something about it like send them somewhere else.. or display a message about there being an error... etc etc

So,basically you don't want to tell people to login into such and such page with querstring info... and providing a username and password..... You can do it but like you found out it can cause an error if they mess up logging in the 1st time. The system just was not designed to handle that. There are complex reasons for that involving security that would just take me too long to explain.

I hope this makes some sense to you.. it is very hard to try and explain

I get this error, Any ideas?

Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC Microsoft Access Driver] '(unknown)' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.

/guestbook/save.asp, line 109

Glad it is working.. for anyone reading this the customer bascially did this
http://support.cjwsoft.com/forum/forum_posts.asp?TID=36& PN=1

That being said asp photo gallery actually has a few more places that send email that you going to need to modify as well. Off hand the reply to album, admin massemail, admin send email,and postcard features come to mind possibly as 3 of them.

using a multiple file search and replace utility like ReplaceEm would be the easy way to do all of this in one step and find all the instances

http://www.orbit.org/replace/

Okay, hopefully I'm posting in the correct area this time.

Currently we are utilizing ASPProtect 7.x

When using the Newsletter function, many members are indicating they are not receiving email.  No evidence of email in SPAM folders.  Also, when checking with email provider, they insist it is not being filtered prior to delivery to member's email address.

The following message does appear when a newsletter is sent.

error '8004020f'

/newsite/ASPprotect/scripts/emailing_subs_inc.asp, line 124

Line 124 is the line of code to 'send' the emails.  We have approx. 860 members who are on the list to receive the newsletter emails.  I have no way of knowing how many are not getting the email. Based on anecdotal evidence, I'm guessing it could be as high as 20%.

We are using CDOSYS / SMTP authentication with a real external email with MX records. Our website is hosted by Cbeyond.  They insist it isn't at their end. (for what it's worth)

Thanks for your assistance.

NPA

I'll try to help when I get back tues night,, see the contact page for info on where I am
http://www.cjwsoft.com/contact/default.asp?Subject=CJWSoft+G eneral+Inquiry

See, and that's what I thought.  What's interesting is that if I call either an aspx page or an asp page in the iframe tag, it asks me if I want to open the page, it doesn't display it.  I'm using IE6 so there's not problem with the support for the tag.

I'll keep looking to find out what's going on. I think the iframe method might work best.

JDooley

I'm using Aspimage and SQL. Photos are 2464 x 1632 px, tried the upload and import directory methods, same results: thumbnails ok, full images 0 bytes.

ServerSoftware Microsoft-IIS/6.0
ServerName www.larrysampas.com
ServerProtocol HTTP/1.1
PathInfo /gallery2/extras
PathTranslated d:\Customers\user1095000\www\gallery2\extras
 
FILE SYSTEM OBJECT Installed
ADODB (ActiveX Data Object) Version: 1.2 Installed  
CDONTS Version: 2.80 Installed  
SMTPMail Version: SMTPMail Retail Version V2, 2, 1, 0 Installed  
JMail Version: 4.1.2 Installed  
AspEmail Installed
AspMail Installed
SAFILEUP Installed
Dundas Upload Not Installed  
ASPImage Version: 2.31 Installed  
AspJpeg Not Installed  
ImgWriter Not Installed  
 
Script Engine 
Type VBScript
Version 5.6
Build 8515

actually  I just went to it again and it was somewhat slow coming up this time..

perhaps you have some issues with the sql database.

it should be instant.. like this one I run on my server
http://banserver.powerasp.com/aspbanner/

I suppose it could also have something to do with sql server resources but its hard to say..

I used Dreamweaver4 to make my site is there anything I can do to make it work?

Our login works great, variables even help determine menu options.  When user logs on, however, it opens in a new page.  Is there a setting somewhere that sets whether you can open in a new or existing page?

Also, when you log off

ASPProtect protects ".asp" pages only.

That is your problem.

Suprising I started this tread off on ASPImage, but I resolved my issue and forgot to change the thread topic.  I will try your suggestion.

Hi,

We use ASP Protect 6.0 and the database is SQL Server. Our hosting company is charging a lot for daily and weekly backups for everything. Which directories/folders do we need to backup daily and weekly incase something happenes to the site and we need to restore and get the password-protected are that works with ASP Protect to get working.

I just added this line to the paypal1.asp page

<input type="hidden" name="currency_code" value="CAD">

and it worked.  Clearly other values can be entered for other currencies.  Everything was listed in this manual https://www.paypal.com/en_US/pdf/subscriptions.pdf.

Cheers
Roy

Please Note : Users with the option pack a new feature called groups that is much more powerful than access levels.


More On Access Levels

Again, Examples of managing Access Levels are provided in the "multiple_access_levels" folder included in the root of the Password System. Look at the source code of the ASP pages in that folder with a text editor to see the working code.

Access Levels and how they work can be re-coded to work in many different ways. However, you have to be a good ASP developer to make changes to it. Here is some information on how they work by default and also info on an alternate scenario we have provided.

In the "check_user_inc.asp" that comes in the root of this system Access Levels works as follows.

Level 1 has Access to - Level 1
Level 2 has Access to - Level 1,2
Level 3 has Access to - Level 1,2,3
Level 4 has Access to - Level 1,2,3,4
Level 5 has Access to - Level 1,2,3,4,5
Level 6 has Access to - Level 1,2,3,4,5,6
Level 7 has Access to - Level 1,2,3,4,5,6,7
Level 8 has Access to - Level 1,2,3,4,5,6,7,8
ADMIN has Access to - Level 1,2,3,4,5,6,7,8,ADMIN

The "check_user_inc.asp" included in the "extras" directory is an example of changing the access level checking code
to work differently. In that "check_user_inc.asp" Access Levels works as follows.

Level 1 has Access to - Level 1
Level 2 has Access to - Level 2
Level 3 has Access to - Level 3
Level 4 has Access to - Level 4
Level 5 has Access to - Level 5
Level 6 has Access to - Level 6
Level 7 has Access to - Level 7
Level 8 has Access to - Level 8
ADMIN has Access to - Level 1,2,3,4,5,6,7,8,ADMIN

If you get creative you can create some interesting access level checking scenarios.

Here is some additional info..

If the access levels are too restrictive you can ignore them all together and create your own totally custom solutions.
Here is a quick rundown of some of the things you can do.

Ok... so if you want to be really specific about what each user can see and
can't .. here's an example of what you can do

Don't use the access levels before the include file..
Don't worry about what you set a user to in the admin area since the access levels won't be used.

Do something like this..

Every time a user logs in session variables are set that you can access at
any time.. thus allowing you to know who they are.

So you could do something like this...


<%@ LANGUAGE="VBSCRIPT" %>

<!--#INCLUDE FILE="check_user_inc.asp"-->

<%
If Session("USERNAME") = "bob1267" or Session("USERNAME") = "carl45" or Session("ADMIN") = "True" Then
Session("PASSWORDACCESS") = "Yes"
Else
Session("PASSWORDACCESS") = "No"
Response.Redirect(Request.ServerVariables("script_name"))
End If
%>

The following URL explains what Redirects are.
http://www.powerasp.com/content/code-snippets/redirects.asp

That would in effect create totally custom access levels.. but you would
have to do it manually for each user.

You can also do things like this after a person logs in

Show custom html to any specific user based on either their username or
access level ... like so

say there was a menu and a certain link should only show up to username
"paully67"

you could do something like this


<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY>


<br>
<a href="main.asp">Home Page</a>
<%
If Session("USERNAME") = "paully67" Then
%>
<br>
<a href="paullys_page.asp">Pauls Stats Page</a>
<%
End If
%>
<br>
<a href="links.asp">Links Page</a>

</BODY>
</HTML>

Or you can show custom HTML or links based on Access Levels or any other info.

You can do just about anything with if-then statements and
using the built in vbscript functions..

Hopefully this info will help to give you some ideas...

Bottom line is you have to do some work within your site to make the Access Level system really come alive.