Blog Entry: 3/25/2006 4:55:30 PM
Come on the threats are not necessary- i got the point the first time you said it.. i thought i made a friend thru this and felt comfortable to say something like that... i am not a big online chatter just do the web stuff as a hobby... i am a network / computer hardware guy (yet i work for a mortgage co. go figure...), If they changed the paths they moved the site.
That means permissions for the database folder must be set again.
If permissions are not set and you are not using the correct new path info then you will still get errors.
Those errors the server reports back and quite generic and do no mean exactly what they say. They just mean everything is not perfect.
And everything just has to be perfect..
cwilliams38306.5069328704,
It is refered to as the internet guest account but that isn't the actual username. The username is different for every machine. It usually starts off with "IUSR_" and then your machine name. "Internet Guest Account" is always the account's full name as labeled by IIS when it is installed.
Regardless,
If an account isn't listed you have to add it.
Click (add-advanced-find now) and it will list off all the user accounts on the machine
You can also click (add-advanced) and simply type in the account name or part of it.
Some more tips:
If on a local machine you always just give the "everyone" account full control which is pretty much going to make anything work.
You can also go to computer management in your server's administrative tools and view all of the accounts and groups there under "Local Users and Groups".
cwilliams38417.7186689815, can add photo album but after i upload a pic, nothing shows.
where do i look to research why pics aren't showing in the albums
, Thought this would be easy. A few more pointers should get the database connection to work:
1) How do you decide whether it is a DSN (system datasource) or not? Does just putting the file in the ODBC make it so?
2)We have other files in there for other server applications, does that mean we’re stuck using DSN’s or is the file independent of that control dialog?
3) Assuming we get rid of using DSN for this database (or not), does the code go referenced in your article http://www.powerasp.com/content/hintstips/permissions.asp apply here or should it just work?
What else are we missing?
, Does ASPprotect support Paypal's Website Payments Pro option, where a user can use a credit card directly on a web site, without passing to paypal.com?
Nick
, ok, that probably means the physical path you have set for the logfile directory (in the admin settings area) is not correc t
the error pretty much means just what it says
, I did everything mentioned here but it do not work ;(
, I used Dreamweaver4 to make my site is there anything I can do to make it work?
, Chris,
Yesterday when I would access the get_me_in page with the password key, I was then taken to the default login page. It did not give me the option to create a user.
Today, when I entered the password key into the get_me_in page, I was taken right to the create user page. So, yes the problem has been resolved. I have no idea why though.
, Yup, it probably means the virtual directory is not configured as an Application in IIS.
You did put this in a plain folder in your web, correcct ?
Not a subweb
Regarding the application settings for the virtual directory.. if it is your server you set that stuff up in the IIS console.
If hosted somewhere it is there responsibility to have that set up correctly for you and you need to contact them and ask them what the deal is.
cwilliams38455.9035300926, gotcha...thanks.
, I am not sure. I can tell you that I run windows 2003 server and I have never had any issues setting permissions for ASP.NET files and folders. This very server is 2003 and the ASPProtect.NET demo runs on this server as well.
Course, I can't say that I have specifically tried to remove ASP.NET READ permissions on the database folder as it's just not something I would not have a reason to do. Why are you trying to do that? The ASP.NET account needs that permission. If you are trying to stop file browsing and downloading in that folder that is not how you do that. The best way to do that is by keeping the database somewhere else on the server that is not part of the http web. , (FREE) Nov 23 2005 Update Files
If you purchased ASPProtect Version 7.x before Nov 23 2005 then you can download these Update Files.
(These are non-critical updates.. only update if you want the described changes below)
These updates do the following..
- Make the Tabs in the Admin area move up and down as you navigate around so they look more like tabs used in a file cabinet.
- Updates the import/export process so the tab delimited text files created now store the passwords in plain text instead of encrypted. I have been thinking about this one for a while now and I think it is better this way as it was confusing a lot of people. If can also kill the whole process if by chance the encrypted output of a password contains a line break of sorts. There is no way to deal with that scenario so this is way the import/export process is going to work from now on. This also means you should be VERY carfeful about leaving export files lying around as they will have the passwords in them.
- Updates the "expected_paths.asp" in the data folder because the paths it was generating had an extra "data/" in it.
- Updates the users page so it will not show the import/export link if you have not entered a path for the export files in the settings.
- Adds an Activity Tab if using the Activity Tracking features instead of the links it used to put on the users page that most people didn't see.
To install these just copy them in over the old files.
Now of course back up your existing files so can revert back if there is a problem or you do not like the changes. If you made any custom changes to any of your pages use your head and realize that copying these in over your existing files will overide any custom changes you made. (that is your business, I am just warning you)
2005-11-23_163025_ASPProtect_v7_11-23-2005_update.zip
, Our login works great, variables even help determine menu options. When user logs on, however, it opens in a new page. Is there a setting somewhere that sets whether you can open in a new or existing page?
Also, when you log off
, I will actually explain how to set access_levels and/or groups...
in "users/add_new_account.asp"
carefully edit with a text editor
find this part
CmdAddUser.Fields("Access_Level") = "4"
that is where the acess level gets set...
you can change the level or remove that line all together if you dont want one set
now for groups you would add this line in the same area
CmdAddUser.Fields("Groups") = "*3*"
or
CmdAddUser.Fields("Groups") = "*1*,*2*,*3*"
Groups access for a user is stored in one field in the database like you see above. If you are confused what you should be saving in that field I suggest simply setting a user to whatever groups you want via the admin area and then looking in the database to see what got saved in that field. It's pretty simple really how they are stored.
*1*,*5*,*9*
that user would be a member of groups 1,5, and 9
, All can say right now is take a break and get away from it for a bit. All your going to do is stress yourself out more if you keep working on it.
There is probably a way to make it work but it may require days of fiddling around and reading articles and trying things and even then you may not get it working AND THEN ITS JUST A BAD IDEA ANYWAY. Like John says you are better off running it on a server that is not a domain controller.
,
Both
the NET and Classic ASP versions of this application are designed for
fine granularity protection of individual apsx extension files.
ASPProtect.NET is not designed or intended to protect sub directories,
or non aspx content such as Adobe Acrobat .pdf files etc etc.
I
completely disagree with your statement that “most sites” have a login
box on the left hand side of the page. I suspect you thinking of the
ever popular php based forums and “Nuke” type CMS systems which are set
up that way but if you look at any site written entirely using .NET
that’s rarely if ever the case. (Granted I cant say for sure because I
personally haven’t looked at >50% of the estimated 18 billion + web
pages on the internet) Just off the top of my head www.CafePress.com
come to mind as a pure .NET site. If you take a look the login button
it takes you to its own login page there is not global login form used
throughout the site. Reason being that .NET introduced this thing
called a “view state” which is used to store things like your session
ID (and way more) and must be posted back to the server in order to
keep track of visitors. This technology comes in especially handy when
you have a web farm in place and your content is being spit out out by
more than one server at the same time
I
can think of loads of scenarios where the web servers need to know who
you are even though you are never directly contacting them via http.
This approach is a very smooth and actually very clever solution for
enterprise level websites that simply can’t be handled with a single
web server.
On
a practical level I know what you are saying but that application sets
up all sorts of things when a protected page is accessed and the user
is not yet authenticated. That’s the entire reason you need to put that
snippet of code at the top of a page you want to protect. That code
snippet calls the ASPProtect.NET class and runs through all the logic
to see if you are able to access the page. If you are the subroutine
exits and the server continues to process the remaining logic on the
page. AKA you are able to access its content. If you are NOT
authenticated ASPProtect will setup all the proper session and
viewstate info and redirect you to the login page for authentication.
You may have also noticed a parameter on the login page called
ReturnURL. The application looks for that info and if you do have a
user ID and password the application automatically redirects you to the
page you were trying to access in the first place.
Really
I have no idea what you are trying to do, but there is a world of
difference in how something looks verses how it works. Lets just say
there was a simple way to do what your thinking, what are you going to
do with that login form after the person logs in? Just keep displaying
it on the entire site so people get confused and don’t know if they are
logged in or not? Just that little part of the equation will require
making some changes to either ASPProtect.NET or your application will
have to have some logic built into it to stop displaying the login
forum.
It
sounds to me like your basically looking for a super simple 101 type
deal that allows people to sign up for an event and you the admin can
see that information? I’m guessing they can also log in again and check
out their details and see what event they signed up for?
If
that’s the case you’re trying to take a very sophisticated protection
application and downgrade it into something that would be one heck of a
lot easier to write all from scratch in about an hour.
Your
not going to be able to “plug and play” a simple form into a page and
turn that application as a magic universal login solution for a
website, while its 100% possible to use the application that way if you
choose, you need to check out the source code and plan your custom
integration accordingly.
, Tell tell me some info about your install?
How am I supposed to know what is going on when you are not showing me what you have in your web config file and also the directory structure of the install or what you are putting in a page you are trying to protect ? It almost sounds like you are not editing the paths correctly in the various places. I mean yes you told me something about the "map" folder but what I saying is tell me more detail.
BTW: this is a very important setting in the web.config file and must be edited accordingly so the path is right.
<forms name=".aspprotect~net" loginUrl="/aspprotectlogin.aspx" protection="All" timeout="60" path="/" />
Basically your showing me random errors and posts left and right and I honestly have no idea what your doing ?
Ulitmately though I am trying to help you in this situation like the web site says.
We offer tech support for installation of the base application purchased in it's native form. In some cases in order to receive proper tech support your application will be need to be installed on a live server on the Internet. We simply cannot troubleshoot all issues when the application is only installed on your local machine.
Meaning I am not going to keep this up if you keep asking question after question after question regardign your local XP Pro installation. There is only so much I can assume or guess when you are running this on a local development server. I know you got all sorts of problems getting a decent live server to run this on but that just isn't my problem. Get this up and running on a professionaly and correctly setup live server and when these random configuration errors pop up atl least I can go run the pages and look at them. Right now I am just confused by nearly everything you have posted today. Half of looks like basic ASP.NET path issues that you need to sort of on your own based on where you installed the application on the machine and what you have in the web.config file.. etc etc etc
It is sounding more and more like ASP.NET is way over your head. If you want a copy of the classic ASP version of ASPProtect you are welcome to it. I think you will be a lotter better off sticking to classic ASP unless you really start reading up on ASP.NET and learning more about how forms based authentication and the web.config file work.
, thanks!! the file took care of the extra slash. I also fixed the problem by modifying the permissions.
dazed
,
Thanks for the quick reply.
I will consider editing the code.
, also, just to show you what happens when a user creates a subscription this is the code. you can see in red where the subscrition is is set and also where the exp date is set to null
If txn_type = "subscr_signup" Then
Set ConnPasswords = Server.CreateObject("ADODB.Connection")
Set CmdEditUser = Server.CreateObject("ADODB.Recordset")
ConnPasswords.Open ConnectionString
SQL = "SELECT " & tbl_label_users & ".* FROM " & tbl_label_users & " WHERE (User_ID = " & User_ID & ")"
CmdEditUser.Open SQL, ConnPasswords, 1, 3
CmdEditUser.Fields("Active") = "1"
CmdEditUser.Fields("Validated") = "1"
CmdEditUser.Fields("PayPal_Subscriber_ID") = subscr_id
CmdEditUser.Fields("Notes") = "Successful PayPal Subscription Signup on " & Date
CmdEditUser.Fields("Expiration_Date") = Null
If Access_Level <> "" Then
CmdEditUser.Fields("Access_Level") = Access_Level
End If
If Groups <> "" Then
CmdEditUser.Fields("Groups") = Trim(Groups)
End If
CmdEditUser.Update
CmdEditUser.Close
Set CmdEditUser = Nothing
ConnPasswords.Close
Set ConnPasswords = Nothing
End If , When I add a user, I can not activat it.
What do you have the registration type set to in the settings ?
They wont be activated automatically unless you have "automatically" selected ?
It sends me back to log on and will now allow me to log in as admin???
I am not quite sure I understand ? Seems to me like that would be normal because you can always log in as the admin at any time. If you cant log in as the user you just signed up as that could be for a couple reasons relating to the registration type you have slected in the settings. There are 3 types all epxlained in the settings screen. Some require manual activation byt the admin, some involve a registration email.. etc etc
I can restart the APP and log in as Admin, but the user I added
is still not activated??
How and why are you restarting the applicaton ? Please explain what your doing there.
My system will also not allow me to set the Stay Loged in FLag.
It just ignores it....
As I told you in an email earlier cookies must be enabled for authentication to work. You mentioned now you can not log off ? I am not sure I know what you mean by that. I assume you know to close all browser windows when testing things like this and I assume you know you have specifically log off and confim it in order to remove the remember me cookie and have to log in again when you return to the site.
, These are 4 valid examples of calling a flash movie.
The more simple examples may cause problems for people that don't have the flash plugin installed. I really do not know as I am no flash expert. All these work fine for me. Of course I have the latest flash plugin installed. Perhaps some of you can shed some light in this. The 3rd and 4rth examples are obviously only slightly different and mention different versions of flash as far as downloading the plugin goes.
<EMBED src=" http://www.aspbanner.com/test/aspbanner/images/banners/power asp.swf" WIDTH="468" HEIGHT="60">
<object width="120" height="22">
<param name="movie" value=" http://www.aspbanner.com/test/aspbanner/images/banners/power asp.swf">
<embed src=" http://www.aspbanner.com/test/aspbanner/images/banners/power asp.swf" width="468" height="60">
</embed>
</object>
<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase=" http://download.macromedia.com/pub/shockwave/cabs/flash/swfl ash.cab#version=6,0,40,0"WIDTH="468 " HEIGHT="60" id="myMovieName">
<PARAM NAME=movie VALUE=" http://www.aspbanner.com/test/aspbanner/images/banners/power asp.swf">
<PARAM NAME=quality VALUE=high>
<PARAM NAME=bgcolor VALUE=#FFFFFF>
<EMBED src=" http://www.aspbanner.com/test/aspbanner/images/banners/power asp.swf" quality=high bgcolor=#FFFFFF WIDTH="468" HEIGHT="60" NAME="mybannername" ALIGN="" TYPE="application/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer">
</EMBED>
</OBJECT>
<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase=" http://active.macromedia.com/flash2/cabs/swflash.cab#version =4,0,0,0" ID=banner WIDTH="468" HEIGHT="60">
<PARAM NAME=movie VALUE=" http://www.aspbanner.com/test/aspbanner/images/banners/power asp.swf">
<PARAM NAME=quality VALUE=high>
<PARAM NAME=bgcolor VALUE=#FFFFFF>
<embed src=" http://www.aspbanner.com/test/aspbanner/images/banners/power asp.swf" quality="high" bgcolor="#3CBDCD" WIDTH="468" HEIGHT="60" TYPE="application/x-shockwave-flash" PLUGINSPAGE=" http://www.macromedia.com/shockwave/download/index.cgi?P1_Pr od_Version=ShockwaveFlash">
</OBJECT>
cwilliams38089.6129513889, also.. every once in a while I get some nervous person concerned about security... and the pros and cons of having parent paths enabled.
etc etc etc
so let me add this bit of info..
I don’t know what your hosting company will say because it is an iffy topic and those that understand it have a hard time explaining it to someone who doesn't. Also usually the hosting company doesn't have a clue except they heard it was a security risk.
Here is the low down from someone that really understands it...
(well, at least I think I do)
The only real security risks are from YOU and possibly other people hosting on the same server if they have parent paths enabled that is.
Meaning your site visitors can't possibly do anything with it unless of course you let them upload and run their own asp files to the server.
Anyway.. if YOU run malicious asp scripts you could potentially attack other sites on the server and look at things you shouldn't. As could other sites on the same server do to you I suppose.
So, unless you plan on doing that or some other site admin on the server does it to you its not really a concern. Just an advantage in coding abilities.
If you attack someone elses site on the server or lurk where you shouldnt then you are probably violating your hosting agreement.
99% of the time everyone gets all nervous over nothing.. half the people nervous about this have sites nobody would ever want to hack anyway.
Many people with a really important/busy sites are going to have a dedicated server somewhere so the setting is not relevant..
The hosting companies of course have to warn you.
This setting was enabled by default for years on IIS4-IIS5. I never once heard one single real story about anyone attacking anything because of this setting. That doesn't mean it doesn't happen but I am just telling you what I know.
This is all my opinion so take it for what it is...
If you are a Hosting Company your better off turning it on at the customers request, giving them a warning about it, and in turn having happy customers.
The big hosting companies like Alentus and MaximumASP do it...
There are far worse things than this to let people do after all.
Beleive it or not I have actually been in servers where they gave the anonymous webserver acount modify permissions EVERYWHERE yet they disabled parent paths ????
When adding a new user I am taken to a form.
There are several "required fields".
First and last names are 2 of them.
This is not needed by me and I need the company name as a required field instead. I work and deal with company names, not individuals.
So, i am unable to add any users due to this.
How can I either do away with the names as a required field or swap the individual names with the company name as a required field?
I have customers wanting to be able to view their own stats, but I need to do away with the required fields to work with my customer base.
Is there a way to protect other virtual sites on the server that are not under the default web site considering people may have different websites running off one server? I get the following error:
I apologize if I've missed this, but I would love to see the ability to auto-e-mail the advertiser at some randomly set interval before the banner expires. Ideally, I would also be cc'd on this e-mail so I can stay in touch. If the advertiser wants to renew, I can receive payment and change the expiration date without their banner ever falling out of service.
Since e-mail is already built into the program, would it be difficult to add a routine that checks for expiring banners at some daily interval, and contacts the advertiser?
To get really fancy, the e-mail could include the ability for me to add a button for paypal, allowing the advertiser to easily click and send off another payment.
I really do not know.. maybe it is a conflict with something else..
I run many instances of aspbanner on my servers and I have every item to log enabled for my iis log files... my stats server software which reads those log files (livestats and smarterstats) have never reported any 404 errors related to (aspbanner/those images)...
I do not know what is happening in your situation..
sorry.
, Just to put an end to this thread here is the solution for anyone reading.
The permissions were ok.
The data connection string never got edited in the "dataconn_inc.asp" file so it was invalid the whole time.
Once that was corrected the application ran.
So really this whole thread was over not following the directions and not editing the data connection string...
Yes, thats cool.. post it here for sure.
Also, the way you allowed for your search engine is clever and probably was the easiest way to go.
You could do the same thing with the IP. Much easieri than the way I was thinking of doing it.
