Blog Entry: 3/25/2006 4:55:19 PM
Using just ASP (Form Based Authentication) you can only protect the actual content of the ".asp" files.
You can however use some ASP tricks to stream other types of files to the users.
That way the actual file locations are never known and they can only get them/see these files when they are logged in as you would be streaming files to them after they logged in.
Below are informative links I have collected on the subject in an email I sent to another customer a while back.
Using Active Server Pages you can only protect ".asp" pages.
You can however password protect ".asp" pages that stream files to the user using code like in these examples therefore keeping the actual file name a secret.
And from another email I sent...
ASPProtect only protects the content of ".asp" pages. Directory protection is not possible using just ASP.
Other file extensions can not be protected using just ASP.
There are ways to get around this.
You'd want to do a technique like this to stream non ".asp" files to the users.
The safileup component from softartisans can actually do something similar as far as streaming the files go.
Then use something like ASPProtect to protect the ASP files that streams the files.
The actual location of the files is never known to the users and of they don't have access to the asp pages they can not see or get those other types of files.
Very doable, but nothing ASPProtect takes care of automatically.
This info above should get ya on track.
cwilliams38344.8751736111, You do not say something like that in a support forum for a legitimate software product. I don't think piracy is funny in the least bit. It is something I deal with every day with my own software. If you want to joke about it please do it someplace else. If you are downloading things via p2p do not talk about here. I don't want to know about it period.,
Has this been resolved ?, Ok, so I checked to see if ASP is running on the server and it is. then I added code to the top of a page and this is what i can see when 'view Source' on the web browser:
<%@ LANGUAGE="VBSCRIPT" %>
<!-- Begin ASPProtect Code -->
<!-- Groups with access to this page. ( * Admins * ) -->
<% GROUPACCESS = "4" %>
<! #INCLUDE FILE="check_user_inc.asp">
<!-- End ASPProtect Code -->
<html>
<head>
<title>TeamManagers</title>
Yet I get no challenage for a password and no error message!
, Some users have reported an error during the registration process.
Here is what I believe is happening.
When you register you get sent a validation email that has a link in it that looks something like this.
http://support.cjwsoft.com/forum//activate.asp?ID=testAD3AD2 97BC
That link can only be clicked on once which will activate your account.
If you somehow run that link more than once you will get a message telling you there was an error.
I think some people are double clicking on the link they get sent and running it more than once.... or clicking on it again after registration is complete. It probably happens very fast so they never see the success screen.
Either way, if you can login to the forum nothing is wrong and you are already activated. cwilliams38089.6248842593, Chris -
Long time no talk, which is a good thing. I have purchased another product from you, ASPVendor. I am running into an issues.
When I try and remove the image through the image manager, it does not remove it. Screen shot attached.
2005-10-19_194248_image_upload.zip
Thanks , I was able to get it all figured out. Thanks a lot for your help, I really appreciate it. I ended up copying the database with the password to the directory and used the user/password connection code and it works great. I believe it was related to that but I cannot be sure. Thanks again! , if you use our existing User_ID they are going to get new ID's. There is nothing you can do about that.
You could very easily though stick your exisisting User_ID's in one of the custum fields so you dont lose that info for each member., 1st. Please understand you have to purchase two licenses to do such a thing as each installation will need a valid license purchased.
Moving on:
ASPProtect using a industry standard concept called "Forms Based Authentication"
This primarily relies on session variables keeping track of login status.
Each installation must be in it's own unique "IIS Application" so it will have it's own set of application and session variables.
That is often not possible with shared hosting plans as the server admins may not be willing to set a folder in your web as a separate IIS application. You would need to ask. It is going to depend on the quality of your hosting plan whether they do it or not.
technically it takes about 1 minute to open up the "IIS Console" and set up a folder in your web as a separate "application"
Based on what you are telling me that you want to do I think it would make a lot more sense to have one installation and one user database and customize your sites so ASPProtect users that are part of certain "groups" have access to things others do not or see things on pages other users would not. That is after all the entire point of Dynamic web sites and also why ASPProtect has "groups".
Then as far as the registration differences go you would make a copy of the users area folder area and manual customize it to register users in an alternate fashion than the main "users" folder. And then send people there if that is how you want them to register.
I don't support customizations but that is the gist of it. It's really not difficult work, but you have to be good with ASP., I used Dreamweaver4 to make my site is there anything I can do to make it work? , I think I have successfully integrated Paypal but seem to have a slight
issue. Once a person has entered the Paypal site but cancels their
order, the ad is still placed on the site. The optimal way for my site
to work would be to cancel the ad once the Paypal process has been
cancelled. Any help would be great.
Thanks
, Your users with Internet Explorer may have received the "Page Expired" error. For ASPProtect users, it happens when the user is not logged on and tries to invoke the target page. check_user_inc.asp puts up the login form, and IE sees it as part of the target page. Any later attempt to Back up and reload from cache gives the errror.
My solution was, after successful login, instead of falling through the bottom of check_user_inc.asp and running the target page, I issue a re-direct to reload the target page. I also added META tags on the dynamic login form to say no-cache and expire now, so the re-direct really does reload the target page. This time, of course, check_user_inc.asp does not need to put up the login form, and the new target page in cache contains no form at all. So, IE will not give a Page Expired error when Backing up to it later.
Netscape, and I gather other browsers, do not behave the same way, so I limited the solution to IE. Also, the solution only works if the target page has no form of its own.
I'm uploading my customized version of check_user_inc.asp that contains this solution. (In it, I also used the Javascript focus method to place the "cursor" in the Username field when the login form loads.)
2004-11-22_050940_check_user_inc.zip cwilliams38313.494537037, look in the "check_user_inc.asp" file
Thank you that did it !! , you can whatever you like but like I said those gif files are already in the correct place. The log parser is messing up. , I set the max image width to 1000; previously it was null. Now I'm getting server errors:
page not found, then, service unavailable (the page is there). But in a new album, the images imported fine and it seems to be working now, despite the IIS issues.
I think my host restricted the amount of memory and resources my site is allowed to use. ,
it has been 3 days since I logged myself in under Admin, and all the user information on the User Activiy screen seemed to be gone.
is there any specific length of period it refreshes its user information??
, In addition to that I just noticed the </href> you have in there.. man that is some scary stuff you came up with.. that may appear to work and make a link but it is not correct. Each link will work but never truly be closed.
That is just not valid proper use of the anchor tag.
You make a link in html like so
<a href = "somepage.htm">somepage.htm</a>
http://www.w3schools.com/tags/tag_a.asp
Then your surrounding each link with <span lang="en-us"> </span>
Not sure why ? , Humm, Did you make any changes to the code ?
Solid Black is not the default so it must have changed at least once.
Otherwise it might be some sort of application variable problem.
I would make sure the web is and "application" in the IIS console.
, I was actually able to do similar thing by allowing our dedicated search engine to access the site unchallanged.
<%
If Trim(Left(Request.ServerVariables("HTTP_USER_AGENT"),11)) = "MYPASSWORD" Then
SearchFlag = True
End If
If SearchFlag <> True Then
If Session("Access_Level") > CHECKFOR or Session("Access_Level") = "" Then
%>
<!--#include virtual="/Auth/check_user_Code.asp" -->
<head>
<title>My Title</title>
</head>
<body>
My Protected stuff here
</body>
</html>
For this to work, the search engine must pass the PW to the web site. I just was not sure how to do the same thing with IPs. I will play with the code and see what happens. If it works, I will post it here to help others, if this is OK with forum rules.
Thanks,
Mo , This is the error that I am getting when I try to add a banner...
[code]Microsoft OLE DB Provider for SQL Server error '80040e09'
EXECUTE permission denied on object 'sp_ASPBanner_GetZones', database
'aspbanner', owner 'dbo'.
/aspbanner/appinfo_inc.asp, line 67[/code]
also, when i go to the banners tab i see this in the banner list...
[code](3 Banners Found)
Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near '='.
/aspbanner/banners.asp, line 306[/code]
Help., I'll try to help when I get back tues night,, see the contact page for info on where I am
http://www.cjwsoft.com/contact/default.asp?Subject=CJWSoft+G eneral+Inquiry , If you have messed up the admin account or forgotten the admin password you generally should open up the database manually and add a new account or see what the old account is.
In version 7 however you have another option. Go through the installation instructions again. Specifically the part where you use the "get_me_in.asp" page to get back into the admin area by pasting in the password encrpytion keye you are using from your config file. , Just want to be able to log users in from the home page via a username and password box somewhere say on the left hand side with a login button. Like most sites have.... i cant seem to figure out how to do that with the software.
My other question is..Is there a way to incorporate this software into an event registry? What i mean is this:
Say a company is having a pool party, BBQ, and tennis lessons (just examples)
When a user registers with aspprotect i want him/her to have the option to register for one of the events. Also, I as the admin, would like to be able to view who and how many registered for each event... Here is what i am talking about (and it has a payment option to charge for an event which would be PERFECT if you could do) http://www.cescripts.com/demo/registration/view-events.php
Please let me know if there is a way to add this option or create...
, Hi,
First and foremost, a great product. I downloaded it last night and it took little effort to get it up and running 
.....now a little question...
Has the software/code been tried out on a Mysql db and if so did it work?
The reason I ask is that my website is very busy (1.5million page views per month avg) and I'm considering converting the ASPBanner Access db to a Mysql one to help handle the traffic. For every page view one banner impression is being made which means that the Access db is under a bit of pressure
This afternoon there were 1012 simultanious users on the website and it froze with an error message displaying where the banner should have been (I didn't quite catch the message but something to do with the banner script timing out). I'm not sure if the Access db had something to do with it but it seemed too coincidental. Rebooting the server cured the problem but obviously kicked off the visistors as well
At present there's 668 online and no problems so I'll have to monitor it to see how it goes but if anyone can answer the Mysql question I'd be grateful
Thanks,
Dave , Ahhh, I see it, thanks that was the ticket.
, humm
expiration dates in the aspprotect system are not used at all when using paypal subscriptions.. all date handling is done on their end actually
and they of course send notices from their system to the user regarding their subscription and when it renews,cancels, etc etc
so I am pretty sure any errors with that would have more to do with the info you used for the subscription setup and possibly any paypal settings associated with it
its hard to say at this point
The smart thing to do I think.. would be to sign up someone using another PayPal account (your allowed 2)... and while doing it be very careful about the subscription setup data.. and then as soon as the subscription is created review all the info in the paypal system and see if the length of the subscription / expiration.. etc etc in the paypal system info looks right..
at least then you can begin to troubleshoot what is going on... , OK, so I misread the instructions. Wouldn't have been the first time
that happened... but I just had an account get created, guy then
paid, and... no activation. I had to go in the next day and do that by
hand. What should I do to look for troubleshooting on the issue? I've
got all the default directories set up and all the files where they
should be. What next?
, Hi
I would like to ensure the the user uses a UK style postcode not a clue how to ensure this as I am new to asp. Any ideas?
regards
John , Adding Support For ServerObjects ASPMail
ASPProtect as you know does not support ServerObjects ASPMail component by default.
Here are directions to make it work.
In the ASPProtect admin settings area simply pretend as if you are using the softartisans sasmtp mailer component. ASPMail and that sasmtp component share the same properties… and the code used for them is nearly identical.
So search through the code for any place where email is sent and simply change
Set Mailer = Server.CreateObject("SoftArtisans.SMTPMail")
To
Set Mailer = Server.CreateObject("SMTPsvg.Mailer")
It is about 4 places. They are not too hard to find.
That’s the easy way to get all the emailing functions working with ASPMail cwilliams38419.7864351852, Hi, I am wondering if I can redirect users with "GROUPACCESS"
just like access levelS. I tried to redirect using both "Groups"
and "GROUPACCESS" example below:
<%
If Session("GROUPACCESS") = "1" Then
Response.Redirect("group1.asp")
Else
Response.Redirect("allothers.asp")
End If
%>
I could only get the Access_Level to actually redirect. Is
this something the option pack supports? If so, any words of
advice?
, good news.. like I said it is probably becuase aol blocks emails sent from IP's with no MX record in the dns system , It is not something I did when I wrote the emailing sub routines. You would have to edit the email sub routine for CDONTS and add something to it most likely. The email sub routines are in the "scripts" folder in the "emailing_subs_inc.asp" file.
I am not sure you can do that when using CDONTS though I think you can do it with CDOSYS. You would have to do some research and edit the code like I mentioned.
, you dont want to use the virtual smtp virtual server method... you want to use a real remote email server with valid MX records..
ultimately though after all that is going is it is out of the hands of the asp code and it becomes issues other then the code sending the email... regarding to whether or not emails get blocked by certain organizations
For example:
I have many aol users sign up for various systems I have running without issue. I use CDOSYS with my own server mail.cjwsoft.com which has proper MX records set up.
I would also try to determine the difference between blocking and spam/junk email filtering. It is impoirtant to truly know what is going on.
Sometimes adding more information to the body of the emails going out will eliminate the junk mail filters from gettings the emails.
Then you have the various open relay lists that places like AOL use. If your email server or IP sending the email is on those lists for spamming you do not stand a chance. That is all out of the hands of the ASP code.
, My guess is they are not going to allow you to run your own oledb connector out of your own personal bin directory.
I don't think your going to be able to modify aspprotect to work under
that environment very easily, but I would give 1&1 a chance to
explain their reasoning and they might actually be able to provide a
simple fix who knows.
I have never seen a situation where a host goes messing around with
.NET that worked out good for anyone. I'm sure they have a reason, but
the entire world writes code to work on the platform as Microsoft
shipped it not as someone decided was a better way to set it up.
, Gotcha.
Can you set an expiration date on a subscription?
Thanks,
Jess ,
I am successfully using ASP protect on our site. I have one question:
The file Check_user_inc.asp looks a bit bland as I can't seem to use the sites Dreamweaver template. If I apply a template to this page, it is duplicated on other pages with this template.
How can I apply a template to this page?
Thanks
Clark
, I have ASPPhotoGallery installed. Everything has been working great for some time. Suddenly, for no apparent reason, I am not getting the "Hits" incremented when a user opens an album. It works when an administrator is logged on. Does not for any anonymous users. Everything else seems to work fine. Again, this used to work. Any ideas. , Its a great idea. I didnt really check the counter until the album started working. Its a great concept though., ASPProtect v7 comes with working example code of protecting an image from being downloaded and also protects the true file location of the image on your server..
This comes with the system as an example folder with some files in it.
(some of the initial purchaser's of the system might not have that directory.. if that is the case please ask)
Here is how it works...
Basically we protect the image in 2 ways.
- We use Javascript right click disabling code that works in both IE and Firefox.
- We stream the image via a special password protected ".asp" page and use an image tag to call it. This hides the true location of the file. You can therefore keep your images out of your web or keep them in a folder in your web that does not allow file browsing. Under this scenario even if someone looks at the img tag html source they can not tell where the file came from. Doing all of this allows you to offer certain images only to people that are logged in.
All in all this is should be very effective protection. Yes, there are still ways to get the images like doing screen captures, but this will ensure that people viewing images are logged in to your site. This will in most cases keep them from right clicking and saving the images. This will ensure that people can not tell other people the image's url location and it will ensure other sites can not leach your images and bandwidth.
For the image protection examples to work you may need to edit some values
in the stream_pic.asp file that are valid for your setup.
Look at the source. The values you can edit are commented.
Now, you also need to call a valid "image file name" from the call_pic.asp file which is an example of how you protect a page with javascript and call a streamed image using an image tag.
Lasty, here is a great article I found on image protection and some of the things you can do about it and some of things you cannot.
http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID =41 ,
IMPORTANT UPDATE - READ THIS
http://support.cjwsoft.com/forum/forum_posts.asp?TID=205& ;PN=1
The IPN Subscription Pack which is built in to ASPProtect 7 contains all the pre-built scripts you need to implement PayPal IPN Subscriptions with ASPProtect. IPN stands for (Instant Payment Notification). It allows you to set up scripts on your server so whenever a PayPal payment is processed the PayPal server sends info to your server regarding the transaction and vice versa. This is a fully automated process and allows you to charge users for access by the month or however long you like.
The Subscription feature of PayPal handles recurring billing automatically. The PayPal server will communicate with the ASPProtect system and keep everything up to date with users and their subscriptions.
This Support Pack basically gives you an additional signup and registration directory "paypal_sub_signup" and it should not interfere with any changes or customizations you have made to your ASPProtect setup. New users can register in this directory and sign up for a subscription at the same time. Existing users whether active or expired can be sent to this directory where they can lookup their account and start a subscription. You can also assign various Access and Group Levels during signup and you can set up various prices for various amounts of time as well. This is a real-time setup for the most part. As soon as a user pays via PayPal your system is updated and they will have access.
To use this all you need to do in ASPProtect 7 is enter your PayPal account name into the settings screen. It will be an email address. You'll need a business or premier account with PayPal and you will need log into your PayPal account and turn on IPN in you profile. They make you enter a default IPN URL. We do not use that so if you already have something there leave it there. If you dont have something there you can type in any the full url to any page on your server. It's probably best to send it to an empty ".asp" page or something.
Changing Payment Options
In the "paypal1.asp" file there are some sample payment options set up.
They look like this and you can have as many as you like.
<!-- Begin Payment Option Code -->
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_blank">
<% Label = "Membership (1 Month) $9.99 Recurring" %>
<!-- Begin Form Fields You Can Edit.. See PayPal Subscription Manual For Details -->
<input type="hidden" name="no_shipping" value="1">
<input type="hidden" name="no_note" value="1">
<input type="hidden" name="a3" value="9.99">
<input type="hidden" name="p3" value="1">
<input type="hidden" name="t3" value="M">
<input type="hidden" name="src" value="1">
<input type="hidden" name="sra" value="1">
<!-- Field Below must have 2 commas First two values are optional (access level,groups,user ID)-->
<input type="hidden" name="custom" value=",,<% =User_ID %>">
<!-- End Form Fields You Can Edit.. See PayPal Subscription Manual For Details -->
<!--#INCLUDE FILE="form_data_inc.asp"-->
<input type="image" src="https://www.paypal.com/images/x-click-but20.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>
<hr>
<!-- End Payment Option Code -->
To really understand what these form values mean it is best to look through the PayPal Subscriptions Manual which is a PDF file you can get from the PayPal Site.
This link was valid the last I checked...
Subscriptions and Recurring Payments Manual
It also may be helpful to use their wizard to create some subscription buttons with different settings and then look at the code generated.
Bascially these are the important ones..
|
a3 - amount to billed each recurrence
t3 - time period (D=days, W=weeks, M=months, Y=years)
p3 - number of time periods between each recurrence |
The custom field is something we are using to send info from ASPProtect to PayPal.
it allows you to set the access_level or groups access (groups support require the ASPProtect Option Pack)
<input type="hidden" name="custom" value=",,<% =User_ID %>">
or this example where we are setting the access_level to (2) and also giving the user access to groups (3 and 4)
<input type="hidden" name="custom" value="2,*3*4*,<% =User_ID %>">
Here is how it works.
The value setting (red) is essentially and array that can be made up 3 elements separated by comma's
access_level,groups,User_ID
If you do not want to set the access_level or groups access.. then you don't even need to edit the setting.
Values must be separated by a comma even if there is no value and there can be no spaces. If you didn't want to set an access level or groups there would still be 2 commas at the beginning. etc etc
Basically there must always be 2 commas but you only have to set last values which is the User_ID from the ASPProtect system.
The 1st value is the access level you want to user assigned to.
The 2nd option is the groups you want the user assigned to. (requires option pack)
The 3rd option is the User_ID which the system takes care of. Do not edit this option. Leave it as <% =User_ID %>
cwilliams38421.7141782407,
Timecard Entry: 3/25/2006 4:55:19 PM
Traveled to Watertown office for meeting with channel 7, Section meeting w/Paul, Meet with St. Lawrence Chamber, Sent out an e-mail in response to AUQ e-mail. , Started balance sheet, tech calls, ask us a question..., Research on Cisco Products and pricing as per Randy., Posted account and did a detail of checks and cash for a bank deposit. Ans. phone, customer inquiries, credit card authorizations ., Checked online issues and anything else that needed to be done for the night, Set up meeting for Thursday with new Chamber officers at Alex Bay Chamber, Returned to Clayton- No Miles, meetings with Bill, Drew and Kris, *TaskForce: Exchange 2000 Development and Research, Putting desks together., sorted the mail, Yet more time on the phone w/ Don Davidson (a prospect), E-mail & timecards - Seth - database - steve CG - Graters - lien, ispcon, ispbf, CHRIS BYRNS UPLOAD PHOTOS AND ADD AUCTION PAGES AND LISTINGS FOR NEW AUCTIONS, found materials on Marketing on the web, printed out and placed on Chris desk, ticker admin, team meeting, voicemail, call backs, drove to watertown, fix madrid circuit by looping up the serial port. , phones, invoices, etc., s/w ef, scheduled times to review mbos for 4/5/00 and emailed. faxed him schedule and letter. s/w steve rose from oneonta. to email me list of banks and contacts and ids to partner with. s/w paul paige at bath ntl in hornell about bundle program and eds computers. talked to jw about distributor program. to review database of distributors and plan course of action, beginning with ecm systems in two weeks. (recor?) lm for jb about bundle receipt for sp. emailed kw at seneca about kathy sable. emailed new potential in vt., lunch, Enter bills, Training for Jeff-Lewis,
|
