Hi, I'm pretty new when it comes to dealing with javascript.
I have created a webpage that is a login page. All users must log in once to gain access to other pages.
If the user decides to jump the login and try to go straight to the pages, I have them autoforwarded back to the login page.
The only problem is that even when the user logs in and they have access to a page, that page then autoforwards them back to the login page. How do I stop this from happening?
I only want the user to log in once and gain access to the pages. I only want them autoforwarded back to the login page if they haven't logged in.
This is my autoforwarding method. Which is on each of the pages. It's a bit daft to have this on each page as it will always keep forwarding them from their current page:
<meta http-equiv="refresh" content="0; URL=http://...login.html">
[Note: I am using dreamweaver at the moment, and I am trying to create a javascript to solve this problem. It's not going well at the moment, as I'm not sure how to call a function from a html page to a javascript page.]
Anyone got any ideas or solutions? Any help you can give would be great.
Thanks in advance!
|
My first thought is that attempting to have authentication and security controlled only by client-side script is not very secure. All a person has to do is disable javascript and your scripts will stop running.
If you want a page to require authentication before you allow a user to view it, then you really need to do that server-side so the web server never even serves the protected page unless authentication has passed. Web servers have built in methods to password protect directories that you may be able to use -- depending on your hosting situation. Otherwise, you have ASP, PHP, or CGI scripting as your most common server-side scripting options.
If you really don't care about security, you could do an all-javascript, client-side system that appears to be secure. You'll want to look into setting and retrieving cookies. When a user logs in, set a temporary cookie indicating success and possibly a user ID if you want one. Then, each protected page should first check that cookie, and if not logged in, redirect to the login form. You'll use document.location = "login.html" instead of the META refresh trick. The problem is, though, you've already served the page. If your script fails (or the user disables script), the user already has your "protected" page!
|
Thanks for your quick reply. I found out yesterday on the net something about javascript and poor security. You have confirmed my suspicions. I'm scrapping the javascript plan.
Anyway, I have been thinking about asp sessions. If I were to change the login.html to login.asp and then include session variables, do you think that will work and do you think that will be secure?
Only problem is, I'm not really sure how to code session variables. :S
Thanks.
|
I don't know. I've never seen that error. When I search Google, I get a LOT of hits for that error with people wanting help. I found no answers! I did find a lot of references to the Apache httpd.conf file. Is your webserver Apache? Might be a place to investigate anyway. Sorry I can't help with that one.
Since you are in a learning process, I recommend working off your local workstation as a webserver. If you are running Windows, you can install IIS free--it's on the Windows XP cd. It's an additional Windows component you can add.
|
Night, don't forget to follow up here in the forum with your solution. Without feedback, your struggle won't be able to help future forum readers.
Thanks for using codetoad.com forums! :)
|
I would firstly like to thank you for your patience and help. Your guidance has helped me learn a lot about asp in a few days!
Therefore I will be rewarding you top marks, once I find the marking section. You can consider this as problem solved!
--------------------------------
NOTE:
I have however found a way of stopping the user going back to the protected pages once they have logged out. The way is to stop each protected page from being cached.
<% Response.CacheControl = "no-cache" %>
<% Response.AddHeader "Pragma", "no-cache" %>
<% Response.Expires = -1 %>
I was lucky to find this coding at the time.
--------------------------------
Thanks again! :)
<Added>
Okay, how do you award marks?
|
There is not any kind of award or post rating system, so don't worry about that. Thanks for your kindness. I'm glad the cache control settings are working for you. I said there "was not much" you could do to stop the user from hitting the back button and seeing the previous member page even though logged out. In my experience, the cache control settings are not always followed by the client's browser--so you can't 100% depend on that. But they are designed for exactly this purpose, so use them. :)
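The server-side session check and the cache headers discussed in this thread, put together as an added example (not code posted by either participant): a guard file included at the top of each protected page, plus a logout page. The file names guard.asp, members.asp and logout.asp and the Session("LoggedIn") flag are assumptions; login.asp is assumed to set that flag only after the server has verified the password.

```asp
<%
' ---- guard.asp (hypothetical name): included first in every protected page ----

' Ask the browser and any proxy not to keep a copy of this page, so the
' Back button after logout has to go back to the server.
Response.CacheControl = "no-cache, no-store, must-revalidate"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1

' The check runs on the server before any page content is sent.
' Session("LoggedIn") is Empty for a visitor who never logged in
' (or whose session was abandoned), so this branch is taken.
If Session("LoggedIn") <> True Then
    Response.Redirect "login.asp"
End If
%>

<% ' ---- members.asp (hypothetical name): a protected page ---- %>
<!--#include file="guard.asp"-->
<html>
<body>
  <p>Members-only content goes here.</p>
  <p><a href="logout.asp">Log out</a></p>
</body>
</html>

<%
' ---- logout.asp (hypothetical name) ----
' Clear the flag now and discard the session, then return to the login form.
Session.Contents.RemoveAll
Session.Abandon
Response.Redirect "login.asp"
%>
```

Any request for a protected page after logout is redirected by the server whether or not script is enabled in the browser; the cache headers only address copies the browser already holds.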