1

I test for an empty session variable upon page load and if true request an AJAX function that invokes an include file, a hidden overlaid HTML login form with ASP script made visible through JS. This works as expected.

Upon form submission, I test for an empty password, an incorrect password and a correct password. This also works fine.

However, calling either JS or setting vbscript conditional variables to hide the overlaid form once these conditions are tested has no effect.

Clearing the cache by either navigating away and hitting F5 or simply doing such after entering and submitting the form clears the overlay and proves session variables have been set.

There are two issues here:-

  1. Why does the ASP page not refresh each time it is invoked? I test this by toggling a visible text line, saving the form, and then invoking the form through its submit button.

  2. Why do the embedded JS or ASP script variables have no effect. I test the JS with a console.log.

First the JS code:

function checkLogin() {
  var password = document.getElementById("password").value;
  var userID = document.getElementById("UserID").value;
  if (password != null) {
    if (window.XMLHttpRequest) {
      var xmlhttp = new XMLHttpRequest();
    } else {
      var xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    xmlhttp.onreadystatechange = function () {
      if (this.readyState == 4 && this.status == 200) {
        console.log("xxx: " + document.getElementById("session").value);

        if (document.getElementById("session").value == true) {
          document.getElementById("overlay").style.display = "none";
          document.getElementById("login").style.display = "none";
        }
        document.getElementById("password").innerHTML = password;
      }
    };
    xmlhttp.open("GET", "includes/checkpw.asp?u=" + userID + "&p=" + password);
    xmlhttp.send();
  }
}

And the include file:

<%
    response.expires = -1
    
    set conn = server.createobject("ADODB.connection")%>
    <!--- #include virtual=/includes/connpath.asp -->
    
    <%querySQL = "qryselUser"
    set recset = conn.execute(querySQL)
    if not recset.bof and not recset.eof then
        arrUser = recset.getrows
        countUser = ubound(arrUser,2)
    end if%>
    
    <%if Request.Form("formbtn") = "Cancel" then
        Session.Abandon
        conn.close()
        set conn = nothing
        Response.Redirect "default.asp"
    end if
    
    querySQL = "qryselUser"
    set recset = conn.execute(querySQL)
    if not recset.bof and not recset.eof then
        arrUser = recset.getrows
        countUser = ubound(arrUser,2)
    end if%>
    
    <%UserID = cint(request.querystring("u"))
    password = request.querystring("p")
    if password <> "" then
        querySQL = "qryselLogin'" & UserID & "'"
        set recset = conn.execute(querySQL)
        arrUser = recset.getrows
        recset.close
        set recset = nothing
        if UserID = arrUser(0,0) and password = arrUser(2,0) then
            session("id") = arrUser(0,0)
            session("level") = arrUser(3,0)
            session("lock") = arrUser(4,0)
            sessiontrue = true
            conn.close()
            set conn = nothing%>
        <%else
            userError = "Either Username or Password is incorrect"%>
            <script>console.log("Error")</script>
            <%querySQL = "qryselUser"
            set recset = conn.execute(querySQL)
            arrUser = recset.getrows
            countUser = ubound(arrUser,2)   
            recset.close
            set recset = nothing
        end if
    end if%>
    
    <form method="post" action="adminsite.asp" class="formblock" action="adminsite.asp">
        <h2>Login</h2>
        <input id="todo" name="todo" type="hidden" value="login" />
        <input id="session" name="session" type="hidden" value="<%=sessiontrue%>" />
        <label for="UserID">Username</label>
        <select name="UserID" id="UserID" onkeypress="return nextfield('password')">
            <%for m = 0 to countUser%>
                <option value="<%=arrUser(0,m)%>"<%if UserID = arrUser(0,m) then%> selected='selected'<%end if%>><%=arrUser(1,m)%></option>
            <%next%>
        </select><br />
        <label for="password">Password</label><input id="password" name="password" value="<%=password%>" onkeypress="return nextfield('formbtn')" type="password" maxlength="50" size="20" autocomplete="on" />
        <a class="showpw" id="showpw" onclick="showLoginPw();">Show Password</a><br />
        <%if userError <> "" then%>
            <span class="warn"><%=userError%></span>
            <span class="forgot">Forgot password? <a href="forgotpassword.asp" target="_blank">Request a new one</a>.</span>
        <%end if%>
        <input type="button" onclick="checkLogin();checkSession();" value="Login" class="formbtn" name="formbtn" id="formbtn" />
    <!--        <a class="formbtn" onclick="" target="checkLogin">Login</a>-->
        <input type="submit" value="Cancel" class="formbtn" name="formbtn" name="formcancel" id="formcancel" />
    <%if session("id") <> "" then%>
            <script>
            document.getElementById('overlay').style.display='none';
            document.getElementById('login').style.display='none';
            </script>
    <%end if%>
    </form>
    <%if session("id")<>"" then
        response.Write "<p>xxx: "& userError &"</p>"
    end if%>

I am stumped. and I clearly do not know what I am doing, hence requesting help.

Flakes
  • 2,422
  • 8
  • 28
  • 32
Mike Pepper
  • 31
  • 2
  • The asp code shown, is that the page being called in the ajax call? Or is the shown JavaScript and asp in the same page? Your referring to an "included file" is a bit confusing. – Flakes Jul 23 '20 at 10:55
  • You realise that passing the `password` as a querystring it will be displayed in the browser and will also get logged in the website log files? This practice is frowned upon and can be seen as a security risk. – user692942 Jul 23 '20 at 14:31
  • 1
    Yes, the ajax call invokes asp the file, which itself is an include file in the main page body. As you rightly point out using a querystring is dumb. I have changed the xmlhttp to a post request and updated the code appropriately in the asp file. – Mike Pepper Jul 24 '20 at 07:14

1 Answers1

-1

Add a date and time to make the query unique each time.

xmlhttp.open("GET","includes/checkpw.asp?u="+userID+"&p="+password+now());

Abbey
  • 1
  • 2
  • Would not recommend this (especially concatenated directly on to the end of the password). Should use the `setRequestHeader()` to set the cache-control headers. – user692942 Jul 23 '20 at 14:33
  • I have included request headers for Content-Type (which I overlooked) and a contrived date stamp - Request-Date - with Date.now() as the value. – Mike Pepper Jul 24 '20 at 07:20
  • And further added the Cache-Control header with a max-age of 0. However, with all the above adjustments, I still cannot get the JS to trigger when both UserID and password are correctly entered. As mentioned above, forcing a page refresh shows the session variables to have been set since the login overlay does not appear. – Mike Pepper Jul 24 '20 at 07:51
  • 1
    Incidentally, the purpose of the overlay login as opposed to what I originally had, a redirect to a dedicated login form that worked fine, is to intercept form submission with a lapsed session, reset the session vars then submit the form. – Mike Pepper Jul 24 '20 at 08:00
  • @mikepepper You might need to rethink this, especially the way ajax works. I don't think you can access the page values from the ajax request. – Flakes Jul 26 '20 at 07:25