<% Dim rs, dbcon %> <% Function OpenDB() Set dbcon = Server.CreateObject("ADODB.Connection") dbcon.connectionTimeout = Session("ConnectionTimeout") dbcon.CommandTimeout = Session("CommandTimeout") dbcon.Open Session("ConnectionString") End Function %> <% Function openRS() Set rs = dbcon.Execute(sql) End Function %> <% Function CloseDB() ' close cursor and database connection Set rs = Nothing ' NOTICE! I used to have this as OBJECT, but ' found out later that it is now being returned as CONNECTION ' so update your code! if ucase(TypeName(dbCon)) = "CONNECTION" then dbCon.Close Set dbCon = Nothing end if End Function %> <% 'Function IllegalChars to guard against SQL injection Function sqlcheck(sInput) 'Declare variables Dim sBadChars, iCounter 'Set IllegalChars to False sqlcheck=False 'Create an array of illegal characters and words sBadChars=array("select", "drop", ";", "--", "insert", "delete", "xp_", _ "#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "|") 'Loop through array sBadChars using our counter & UBound function For iCounter = 0 to uBound(sBadChars) 'Use Function Instr to check presence of illegal character in our variable If Instr(sInput,sBadChars(iCounter))>0 Then sqlcheck=True End If Next End function %> <% action = request.querystring("action") ver = "Version 1.50.0 for ASP
Febuary 24, 2009" copy = "Copyright MyWebDoor 2007-2009" formvar = "?morphy=1" %> <% call opendb() sql = "SELECT * FROM [information_schema].[columns] WHERE table_Name='validadmin'" call openrs() %> <% if rs.eof <> TRUE then %> <% call opendb() sql = "select coalesce(col_length('valid', 'login_fname'),0)" call openrs() if clng(rs(0))>0 then call closedb()%> <%'response.write("column is here")%> <%else%> <%'response.write("column does not exist")%> <% call opendb() sql = "alter table valid add login_fname varchar(50), login_lname varchar(50)" call openrs() %> <%end if%> <% call opendb() sql = "select coalesce(col_length('valid', 'lip'),0)" call openrs() if clng(rs(0))>0 then call closedb()%> <%'response.write("column is here")%> <%else%> <%'response.write("column does not exist")%> <% call opendb() sql = "alter table valid add lip varchar(50), ltime varchar(50), ldate varchar(50)" call openrs() %> <%end if%> <% else response.write("Creating Tables") %> <% call opendb() sql = "create table dbo.valid (keyindex int IDENTITY NOT NULL primary key, svalidemailaddress varchar(50), svalidpassword varchar(50), userlevel varchar(50), email varchar(50), verify_question varchar(50), verify_answer varchar(50), username varchar(50), login_fname varchar(50), login_lname varchar(50), lip varchar(50), ldate varchar(50), ltime varchar(50))" call openrs() %> <% call opendb() sql = "create table dbo.validadmin (keyindex int IDENTITY NOT NULL primary key, allowreg varchar(50), allowpasslook varchar(50), passlookpage varchar(50), adminsetup varchar(50), pagename varchar(50), masterdirectory varchar(50), firstpage varchar(50))" call openrs() %> You do not have sufficient permission for this operation

<%'response.redirect "login.asp"%> <% response.end end if %> <% ' Derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm, ' as set out in the memo RFC1321. ' ' ' ASP VBScript code for generating an MD5 'digest' or 'signature' of a string. The ' MD5 algorithm is one of the industry standard methods for generating digital ' signatures. It is generically known as a digest, digital signature, one-way ' encryption, hash or checksum algorithm. A common use for MD5 is for password ' encryption as it is one-way in nature, that does not mean that your passwords ' are not free from a dictionary attack. ' ' This is 'free' software with the following restrictions: ' ' You may not redistribute this code as a 'sample' or 'demo'. However, you are free ' to use the source code in your own code, but you may not claim that you created ' the sample code. It is expressly forbidden to sell or profit from this source code ' other than by the knowledge gained or the enhanced value added by your own code. ' ' Use of this software is also done so at your own risk. The code is supplied as ' is without warranty or guarantee of any kind. ' ' Should you wish to commission some derivative work based on this code provided ' here, or any consultancy work, please do not hesitate to contact us. ' ' Web Site: http://www.frez.co.uk ' E-mail: sales@frez.co.uk Private Const BITS_TO_A_BYTE = 8 Private Const BYTES_TO_A_WORD = 4 Private Const BITS_TO_A_WORD = 32 Private m_lOnBits(30) Private m_l2Power(30) m_lOnBits(0) = CLng(1) m_lOnBits(1) = CLng(3) m_lOnBits(2) = CLng(7) m_lOnBits(3) = CLng(15) m_lOnBits(4) = CLng(31) m_lOnBits(5) = CLng(63) m_lOnBits(6) = CLng(127) m_lOnBits(7) = CLng(255) m_lOnBits(8) = CLng(511) m_lOnBits(9) = CLng(1023) m_lOnBits(10) = CLng(2047) m_lOnBits(11) = CLng(4095) m_lOnBits(12) = CLng(8191) m_lOnBits(13) = CLng(16383) m_lOnBits(14) = CLng(32767) m_lOnBits(15) = CLng(65535) m_lOnBits(16) = CLng(131071) m_lOnBits(17) = CLng(262143) m_lOnBits(18) = CLng(524287) m_lOnBits(19) = CLng(1048575) m_lOnBits(20) = CLng(2097151) m_lOnBits(21) = CLng(4194303) m_lOnBits(22) = CLng(8388607) m_lOnBits(23) = CLng(16777215) m_lOnBits(24) = CLng(33554431) m_lOnBits(25) = CLng(67108863) m_lOnBits(26) = CLng(134217727) m_lOnBits(27) = CLng(268435455) m_lOnBits(28) = CLng(536870911) m_lOnBits(29) = CLng(1073741823) m_lOnBits(30) = CLng(2147483647) m_l2Power(0) = CLng(1) m_l2Power(1) = CLng(2) m_l2Power(2) = CLng(4) m_l2Power(3) = CLng(8) m_l2Power(4) = CLng(16) m_l2Power(5) = CLng(32) m_l2Power(6) = CLng(64) m_l2Power(7) = CLng(128) m_l2Power(8) = CLng(256) m_l2Power(9) = CLng(512) m_l2Power(10) = CLng(1024) m_l2Power(11) = CLng(2048) m_l2Power(12) = CLng(4096) m_l2Power(13) = CLng(8192) m_l2Power(14) = CLng(16384) m_l2Power(15) = CLng(32768) m_l2Power(16) = CLng(65536) m_l2Power(17) = CLng(131072) m_l2Power(18) = CLng(262144) m_l2Power(19) = CLng(524288) m_l2Power(20) = CLng(1048576) m_l2Power(21) = CLng(2097152) m_l2Power(22) = CLng(4194304) m_l2Power(23) = CLng(8388608) m_l2Power(24) = CLng(16777216) m_l2Power(25) = CLng(33554432) m_l2Power(26) = CLng(67108864) m_l2Power(27) = CLng(134217728) m_l2Power(28) = CLng(268435456) m_l2Power(29) = CLng(536870912) m_l2Power(30) = CLng(1073741824) Private Function LShift(lValue, iShiftBits) If iShiftBits = 0 Then LShift = lValue Exit Function ElseIf iShiftBits = 31 Then If lValue And 1 Then LShift = &H80000000 Else LShift = 0 End If Exit Function ElseIf iShiftBits < 0 Or iShiftBits > 31 Then Err.Raise 6 End If If (lValue And m_l2Power(31 - iShiftBits)) Then LShift = ((lValue And m_lOnBits(31 - (iShiftBits + 1))) * m_l2Power(iShiftBits)) Or &H80000000 Else LShift = ((lValue And m_lOnBits(31 - iShiftBits)) * m_l2Power(iShiftBits)) End If End Function Private Function RShift(lValue, iShiftBits) If iShiftBits = 0 Then RShift = lValue Exit Function ElseIf iShiftBits = 31 Then If lValue And &H80000000 Then RShift = 1 Else RShift = 0 End If Exit Function ElseIf iShiftBits < 0 Or iShiftBits > 31 Then Err.Raise 6 End If RShift = (lValue And &H7FFFFFFE) \ m_l2Power(iShiftBits) If (lValue And &H80000000) Then RShift = (RShift Or (&H40000000 \ m_l2Power(iShiftBits - 1))) End If End Function Private Function RotateLeft(lValue, iShiftBits) RotateLeft = LShift(lValue, iShiftBits) Or RShift(lValue, (32 - iShiftBits)) End Function Private Function AddUnsigned(lX, lY) Dim lX4 Dim lY4 Dim lX8 Dim lY8 Dim lResult lX8 = lX And &H80000000 lY8 = lY And &H80000000 lX4 = lX And &H40000000 lY4 = lY And &H40000000 lResult = (lX And &H3FFFFFFF) + (lY And &H3FFFFFFF) If lX4 And lY4 Then lResult = lResult Xor &H80000000 Xor lX8 Xor lY8 ElseIf lX4 Or lY4 Then If lResult And &H40000000 Then lResult = lResult Xor &HC0000000 Xor lX8 Xor lY8 Else lResult = lResult Xor &H40000000 Xor lX8 Xor lY8 End If Else lResult = lResult Xor lX8 Xor lY8 End If AddUnsigned = lResult End Function Private Function F(x, y, z) F = (x And y) Or ((Not x) And z) End Function Private Function G(x, y, z) G = (x And z) Or (y And (Not z)) End Function Private Function H(x, y, z) H = (x Xor y Xor z) End Function Private Function I(x, y, z) I = (y Xor (x Or (Not z))) End Function Private Sub FF(a, b, c, d, x, s, ac) a = AddUnsigned(a, AddUnsigned(AddUnsigned(F(b, c, d), x), ac)) a = RotateLeft(a, s) a = AddUnsigned(a, b) End Sub Private Sub GG(a, b, c, d, x, s, ac) a = AddUnsigned(a, AddUnsigned(AddUnsigned(G(b, c, d), x), ac)) a = RotateLeft(a, s) a = AddUnsigned(a, b) End Sub Private Sub HH(a, b, c, d, x, s, ac) a = AddUnsigned(a, AddUnsigned(AddUnsigned(H(b, c, d), x), ac)) a = RotateLeft(a, s) a = AddUnsigned(a, b) End Sub Private Sub II(a, b, c, d, x, s, ac) a = AddUnsigned(a, AddUnsigned(AddUnsigned(I(b, c, d), x), ac)) a = RotateLeft(a, s) a = AddUnsigned(a, b) End Sub Private Function ConvertToWordArray(sMessage) Dim lMessageLength Dim lNumberOfWords Dim lWordArray() Dim lBytePosition Dim lByteCount Dim lWordCount Const MODULUS_BITS = 512 Const CONGRUENT_BITS = 448 lMessageLength = Len(sMessage) lNumberOfWords = (((lMessageLength + ((MODULUS_BITS - CONGRUENT_BITS) \ BITS_TO_A_BYTE)) \ (MODULUS_BITS \ BITS_TO_A_BYTE)) + 1) * (MODULUS_BITS \ BITS_TO_A_WORD) ReDim lWordArray(lNumberOfWords - 1) lBytePosition = 0 lByteCount = 0 Do Until lByteCount >= lMessageLength lWordCount = lByteCount \ BYTES_TO_A_WORD lBytePosition = (lByteCount Mod BYTES_TO_A_WORD) * BITS_TO_A_BYTE lWordArray(lWordCount) = lWordArray(lWordCount) Or LShift(Asc(Mid(sMessage, lByteCount + 1, 1)), lBytePosition) lByteCount = lByteCount + 1 Loop lWordCount = lByteCount \ BYTES_TO_A_WORD lBytePosition = (lByteCount Mod BYTES_TO_A_WORD) * BITS_TO_A_BYTE lWordArray(lWordCount) = lWordArray(lWordCount) Or LShift(&H80, lBytePosition) lWordArray(lNumberOfWords - 2) = LShift(lMessageLength, 3) lWordArray(lNumberOfWords - 1) = RShift(lMessageLength, 29) ConvertToWordArray = lWordArray End Function Private Function WordToHex(lValue) Dim lByte Dim lCount For lCount = 0 To 3 lByte = RShift(lValue, lCount * BITS_TO_A_BYTE) And m_lOnBits(BITS_TO_A_BYTE - 1) WordToHex = WordToHex & Right("0" & Hex(lByte), 2) Next End Function Public Function MD5(sMessage) Dim x Dim k Dim AA Dim BB Dim CC Dim DD Dim a Dim b Dim c Dim d Const S11 = 7 Const S12 = 12 Const S13 = 17 Const S14 = 22 Const S21 = 5 Const S22 = 9 Const S23 = 14 Const S24 = 20 Const S31 = 4 Const S32 = 11 Const S33 = 16 Const S34 = 23 Const S41 = 6 Const S42 = 10 Const S43 = 15 Const S44 = 21 x = ConvertToWordArray(sMessage) a = &H67452301 b = &HEFCDAB89 c = &H98BADCFE d = &H10325476 For k = 0 To UBound(x) Step 16 AA = a BB = b CC = c DD = d FF a, b, c, d, x(k + 0), S11, &HD76AA478 FF d, a, b, c, x(k + 1), S12, &HE8C7B756 FF c, d, a, b, x(k + 2), S13, &H242070DB FF b, c, d, a, x(k + 3), S14, &HC1BDCEEE FF a, b, c, d, x(k + 4), S11, &HF57C0FAF FF d, a, b, c, x(k + 5), S12, &H4787C62A FF c, d, a, b, x(k + 6), S13, &HA8304613 FF b, c, d, a, x(k + 7), S14, &HFD469501 FF a, b, c, d, x(k + 8), S11, &H698098D8 FF d, a, b, c, x(k + 9), S12, &H8B44F7AF FF c, d, a, b, x(k + 10), S13, &HFFFF5BB1 FF b, c, d, a, x(k + 11), S14, &H895CD7BE FF a, b, c, d, x(k + 12), S11, &H6B901122 FF d, a, b, c, x(k + 13), S12, &HFD987193 FF c, d, a, b, x(k + 14), S13, &HA679438E FF b, c, d, a, x(k + 15), S14, &H49B40821 GG a, b, c, d, x(k + 1), S21, &HF61E2562 GG d, a, b, c, x(k + 6), S22, &HC040B340 GG c, d, a, b, x(k + 11), S23, &H265E5A51 GG b, c, d, a, x(k + 0), S24, &HE9B6C7AA GG a, b, c, d, x(k + 5), S21, &HD62F105D GG d, a, b, c, x(k + 10), S22, &H2441453 GG c, d, a, b, x(k + 15), S23, &HD8A1E681 GG b, c, d, a, x(k + 4), S24, &HE7D3FBC8 GG a, b, c, d, x(k + 9), S21, &H21E1CDE6 GG d, a, b, c, x(k + 14), S22, &HC33707D6 GG c, d, a, b, x(k + 3), S23, &HF4D50D87 GG b, c, d, a, x(k + 8), S24, &H455A14ED GG a, b, c, d, x(k + 13), S21, &HA9E3E905 GG d, a, b, c, x(k + 2), S22, &HFCEFA3F8 GG c, d, a, b, x(k + 7), S23, &H676F02D9 GG b, c, d, a, x(k + 12), S24, &H8D2A4C8A HH a, b, c, d, x(k + 5), S31, &HFFFA3942 HH d, a, b, c, x(k + 8), S32, &H8771F681 HH c, d, a, b, x(k + 11), S33, &H6D9D6122 HH b, c, d, a, x(k + 14), S34, &HFDE5380C HH a, b, c, d, x(k + 1), S31, &HA4BEEA44 HH d, a, b, c, x(k + 4), S32, &H4BDECFA9 HH c, d, a, b, x(k + 7), S33, &HF6BB4B60 HH b, c, d, a, x(k + 10), S34, &HBEBFBC70 HH a, b, c, d, x(k + 13), S31, &H289B7EC6 HH d, a, b, c, x(k + 0), S32, &HEAA127FA HH c, d, a, b, x(k + 3), S33, &HD4EF3085 HH b, c, d, a, x(k + 6), S34, &H4881D05 HH a, b, c, d, x(k + 9), S31, &HD9D4D039 HH d, a, b, c, x(k + 12), S32, &HE6DB99E5 HH c, d, a, b, x(k + 15), S33, &H1FA27CF8 HH b, c, d, a, x(k + 2), S34, &HC4AC5665 II a, b, c, d, x(k + 0), S41, &HF4292244 II d, a, b, c, x(k + 7), S42, &H432AFF97 II c, d, a, b, x(k + 14), S43, &HAB9423A7 II b, c, d, a, x(k + 5), S44, &HFC93A039 II a, b, c, d, x(k + 12), S41, &H655B59C3 II d, a, b, c, x(k + 3), S42, &H8F0CCC92 II c, d, a, b, x(k + 10), S43, &HFFEFF47D II b, c, d, a, x(k + 1), S44, &H85845DD1 II a, b, c, d, x(k + 8), S41, &H6FA87E4F II d, a, b, c, x(k + 15), S42, &HFE2CE6E0 II c, d, a, b, x(k + 6), S43, &HA3014314 II b, c, d, a, x(k + 13), S44, &H4E0811A1 II a, b, c, d, x(k + 4), S41, &HF7537E82 II d, a, b, c, x(k + 11), S42, &HBD3AF235 II c, d, a, b, x(k + 2), S43, &H2AD7D2BB II b, c, d, a, x(k + 9), S44, &HEB86D391 a = AddUnsigned(a, AA) b = AddUnsigned(b, BB) c = AddUnsigned(c, CC) d = AddUnsigned(d, DD) Next MD5 = LCase(WordToHex(a) & WordToHex(b) & WordToHex(c) & WordToHex(d)) End Function %> <% call opendb() sql = "select * from validadmin where adminsetup = 'y'" call openrs() %> <%'Check for adminsetup DB entry%> <% if session("testsetup") = "" then%> <%If RS.EOF = TRUE then%><% session("adminform") = "admin"%> <% 'OBJdbConnection.Close ' Set OBJdbConnection = Nothing %> <%session("testsetup") = 14%> <%response.redirect "login.asp"%> <%response.end%> <%end if%> <%end if%> <%If RS.EOF <> TRUE then%> <%keyindex = RS("keyindex")%> <% allowreg = RS("allowreg") allowpasslook = RS("allowpasslook") passlookpage = RS("passlookpage") pagename = rs("pagename") md = rs("masterdirectory") fp = rs("firstpage") %> <%if action = "logoff" then%> <%session("auth_granted")= ""%> <%Session.Abandon%> <%response.redirect fp%> <%response.end%> <%end if%> <% reg = "Register" passlook = "Forgot Password" %> <%lostform = request.form("lostform")%> <%morphy = request.querystring("morphy")%> <%end if%> <%if session("adminpass") = "admin" then%> <%if action = "edit_user" then%> <% call opendb() sql = "select * from valid order by svalidemailaddress" call openrs() Do While Not RS.EOF %> <%key =rs("keyindex")%> Choose User
<%=rs("username")%>
<% RS.MoveNext Loop %>



Logoff
<%response.end%> <%end if%> <%end if%> <%if session("adminpass") = "admin" then%> <%if action = "delete_final9" then%> <% call opendb() sql = "delete from valid where keyindex = convert (int, '"& request.querystring("key")&"')" call openrs() %> <%response.redirect "login.asp"%> <%end if%> <%end if%> <%if session("adminpass") = "admin" then%> <%if action = "delete_user9" then%> <% call opendb() sql = "select * from valid where keyindex = convert (int, '"& request.querystring("key")&"')" call openrs() %> User Delete Page
You are about to delete the following user
  Name <%=rs("username")%>  
&action=delete_final9">Yes No



Logoff
<%response.end%> <%end if%> <%end if%> <%if session("adminpass") = "admin" then%> <%if action = "edit_user2" then%> <% call opendb() sql = "select * from valid where keyindex = convert (int, '"& Request.querystring("key")&"')" call openrs() %> User Edit Page
  Name <%=rs("username")%>  
  Email  
Password  
  First Name  
  Last Name    
  User level  
<%if rs("userlevel") <> "10" then%>D<%end if%>


Logoff
<%response.end%> <%end if%> <%end if%> <%if session("adminpass") = "admin" then%> <%if request.form("action") = "edit_user3" then%> <% call opendb() sql = "select * from valid where keyindex = convert (int, '"& Request.form("key")&"')" call openrs() %> <%spassword = rs("svalidpassword")%> <%password = request.form("password")%> <%if password = "d41d8cd98f00b204e9800998ecf8427e" then password = spassword%> <% call opendb() sql = "update valid set login_fname = '"& request.form("login_fname")&"', login_lname = '"& request.form("login_lname")&"', svalidpassword = '"& (password)&"', email = '"&request.form("email")&"', userlevel = '"&request.form("userlevel")&"' where keyindex = convert (int, '"& Request.form("key")&"')" call openrs() %> <%response.redirect "login.asp"%> <%response.end%> <%end if%> <%end if%> <%' Register%> <%if session("adminpass") = "admin" then%> <%if session("adminform") = "2" then%> <%allowreg = "y"%> <%else%> <%allowreg = "n"%> <%end if%> <%end if%> <% if allowreg = "y" then%> <%if Request.Form("register") = "y" Then%> <%name = request.form("name")%> <%pass = request.form("pass")%> <%password = md5(pass)%> <%encryptname = md5(name)%> <% call opendb() sql = "insert into valid (sValidEmailAddress, sValidPassword, userlevel, email, verify_question, verify_answer, username, login_fname, login_lname)Values ('"&encryptname&"', '"&password&"', '"&request.form("userlevel")&"', '"&request.form("email")&"', '"&request.form("verify_question")&"', '"&request.form("verify_answer")&"', '"&request.form("name")&"', '"& request.form("login_fname")&"', '"& request.form("login_lname")&"')" call openrs() %> <% morphy = ""%> <%Response.Redirect "login.asp"%> <%response.end%> <%end if%> <%end if%> <%' Set admin to add users without turning on registration%> <%if session("adminpass") = "admin" then%> <%if session("adminform")= "2" then%> <%if request.form("adminregstart") = "Y" then%> <%allowreg = "y"%> <%morphy = "reg"%> <%end if%> <%end if%> <%end if%> <% if allowreg = "y" then%> <% If morphy = "reg" Then%> User Registration
  Username:    
  Password:    
  Verify Password  
  First Name    
  Last Name    
  Email Address:    
  Verification Question    
  Verification Answer    
<%response.end%> <%end if%> <%end if%> <% if allowpasslook = "y" then%> <%' Lost Password Lets get the username to see of it is in the Database%> <%if morphy = "1" then%> Lost Password
Please enter your username below and we will email you instructions on how to reset your password
  Username  
   
<%morphy="0"%> <%response.end%> <%end if%> <%end if%> <% if allowpasslook = "y" then%> <%' Lost Password Lets pull from the DB the username and index and send off email to client%> <%if lostform = "2" Then%> <% call opendb() sql = "select * from valid where sValidEmailAddress = '"&request.form("name")&"'" call openrs() %> <% name= RS("sValidEmailAddress") email= RS("email") keyindex= RS("keyindex") %> <% Set Mail = Server.CreateObject("Persits.MailSender") ' enter valid SMTP host Mail.Host = "mail.mywebdoor.com" Mail.From = "lostpass@nsncg.com" Mail.AddAddress (email) Mail.IsHTML = true ' message subject Mail.Subject = "Forgotten Password" ' message body Mail.Body = "To reset your password please follow the link below

Follow this link" strErr = "" bSuccess = False On Error Resume Next ' catch errors Mail.Send ' send message If Err <> 0 Then ' error occurred strErr = Err.Description else bSuccess = True End If %> <%lostform = "0"%> <%end if%> <%end if%> <% if allowpasslook = "y" then%> <%' Lost Password Check out the question make sure it matches%> <%if morphy = "3" then%> <% call opendb() sql = "select * from valid where keyindex = convert (int, '"& Request.querystring("juom")&"')" call openrs() %> Lost Password Verify Form
  Please enter your <%=rs("verify_question")%>  
   
   
<%response.end%> <%end if%> <%end if%> <% if allowpasslook = "y" then%> <%' Lost Password change the password and verify the two parts%> <%if lostform = "4" Then%> <% call opendb() sql = "select * from valid where keyindex = convert (int, '"& Request.form("user")&"')" call openrs() %> <% verify_answer=request.form("answer") verify_answer2=RS("verify_answer") %> Change Password <%if verify_answer = RS("verify_answer") Then%>
 
  Please enter the following  
  New password  
  Verify Password  
   
 
<%else%> We are sorry, please try again <%end if%> <%lostform = "0"%> <%response.end%> <%end if%> <%end if%> <% if allowpasslook = "y" then%> <%' Lost Password Everything Checks out, lets update the password in the database%> <%if lostform = "5" Then%> <%pass=request.form("pass")%> <%password = md5(pass)%> <% call opendb() sql = "update valid set sValidPassword = '"&password&"' Where keyindex = convert (int, '"& Request.form("user")&"')" call openrs() %> <% session("lostpass") = ""%> <%response.redirect "login.asp"%> <%response.end%> <%end if%> <%end if%> <% if request.form("action") = "validate" then%> <% Dim Seed Dim sValidEmailAddress Dim sValidPassword Dim sValidHash Dim sEmailAddress Dim sPassword Dim sHash ' For simplicity of demonstration, the email address and password are hardcoded here. ' Normally you would pull this information from a database. ' sValidEmailAddress = "user@host.com" ' sValidPassword = "demopass" ' userlevel = "2" %> <%badchars = False%> <%vuser = request.form("user")%> <%if sqlcheck(vuser) = True then%> <%session("badlogin") = "true"%> <%vuser = ""%> <%end if%> <%shash = request.form("hash")%> <%'if sqlcheck(shash) = True then%> <%'session("badlogin") = "true"%> <%'shash = ""%> <%'end if%> <%password = request.form("password")%> <%if password <> "" then%> <%session("js") = "true"%> <%response.redirect "login.asp"%> <%response.end%> <%end if%> <% call opendb() sql = "select * from valid where sValidEmailAddress = '"&vuser&"' " call openrs() %> <% If RS.EOF <> TRUE then username = rs("sValidEmailAddress") 'sValidEmailAddress = RS("sValidEmailAddress") sValidPassword = rs("sValidPassword") userlevel = rs("userlevel") else %> Nothing in DB <%session("badlogin") = "true"%> <%response.redirect "login.asp"%> <%response.end%> <%end if%> <% ' Get the seed from the session object and calculate the hash Seed = Session("auth_seed") sValidHash = MD5(Seed & sValidPassword) sValidEmailAddress = rs("svalidemailaddress") sEmailAddress = (vuser) sPassword = Request.Form("password") sHash = (shash) user = (vuser) username = rs("username") %> Secure HTTP Authentication Method

Secure Login

<% If Seed = "" Then Response.Write "Your session has expired. You have been waiting too long, or your browser does not support cookies." ElseIf sEmailAddress = "" Then Response.Write "You did not enter a user name." ElseIf LCase(sEmailAddress) <> LCase(sValidEmailAddress) Then Response.Write "You have entered an unregistered email address." ElseIf sHash = "" And sPassword <> "" Then ' The client's browser did not support javascript ' For backward compatibility, handle this old-fashioned login If sPassword <> sValidPassword Then Response.Write "The password you entered in incorrect. (unsafe)" Else Response.Write "Login is succesfull! (unsafe)
Logoffhere" ' Store credentials in the Session object Session("auth_granted") = "true" Session("auth_emailaddress") = sEmailAddress session("level") = "0" session("safe") = "unsafe" End If ElseIf sHash <> "" Then If sHash <> sValidHash Then session("badlogin") = "true" response.redirect "login.asp" 'Response.Write "The password you entered in incorrect. (safe)" Else Response.Write "Login is succesfull! (safe)
Click here to continue.
Click here to logout." ' Store credentials in the Session object session("duser") = sValidEmailAddress session("level") = userlevel session("safe") = "safe" session("username") = username session("login_fname") = rs("login_fname") session("login_lname") = rs("login_fname") if userlevel = "10" then session("adminpass") = "admin" session("adminform") = "0" session("logscreen") = "" response.redirect "login.asp" response.end end if Session("auth_granted") = "true" session("logscreen") = "" keyindexvalid = rs("keyindex") session("lip") = rs("lip") session("ldate") = rs("ldate") session("ltime") = rs("ltime") call closedb() lip = (request.ServerVariables("remote_addr")) ldate = Date() ltime = Time() call opendb() sql = "update valid set lip = '"&(lip)&"', ldate = '"& (ldate)&"', ltime = '"& (ltime)&"' where keyindex = convert (int, '"&(keyindexvalid)&"')" call openrs() call closedb() Response.Redirect fp End If Else Response.Write "An error has occured." End If %>

Back
<%response.end%> <%end if%> <%if action = "lowuser" then%> You do not have sufficient permission for this operation

You do not have sufficient permission for this operation

<%response.end%> <%end if%> <%'This is the Admin update SQL command%> <%if session("adminform") = "2" Then%> <% call opendb() sql = "update validadmin set allowreg = '"&request.form("allowreg")&"', allowpasslook = '"&request.form("allowpasslook")&"', passlookpage = '"&request.form("passlookpage")&"', pagename = '"&request.form("pagename")&"', masterdirectory = '"&request.form("masterdirectory")&"', firstpage = '"&request.form("firstpage")&"' where keyindex = convert (int, '"& Request.Form("keyindex")&"')" call openrs() %> <%session("adminform") = 0%> <%response.redirect "login.asp"%> <%response.end%> <%end if%> <%'This is the SQL entry information that sets up the initial database%> <%If session("adminform") = "1" Then%> <% call opendb() sql = "insert into validadmin (allowreg, allowpasslook, passlookpage, adminsetup, pagename, masterdirectory, firstpage)Values ('"&request.form("allowreg")&"', '"&request.form("allowpasslook")&"', '"&request.form("passlookpage")&"', '"&request.form("adminsetup")&"', '"&request.form("pagename")&"', '"&request.form("masterdirectory")&"', '"&request.form("firstpage")&"')" call openrs() %> <%pass=request.form("pass")%> <%password=md5(pass)%> <%user=request.form("name")%> <%encryptname=md5(user)%> <% call opendb() sql = "insert into valid (sValidEmailAddress, sValidPassword, userlevel, username)Values ('"&encryptname&"', '"&password&"', '"&request.form("userlevel")&"', '"&user&"')" call openrs() %> <%session("admin")="20"%> <% 'OBJdbConnection.Close 'Set OBJdbConnection = Nothing %> <%session ("adminform")= 0%> <%response.redirect "login.asp"%> <%response.end%> <%end if%> <%'This is the form for the initial DB setup%> <%if session("adminform") = "admin" then%> Initial Setup
Allow Registration: Yes  No 
Allow Password lookup: Yes  No
Password lookup Page
(i.e., http://domain.com/passwordlookup.asp)
Admin Username
Admin Password
Page Title
Master Directory
(i.e. web address of where login.asp resides
include http:// without trailing backslash)
Your first page after validation is done
(i.e. index.asp or default.asp)
<%session("adminform") = 1%> <%session("loadonce") = 1%> <%response.end%> <%end if%> <%if session("adminpass") = "admin" then%> <%if session("adminform")= "0" then%> <%if session("loadonce")="1" then%> <%session("loadonce") = 99%> <%response.redirect "login.asp"%> <%end if%> Administration Page
<%' This is the updatable form for admin%>
Allow Registration: >Yes  >No 
Allow Password Lookup: >Yes  >No
Password lookup Page:  
Page Title  
Master Directory
(i.e. web address of where login.asp resides
include http:// without tailing backslash)
  

Your first page after validation is done
(i.e. index.asp or default.asp)		  
">
<%session("adminform")="2"%>
Add User

User Edit

Logout
<%response.end%> <%end if%> <%end if%> <%'if session("logscreen") = "" then%> <% ' Initialize the PRNG using the timestamp. The quality of the PRNG ' is not so important in this case, since the result is sent to the user. Randomize Timer ' Generate two random numbers Dim sLeft : Dim sRight sLeft = CStr(Int(Rnd * 99999)) : If Len(sLeft) < 5 Then sLeft = String(5 - Len(sLeft), "0") & sLeft sRight = CStr(Int(Rnd * 99999)) : If Len(sRight) < 5 Then sRight = String(5 - Len(sRight), "0") & sRight ' Concatenate the two parts divided by a '.' (dot) to create the seed Dim sSeed sSeed = sLeft & "." & sRight ' Store the seed in the Session object for later usage Session("auth_seed") = sSeed %> Secure HTTP Login Form
<% If strErr <> "" Then %>

Error occurred: <% = strErr %> <% End If %> <% If bSuccess Then %> Success! Message sent to <% response.write(email) %>. <% End If %>

<%if allowreg = "y" then display = "y"%> <%if allowpasslook = "y" then display = "y"%>

<%response.write(pagename)%>

<%if display = "y" then%> <% end if%>
<%if session("badlogin") = "true" then%>No such user or bad password<%end if%><%if badchars = "true" then%>Bad Characters were used for login<%end if%>
<%if session("js") = "true" then%>You must turn on JavaScript to use this site.<%end if%><%if badchars = "true" then%>Bad Characters were used for login<%end if%>
Login
Password
  <% if allowreg = "y" then%> <%session("register")="yes"%> <%response.write(reg)%> <%end if%> <% if allowpasslook = "y" then session("lostpass")="yes" response.write(passlook)%> <%end if%>  
<%response.write(copy)%>
<%response.write(ver)%>