Tornado Class Library

Special Topic - StandAlone and Multi-User Login

Defining the dbLogin property activates and sets up the entire Login function. There are two levels of login - PoorMan and DB. In order to use the ASPdb.Net login function, the Global.asax file must contain the following code in the Session_End block. This code cleans up 'logged out' users after the session ends, times out, or the user logs out. This integrated login module prohibits "Password Abuse" by allowing only a single logon. In order to log on somewhere else, the user can either log out (from any location) and then log in again, or wait for the timeout of the active session that owns the name & password. SQL Injection attacks are also taken into account and countermeasures are incorporated.

 
Global.asax Login Session_End Code

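Sub Session_End(ByVal sender As Object, ByVal e As EventArgs)
  ' Remove the ended session and its name/password entry from the login lists
  Application.Lock()
  Try
    Dim UserSession As ArrayList = Application("UserSession")
    Dim NamePassword As ArrayList = Application("NamePassword")
    If UserSession Is Nothing OrElse NamePassword Is Nothing Then Return
    Dim who As Integer = UserSession.IndexOf(Session.SessionID)
    ' IndexOf returns -1 for a session that is not in the list; skip it
    If who >= 0 Then
      UserSession.RemoveAt(who)
      NamePassword.RemoveAt(who)
    End If
    Application("UserSession") = UserSession
    Application("NamePassword") = NamePassword
  Finally
    ' Always release the application lock, even if an error occurred
    Application.UnLock()
  End Try
End Sub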

Note - For multiple-file operations, you must repeat the dbLogin property in all the aspx files that need to be covered by the same login/logout.

 
Login Template

Users can define their own Login Template using dbLoginTemplate. If this property is blank, the internal template is used. If it starts with 'file=filename', the file is retrieved from the template directory (dbtemplatedir). If it is given as file=\your dir\file_path, the user's path is used. The ID and Password <INPUT NAME> values must be ASPdbLoginID and ASPdbLoginPassword. There must also be a [[LoginButtons]] tag for the buttons and a [[LoginTitle]] tag for the title. The following is the system internal template -

<table class=ts cellspacing='0' cellpadding=3><tr><td colspan=2 class=gh>[[LoginTitle]]</td></tr>
<tr><td class=cf align=right>ID</td><td class=r1><input type=text name='ASPdbLoginID' size=28></td></tr>
<tr><td class=cf align=right>Password</td><td class=r1><input type=password name='ASPdbLoginPassword' size=28>
</td></tr><tr><td class=cf colspan=2 align=center>[[LoginButtons]]</td></tr>

 

Forget Password

In order to send the password in response to a "Forgot Password" request, the dbMail property is used. You can either furnish the 3 macro tags, in which case dbLogin will set up dbMail with defaults and send the password for you, or set up the dbMail property yourself to have complete control. Either way the 3 macros must be there -

1. [[address]] - email address of the sender (From).
2. [[LoginID]] - Login ID of the requestor
3. [[Password]] - Password of the requestor

These tags will be filled in for the active user and the password will be sent to the user. The email address of either type will be validated against the internal email regular expression before sending.

 

PoorMan Style Login

First we'll create a user password file - c:\inetpub\wwwroot\bin\pass.txt

Comments - OK as long as not inside <blocks>
<application1>
frank,kwong,fk@fkw.us
bill,clinton,hello@fkw.us
asp,db,world@fkw.us
hello,world,frank@aspdb.com
</application1>

Application with a PoorMan style Login

<script language="vb" runat="server">
Sub Page_Load(Source as Object, E as EventArgs)
  Dim GD As New Tornado.GetData()
  Dim LOG1 As New Tornado.Z()
  With LOG1
    .dbSkin = "type=gold"
    .dbLogin = "type=PoorMan|passfile=/bin/pass.txt,application1|titletxt=Tornado Login|FromAddr=frank@aspdb.com|EmailSubject=Your Password|EmailBody=Your password for [[LoginID]] is [[password]]| SMTPServer=mail.topher.net"
    .dbUnit = "50"
    .dbMode = "type=Grid| sysindex=true"
    .dbExportFlds = "0,1"
    .dbDSN = "Nwind"
    .dbSQL = "Select * From Orders"
    .dbTextHolder = "BD=onLoad='self.focus()'|Title=Tornado - Single Access Super Login"
    .ASPdbNET()
  End With
  ' HTML-encode login names before writing them into the page
  Response.Write("Login Name=" & Server.HtmlEncode(GD.Get_LoginName) & "<BR>")
  ' List the users currently logged in, if any
  Dim s() As String = GD.get_Login_users
  If Not IsNothing(s) Then
    Response.Write("<HR>Login users<br>")
    Dim i As Integer
    For i = 0 To UBound(s)
      Response.Write(Server.HtmlEncode(s(i)) & "<BR>")
    Next
  End If
End Sub
</script>

 

StandAlone Login

For a standalone login, that is, a login without having to keep track of every page, session idle time, etc., a different set of Login methods is available - ASPdbLogin and ASPdbClearLogin. Look at the following example -

Step #1 - Create a safe default file. Use the aspx extension and make sure you include the .aspx extension in the default document list of the Web Site Properties. This sample default.aspx file presents a login box with a PoorMan style user/id list embedded in the dbLogin property. The Forget, Changepassword and Help buttons are hidden from display. If the userid/password is invalid, it prompts again. If it is valid, the user is redirected to another application. In order to be safe, use a querystring (pass=Password) to prohibit invalid access to the application.

File = Default.aspx

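<script language="vb" runat="server">
Sub Page_Load(Source as Object, E as EventArgs)
  Dim Lg As New Tornado.Z
  Lg.dbUnit = 1
  ' PoorMan login with the ID/password list embedded in the property;
  ' the Forget, Changepassword, Logout and Help buttons are switched off
  Lg.dbLogin = "type=PoorMan|passlist=MyID,MyPass| titletxt=Standalone Login" & _
    "_Login|For=f|Cha=f|log=f|hel=f"
  ' ASPdbLogin returns True once a valid ID/password has been entered
  If Lg.ASPdbLogin() Then
    Lg.ASPdbClearLogin()
    Response.Redirect("/Anotherdir/AnotherApp.aspx?pass=AnotherPassword")
  End If
End Sub
</script>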

 

Step #2 - Check the password querystring and make sure it is valid. If it is invalid, terminate the application without displaying the HTML code. If it is valid, the HTML page will display and your web site is in action. Anytime you have application links, you should pass on the same querystring to make sure the entire application is safe.

File = AnotherApp.aspx

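<script language="vb" runat="server">
Sub Page_Load(Src As Object, E As EventArgs)
  Try
    ' Stop before any HTML is sent unless the expected pass value is present
    If Not (Request.QueryString("pass") = "AnotherPassword") Then
      Response.Write("Invalid Access")
      Response.End()
    End If
  Catch
    ' Any error during the check also ends the response
    Response.End()
  End Try
End Sub
</script>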

<html>
<body>
..... 
..... Your web page here 
.....
</body>
</html>
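
The same two-step gate with the login result held in server-side session state instead of a fixed pass= value in the URL, which ends up in browser history, server logs and Referer headers. This is an added example, not Tornado sample code; the session key StandaloneLoginOK is a hypothetical name, and it assumes session state is enabled and that ASPdbClearLogin leaves the ASP.NET session itself intact.

```vb
' ---- File = Default.aspx (inside <script language="vb" runat="server">) ----
Sub Page_Load(Source As Object, E As EventArgs)
  Dim Lg As New Tornado.Z
  Lg.dbUnit = 1
  Lg.dbLogin = "type=PoorMan|passlist=MyID,MyPass| titletxt=Standalone Login" & _
    "_Login|For=f|Cha=f|log=f|hel=f"
  If Lg.ASPdbLogin() Then
    Lg.ASPdbClearLogin()
    ' Record the successful login on the server; nothing secret goes into the URL.
    ' "StandaloneLoginOK" is a hypothetical key name chosen for this example.
    Session("StandaloneLoginOK") = True
    Response.Redirect("/Anotherdir/AnotherApp.aspx")
  End If
End Sub

' ---- File = AnotherApp.aspx (inside <script language="vb" runat="server">) ----
Sub Page_Load(Src As Object, E As EventArgs)
  ' Session values are Object and a missing key is Nothing, so compare with
  ' Object.Equals: anything other than a stored Boolean True fails closed.
  If Not Object.Equals(Session("StandaloneLoginOK"), True) Then
    Response.StatusCode = 403
    Response.Write("Invalid Access")
    Response.End()
  End If
  ' Keep the authenticated page out of browser and proxy caches.
  Response.Cache.SetCacheability(HttpCacheability.NoCache)
End Sub
```

Every page behind the login repeats the AnotherApp.aspx check in its own Page_Load, and links between those pages no longer need to carry a querystring.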