Login System Help - PLEASE - including non-programmers
Author Topic: Login System Help - PLEASE - including non-programmers  (Read 1116 times)
rdivilbiss, Moderator (Posts: 424)
« on: January 19, 2010, 10:20:59 PM »

http://www.rodsdot.com/login_system/testDestination.asp

An issue which perennially occurs is a newish programmer asking for a login page for his or her web site.  More experienced programmers know that a login page is only part of a whole.

You need a way to register the users, therefore a registration page.

If you are wise, you will verify the newly registered user's e-mail address prior to allowing the user access, therefore an e-mail verification page. e.g. Send them a token and make them click a link or enter the token within a reasonable amount of time, say 24 hours.

A person could register using a phony e-mail address or someone else's e-mail address, therefore the person receiving the registration message may want to cancel registration, so now we have a cancel registration page.

A new user may have the registration e-mail go to their SPAM folder, or for some other reason may not verify his or her e-mail address within 24 hours.  They need a way to issue a new verification token, therefore yet another page.

And users may wish to change their password, so you need a password change page.

Now with all of this, it would be foolish not to have, what was originally asked for, a login page.  If it is not a high security site, we may choose to give the user the option to remain logged in, or the user being conscientious will want to properly log out, so now we need a logout page.

All totaled, we have the need for 9 pages. In alphabetical order:

1.   cancel_account
2.   change_password
3.   loggedout (log out confirmation to make sure the cookies are gone)
4.   login
5.   logout
6.   register
7.   register_delete
8.   register_verify
9.   issue_verification_token

But, looking at the visitors to my web site, it is obvious US English may be understood by many non-US residents, and that would not be totally unexpected for programmers, but the users of the sites they program would not necessarily know US English, therefore if we write a decent login system, we need to replace all the US English words and phrases with constants, meaning we need a language include file.

Also if you make a login system you might want a test page to make sure if a non-logged-in user attempts to access a protected page, the user is redirected to login and if they log in they are returned to the test page in a logged on state.  (And if they are not registered, they have the option to register from the login page, will be sent to a registration verification page where, when they enter their token they are presented with a continue link which takes them to the test page.)

So we have pages 10 and 11, the language include page and the test page.

Finally, we would be remiss not to provide a password recovery page and a change e-mail page, (12 & 13).

That's why when asked for a login page I want to laugh out loud at the asker.

But, ask the question at TOS and it will be quickly answered with just the login page and an Access database.  The input won't be filtered for XSS and the output won't be escaped or encoded, and the SQL query will be subject to SQL injection.  By virtue of all those vulnerabilities, the login form will be subject to CSRF.

About.com and Sitepoint both were smart enough to realize you need more than one page and wrote their version of login systems.  Both are riddled with no input filtering, no output escaping or encoding, no verification of e-mail addresses, and on the fly SQL subject to SQL injection, and consequently their forms are also subject to CSRF.

And we wonder why the same vulnerabilities consistently make OWASP's top ten list?

I have written pages 1 through 11.  12 & 13 will be written soon.  I also intend to rewrite this in PHP.

By intent, all input (even the User Agent) is filtered.  Either input data matches its available pattern or it is discarded.  No attempting to massage data or try to fix user input.

All output, which was not hard coded, is HTML encoded at a minimum.

All SQL commands are parameterized SQL which is significantly less likely to fall victim to SQL injection, especially with the input filtering.

The pages were meant to be included in someone's web site, therefore there is minimal styling and I've attempted to achieve HTML 4.01 Strict.  Since I'm sure I've missed some test cases, I could not possibly have checked every possible dynamic page output so there could be markup errors or language constants which are not properly expanded.

The two flaws are:

1.   My SSL certificate is expired, so for testing there is no SSL, and
2.   The database connection string is in the language file meaning if you have access to that file you could possibly download the database.  (In real life, that being an ASP page, it would not reveal that information if read via the web, and I would not put the database file under the web root.  This is just development and testing so I think those can be overlooked at this point.)
3.   I used Access as a least common denominator.  I use both MS SQL and MySql and will modify the SQL as needed to work with both of those databases.

So what's the point?  I need the pages tested and broken if possible, and I need the language file translated into whatever languages I can get people to volunteer to translate.  My wife will translate into Vietnamese and her brother who is much more computer literate and holds two engineering degrees will verify her work.

I know VGR and GrandSchtroumpf could, if so inclined, offer translation as well.  So can CrYpTiC_MauleR.

http://www.rodsdot.com/login_system/testDestination.asp
« Last Edit: January 19, 2010, 10:28:24 PM by rdivilbiss »

Rod
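The verification-token lifecycle the post lays out (register, verify within 24 hours, issue a new token, cancel a registration that was never verified), as an added Python example rather than code from the ASP project; the SQLite schema, the SHA-256 token hashing and the user names are assumptions:

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(hours=24)  # the 24-hour verification window from the post

def open_db():
    # In-memory SQLite stands in for the Access database; this schema is assumed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, email TEXT NOT NULL, "
               "verified INTEGER NOT NULL DEFAULT 0, token_hash TEXT, token_issued TEXT)")
    return db
def _hash(token):  # only the hash is stored, so a leaked database yields no usable tokens
    return hashlib.sha256(token.encode()).hexdigest()
def issue_token(db, userid, now):
    """issue_verification_token: new random token for an unverified account, else None."""
    token = secrets.token_urlsafe(24)
    cur = db.execute("UPDATE users SET token_hash=?, token_issued=? WHERE userid=? "
                     "AND verified=0", (_hash(token), now.isoformat(), userid))
    return token if cur.rowcount == 1 else None
def register(db, userid, email, now):
    """register: create the account unverified and return the token to e-mail."""
    db.execute("INSERT INTO users (userid, email) VALUES (?, ?)", (userid, email))
    return issue_token(db, userid, now)
def verify(db, userid, token, now):
    """register_verify: returns 'verified', 'expired' or 'invalid'."""
    row = db.execute("SELECT token_hash, token_issued, verified FROM users WHERE userid=?",
                     (userid,)).fetchone()
    if row is None or row[2] or row[0] is None or \
            not secrets.compare_digest(row[0], _hash(token)):
        return "invalid"
    if now - datetime.fromisoformat(row[1]) > TOKEN_TTL:
        return "expired"  # the user must request a fresh token
    db.execute("UPDATE users SET verified=1, token_hash=NULL WHERE userid=?", (userid,))
    return "verified"
def cancel_registration(db, userid, email):
    """register_delete: only a registration that is still unverified can be removed."""
    cur = db.execute("DELETE FROM users WHERE userid=? AND email=? AND verified=0", (userid, email))
    return cur.rowcount == 1
def run_scenario():
    # Walk the lifecycle with a fixed clock; returns the outcomes in order.
    db, t0 = open_db(), datetime(2010, 1, 19, 22, 20)
    late = t0 + timedelta(hours=25)
    tok = register(db, "rod", "rod@example.com", t0)
    register(db, "bob", "someone-else@example.com", t0)
    out = [verify(db, "rod", "not-the-token", t0),   # invalid
           verify(db, "rod", tok, late)]             # expired: past 24 hours
    tok2 = issue_token(db, "rod", late)               # issue_verification_token page
    out += [verify(db, "rod", tok, late),            # invalid: superseded by tok2
            verify(db, "rod", tok2, late + timedelta(hours=1)),           # verified
            cancel_registration(db, "rod", "rod@example.com"),           # False: verified
            cancel_registration(db, "bob", "someone-else@example.com")]  # True: unverified
    return out
```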
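The input posture described above (a field either matches its pattern or is discarded, parameterised SQL, HTML-encoded output), as an added Python example rather than the project's ASP; the patterns, the PBKDF2 password hashing and the sample user are assumptions:

```python
import hashlib
import html
import re
import sqlite3

# Whitelist patterns (assumed): a field either matches its pattern or is discarded.
PATTERNS = {
    "userid": re.compile(r"^[A-Za-z0-9_]{3,20}$"),
    "password": re.compile(r"^[\x20-\x7e]{8,64}$"),     # printable ASCII only
    "email": re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"),
    "useragent": re.compile(r"^[\x20-\x7e]{1,255}$"),   # the post filters this too
}

def filtered(fields):
    """Keep only fields that pass their pattern; nothing is trimmed or repaired."""
    return {k: v for k, v in fields.items()
            if k in PATTERNS and isinstance(v, str) and PATTERNS[k].match(v)}

def passhash(userid, password):
    # Assumed scheme for the demo; a real deployment stores a random per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), userid.encode(), 100_000).hex()

def seed_db():
    # In-memory SQLite stands in for the Access database; the schema is assumed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, passhash TEXT, name TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("rod", passhash("rod", "correct horse battery"), "Rod <Divilbiss>"))
    return db

def login(db, form):
    """login page: whitelist the form, look the user up with a parameterised query and
    return the greeting HTML-encoded; None on any failure (no detail about which)."""
    f = filtered(form)
    if "userid" not in f or "password" not in f:
        return None                     # a discarded field simply fails the login
    row = db.execute("SELECT name FROM users WHERE userid=? AND passhash=?",
                     (f["userid"], passhash(f["userid"], f["password"]))).fetchone()
    if row is None:
        return None
    # Stored data is untrusted output too: encode it before it reaches the page.
    return f"<p>Welcome, {html.escape(row[0])}</p>"
```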
rdivilbiss, Moderator (Posts: 424)
« Reply #1 on: January 19, 2010, 10:26:29 PM »

<%
'*********************************************************************
'* Login system globals
'*********************************************************************
Const lg_cancel_account_page = "cancel_account.asp"
Const lg_contact_form = "/contact.asp"
Const lg_copyright = "&copy; 2005-2010 Roderick Divilbiss, Overland Park, KS. http://www.rodsdot.com"
Const lg_domain = "www.rodsdot.com"
Const lg_home = "/default.asp"
Const lg_log_logins = True
Const lg_logged_out_page = "loggedout.asp"
Const lg_loginPath = "/login_system/"
Const lg_logout_page = "logout.asp"
Const lg_new_token_page = "register_newtoken.asp"
Const lg_recover_passsword_page = "recover-password.asp"
Const lg_register_delete_page = "register_delete.asp"
Const lg_register_page = "register.asp"
Const lg_success_page = "login-success.asp"
Const lg_useSSL = True
Const lg_verify_page = "register_verify.asp"
Const lg_webmaster_email = "Webmaster <webmaster@rodsdot.com>"


'*********************************************************************
'* Login system language globals
'*********************************************************************
Const lg_login_button_text = "Login"
Const lg_register_button_text = "Register"
Const lg_term_at = "at"
Const lg_term_cancel = "Cancel"
Const lg_term_cancel_account = "Cancel Account"
Const lg_term_change_password = "Change Password"
Const lg_term_change_password_button_text = "Change Password"
Const lg_term_checkToken = "checkToken"
Const lg_term_city = "City"
Const lg_term_command_string = "LEFT OUT ON PURPOSE"
Const lg_term_confirm = "Confirm Password"
Const lg_term_contact_form = "Contact Form"
Const lg_term_country = "Country"
Const lg_term_current_password = "Current Password"
Const lg_term_delete_account = "Delete Account"
Const lg_term_do_registration = "doRegistration"
Const lg_term_email = "EMail"
Const lg_term_enter_information = "Enter Information"
Const lg_term_error_string = "getPasshash"
Const lg_term_example = "Example"
Const lg_term_get_name = "getName"
Const lg_term_get_oldpassword = "getOldPassword"
Const lg_term_immediately = "immediately!"
Const lg_term_ip = "IP"
Const lg_term_issue_verification_token = "Issue Verification Token"
Const lg_term_log_string = "logLogin"
Const lg_term_logged_out = "Logged Out"
Const lg_term_login = "Login"
Const lg_term_login_success = "Success"
Const lg_term_name = "Name"
Const lg_term_optional = "Optional"
Const lg_term_or = "or"
Const lg_term_password = "Password"
Const lg_term_please_login = "Please Login"
Const lg_term_please_register = "Please Register"
Const lg_term_recover_password = "Recover Password"
Const lg_term_region = "Region"
Const lg_term_register = "Register"
Const lg_term_register_confirmation = "Registration Confirmation"
Const lg_term_register_delete_enter_email = "Enter EMail"
Const lg_term_registration_verification = "Registration Verification"
Const lg_term_remember = True
Const lg_term_rememberme = "Remember Me"
Const lg_term_remove_registration = "Remove Registration"
Const lg_term_required = "required"
Const lg_term_set_newpassword = "changePassword"
Const lg_term_submit = "Submit"
Const lg_term_useragent = "Useragent"
Const lg_term_userid = "UserID"
Const lg_term_via_email = "by email at"
Const lg_term_website_address = "Website Address"


Const lg_phrase_cancel_account_cacelled = "The account has been cancelled."
Const lg_phrase_cancel_account_error = "There was an unexpected error cancelling your account. Please contact the webmaster"
Const lg_phrase_cancel_account_warning = "Enter your User ID and Password to cancel your account.<br>WARNING: THIS ACTION CAN NOT BE UNDONE.<br>If you have forgotten your password use the recover password link below."
Const lg_phrase_change_password = "Enter your current password, then your desired new password"
Const lg_phrase_confirm_empty = "The Confirm Password field is empty but is required. Please confirm your password."
Const lg_phrase_confirm_title = "Please confirm your desired password. This field is required."
Const lg_phrase_contact_webmaster = "contact the webmaster"
Const lg_phrase_delete_account = "Delete Account"
Const lg_phrase_delete_already_verified = "The account has already been verified and could not be deleted"
Const lg_phrase_delete_deleted = "The account has been deleted"
Const lg_phrase_email_empty = "The EMail field is empty but is required. Please enter your email address."
Const lg_phrase_email_title = "Please enter your email address. This field is required."
Const lg_phrase_enter_unlock_code = "Enter Unlock Code"
Const lg_phrase_issue_new_token = "Enter your userid and email to receive a new verification token."
Const lg_phrase_issue_new_token_error = "There was an unexpected error generating your verification token. Please contact the webmaster."
Const lg_phrase_issue_new_token_success = "Your new verification token will be mailed to your email address."
Const lg_phrase_logged_out = "You are logged out."
Const lg_phrase_logout_continue = "Click here to continue."
Const lg_phrase_name_empty = "The Name field is empty but is required. Please enter your name."
Const lg_phrase_name_title = "Please enter your full name. This field is required."
Const lg_phrase_newpassword_empty = "The New Password field is empty but is required. Please enter your password."
Const lg_phrase_news = "Do you wish to receive periodic e-mails when the website changes or new articles are posted?"
Const lg_phrase_no_matching_registration = "There was no registration matching the User ID and email address you entered."
Const lg_phrase_oldpassword_does_not_match = "The current password does not match your stored password. Try again."
Const lg_phrase_oldpassword_empty = "The Old Password field is empty but is required. Please enter your password."
Const lg_phrase_oldpassword_title = "Please enter your current password. This field is required."
Const lg_phrase_password_change_authorized = "If you did not authorize this change, please contact the webmaster at"
Const lg_phrase_password_changed = "Your password was changed"
Const lg_phrase_password_changed_error = "There was an unexpected error. The password was not changed. Please contact the webmaster"
Const lg_phrase_password_changed_okay = "Password changed successfully."
Const lg_phrase_password_changed_post = " was changed at "
Const lg_phrase_password_changed_pre = "Your password at "
Const lg_phrase_password_empty = "The Password field is empty but is required. Please enter your password."
Const lg_phrase_password_new_title = "Please enter your desired password. This field is required."
Const lg_phrase_password_nomatch_confirm = "The Password does not match the Confirmation Password. Please re-enter."
Const lg_phrase_password_title = "Please enter your password. This field is required."
Const lg_phrase_register_delete_noemail = "There was no account matching the email address you entered."
Const lg_phrase_registration_email_verify = "Verify Your EMail Address"
Const lg_phrase_registration_email_verify_msg = "An e-mail was sent to the e-mail address you provided during registration.&nbsp; Click the link in that e-mail or copy and paste the unlock code in the form field below.<p>Your account will not be available until it has been verified."
Const lg_phrase_registration_error = "There was an unexpected error completing your registration. Please contact the webmaster"
Const lg_phrase_registration_mail1 = "Thank you for registering at"
Const lg_phrase_registration_mail2 = "Before you can login you need"
Const lg_phrase_registration_mail3 = "to verify your e-mail address."
Const lg_phrase_registration_mail4 = "Click Here To Verify"
Const lg_phrase_registration_mail5 = "If the above link does not work, go to http://"
Const lg_phrase_registration_mail6 = "copy and paste the token below into the form and click ""Submit"""
Const lg_phrase_registration_mail7 = "If you did not register, click"
Const lg_phrase_registration_mail8 = "this link: <a href=""http://"
Const lg_phrase_registration_mail9 = "if you have any questions then <a href=""http://"
Const lg_phrase_registration_success = "Registration Successful"
Const lg_phrase_remember_me_warning = "Do not check remember me if this is a shared computer."
Const lg_phrase_userid_empty = "The User ID field is required but is empty. Please enter your User ID."
Const lg_phrase_userid_inuse = "The User ID is in use or invalid."
Const lg_phrase_userid_new_title = "Please enter your desired User ID. This field is required."
Const lg_phrase_userid_title = "Please enter your userid. This field is required."
Const lg_phrase_verify_expired = "More than 24 hours have passed since your registration."
Const lg_phrase_verify_login = "You may now login to your account."
Const lg_phrase_verify_newtoken = "Click here to generate a new unlock code."
Const lg_phrase_verify_verified  = "You have verified your email address."
Const lg_phrase_website_title = "Please enter your website address."
%>

Rod
VGR, Mentor (Posts: 724)
« Reply #2 on: March 24, 2010, 07:12:38 AM »

aaaaaargh Rod is back with his silly ideas :D

sorriivenotime sorriivenotime sorriivenotime sorriivenotime sorriivenotime sorriivenotime sorriivenotime sorriivenotime
will try to help you once I understand what you're doing ;-)

Personally, I don't write 12 pages, I write one that handles all. It's relatively easy. For secure auto-registration, I use a confirmation email. All in one, I think I've 3 or 4 pages (register.php, confirm.php, profile.php) and my websites are multilingual using standard txt(key_string) and txtmsg(format_string,array(arguments)) calls. I've thus also a translation admin page where I can automatically translate the newly created key_strings into 4 languages (usually).

I work this way since 2002 and haven't been "penetrated" yet ;-)

techie overlord, answers all kind of questions on http://www.europeanexperts.org
rdivilbiss, Moderator (Posts: 424)
« Reply #3 on: March 24, 2010, 08:23:31 PM »

> will try to help you once I understand what you're doing ;-)

Thank you very much!

> Personally, I don't write 12 pages, I write one that handles all. it's relatively easy.

You and I are experienced web developers and can understand how to write one page which performs many functions.  That is not the target audience for my project.  But I agree that is a valid and good way to do things if you are able.



> For secure auto-registration, I use a confirmation email.

As do I.

https://www.webloginproject.com/login-project/french/default.asp is a live example of what I am trying to do.  I used a machine translation from US English to French but I am sure some translations will not be correct.  An English sentence may be phrased differently than a sentence in another language.

I have two files you might look at and correct.  I'll send you a link to those.

Regards,
Rod

Rod
VGR, Mentor (Posts: 724)
« Reply #4 on: March 25, 2010, 01:26:03 PM »

I went to your URI. Why is the "/french/" page not translated at all? Also, it's ASP.Net and not "really" ASP (see page title) that you're using ;-)
Also, you use the standard "aspstate" which is a vulnerable "user token" technique, as described in the OWASP Guide (see my website).

Also, when I read "EE llogin" I naively thought it was for EEE, the free version of the "not-so-collaborative" website known as experts-exchange.COM (and that I left end of 2004): what's the purpose?

I'm currently looking at your two files.

techie overlord, answers all kind of questions on http://www.europeanexperts.org
rdivilbiss, Moderator (Posts: 424)
« Reply #5 on: March 25, 2010, 08:43:39 PM »

The only thing I made an attempt at translating is the login system functions.

Absent a native speaker such as yourself, translating the other information on those demo pages would not be practical.

I assure you the code on those pages is classic ASP.  I also have the same code in PHP, but escaping the language file will be more difficult in PHP and I chose not to attempt that until getting your feedback.

Unfamiliar with the term "aspstate" and a search of your site for aspstate, ASP session and session state did not reveal any information applicable.

I'll have a look around OWASP.


Rod