rvdmast (24th January 2008)

Ok guys, here's the first attempt at this. I'm hoping some of you may like to take it and improve it and share the results.
In the zip file are 2 folders and the database. At the moment it is an Access database but could easily be moved to a MySQL one I suppose.
The register folder needs to be extracted to a web directory with integrated authentication and the reset one to a web folder with anonymous access.
The database can be put anywhere and the asp files modified to reflect this.
The user running the reset web page has to have correct access to be able to reset passwords and I'm not sure what these need to be as mine seems to work at the moment.
The code is a bit messy but seems to work. The answers to questions 1 & 2 are md5 encoded in the database but the 3rd one is left as clear text as it could form the basis of a helpdesk check that a person is who they say they are.
At the moment the password that theirs is changed to is hard coded but this could be easily changed to a form to allow them to pick their own.
There is no styling on the forms and html at the moment again I'm hoping someone that's better than me at pretty html could help out.
I'd also like to improve the questions so that they can't answer the same question 3 times which they can at the moment but that's for version 2 maybe.
If anyone tries it and has problems let me know.
Cheers,
Ben

31 views and no comments from anyone?
Ben

It's only been downloaded twice
I had a look at the code and the DB structure. It looks good, seems as though it will provide some good results... haven't had time to test the actual scripts yet though.

Will have a look at it at the end of this week.
russ

Passed onto my NM for a look.
Hi,
I like the idea, although children's inability to be original means that we may have to think carefully about the questions or they could become guessable.
A cursory look at the code shows that you are passing the user name in the form and trusting that to be correct, where I can see some of our more able hackers spoofing the form data (I have one - thankfully on the side of the angels - who would do it just for the challenge)
Given that you are trusting ASP to return the user and then submit that as a hidden field, could you not make that calculation in the register_user.asp so that it need not be passed?
Also, it would be nice to have the student need to bring something physical to the equation. If you made the system generate one of the answers, perhaps as a long random number, you could have the confirmation screen display it as a bar code to be printed and used as an unlock ticket. Your reset terminal would need a bar code reader, but it would mean that physical theft would be involved to steal someone's password, which is a reasonable deterrent.
You could force a re-registration after every unlock to make the key one time only which would also enhance the security.
I will try & install it on a machine somewhere that serves ASP and play with the functionality later so these are only initial thoughts.
Keep up the good work

Hi SG,
All good ideas. Yes the form responses could be spoofed.
I will look into maybe passing them as session variables or something instead and changing register_user.asp so it gets the username there instead.
The physical ticket idea is good but if it was something that was printed then they could lose it. Maybe a confirmation code that they have to write down.
I suppose I could use another field in the database to store if they had unlocked and then make them re-register next time they logged in.
Cheers,
Ben
Is there a way to load this at logon somehow? Because if they can't logon, how can they reset their password?
Just a thought

Originally Posted by fooby
Create a locked-down passwordless account called "resetpassword" whose shell is a web browser that loads that page.
If they're on XP why can't they just right click on 'Change Password' button of the Ctrl-Alt-Del menu?
Though I actually have that button disabled through GP.

Originally Posted by MrDylan
Because you can only get that button once you have logged in. And to log in you need your current password - hence this self-service password reset for if it has been compromised/forgotten ...

Originally Posted by webman
Ahh right, thanks.
Plexer,
Very nice idea, although I have a feeling that unless we force the kids to register their answers to the questions, some will never bother, defeating the object somewhat.
To force this, I've got a login script that calls register.html (asp removed to prevent form spoofing as pointed out by Shiny_Guru, username now retrieved in register_user.asp) in IE's kiosk mode.
register_user.asp removes the user login script once the details are stored.
This works fine if the user is an admin who has permissions to modify AD, but if it's a normal user it fails due to insufficient privileges.
I'm new to asp so I'm pretty much winging this, but I think I need to stop impersonating the current authenticated user while running the AD code, for which I've found this code:
Code:
// Stop impersonation
WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
try
{
    // Thread is now running under the process identity.
    // Any resource access here uses the process identity.

    // Remove logon script from user
    Dim oUser
    Set oUser = GetObject("WinNT://domain.sch.uk/" & strusername & "")
    oUser.LoginScript = ""
    oUser.SetInfo
    Set oUser = Nothing
}
finally
{
    // Resume impersonation
    ctx.Undo();
}
Trouble is, I keep getting an error:
Code:
Microsoft VBScript compilation error '800a0401'
Expected end of statement
/register/register_user.asp, line 85
WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
--------------------------------------------------------------------------^
Googling the error code suggested looking for a missing & or , but as I'm not familiar with asp's syntax, I'm a little stuck as to how to fix it.
Can anyone point out what's missing, or if I'm even on the right track?
I've attached my modified (non-working) version in case that's of help.

Irazmus: Excellent work there on the css etc... that's exactly what I was hoping someone would do to make it look pretty.
Rather than using a logon script, could we just set their homepage to an asp page that searches the db for their username? If it exists they have filled it in and they get redirected to Google or wherever. If they don't exist they are then redirected to the sign up page?
Ben
Glad you like the redesign
Yes we could do it that way, in fact I've just modified register.asp to check if the current username is in the database, and to skip the reg page and redirect to Google if it is.
I'd still like to find exactly what I was missing though, as I can see some situations where a logon script would be better
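The two server-side checks discussed in this thread, as an added example that is not code from the attached zip: Shiny_Guru's point that the username should come from the authenticated identity rather than a hidden form field, and Irazmus's register.asp change that skips the registration page when the user is already in the database. The table and column names (tblUsers, Username), the database path and the redirect target are assumptions.

```asp
<%
' Added example (not from the thread's zip). Assumed: table tblUsers with a
' Username column, and the .mdb stored outside the web root at the path below.
Option Explicit

' The directory is protected by integrated authentication, so IIS fills in
' LOGON_USER (DOMAIN\user) itself; a client cannot set it the way it can
' set a hidden form field such as Request.Form("username").
Function CurrentUsername()
    Dim strLogon, intPos
    strLogon = Request.ServerVariables("LOGON_USER")
    intPos = InStr(strLogon, "\")
    If intPos > 0 Then strLogon = Mid(strLogon, intPos + 1)
    CurrentUsername = LCase(strLogon)
End Function

' True if the user has already stored their questions. The username is bound
' as a parameter, so it never becomes part of the SQL text.
Function IsRegistered(strUsername)
    Dim cn, cmd, rs
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open "Provider=Microsoft.Jet.OLEDB.4.0;" & _
            "Data Source=C:\inetpub\data\reset.mdb"   ' assumed location
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandText = "SELECT COUNT(*) FROM tblUsers WHERE Username = ?"
    ' 200 = adVarChar, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("u", 200, 1, 255, strUsername)
    Set rs = cmd.Execute
    IsRegistered = (rs(0) > 0)
    rs.Close
    cn.Close
End Function

Dim strUser
strUser = CurrentUsername()
If Len(strUser) = 0 Then
    ' Reached without authentication (e.g. anonymous access left on): refuse.
    Response.Status = "401 Unauthorized"
    Response.End
End If

If IsRegistered(strUser) Then
    Response.Redirect "http://www.google.co.uk/"   ' already registered
End If
' Not registered: fall through and render the question form. register_user.asp
' should call CurrentUsername() again instead of reading a posted username.
%>
```

Because the check is a database lookup under the normal web identity, it also avoids the privilege problem hit when trying to remove the logon script from AD.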