First I included the MD5 function in both the sending and form handling pages as it isn’t included with ASP

<!--#include file="md5.asp"-->

Then I defined a variable for the hashed SessionID

Dim strHashedSessionID
strHashedSessionID = MD5(Session.SessionID)

Next I added the hashed SessionID to the querystring of the form handling page

<form method="post" action="formhandler.asp?sender=">

On the form handling page, I added a server-side error message, generated only if the two values don’t match

<%
If Not Request.QueryString("sender") = strHashedSessionID Then
 Response.Write "Authentication error: Please re-sumbit the form"
End If
%>

Finally, if the two values do match, the email is sent

<%
If Request.QueryString("sender") = strHashedSessionID Then
 'send the email using CDOSYS
End If
%>

After adding some additional server-side form validation, I added the additional security scripting to my contact form.

There are a few changes in IIS7 which Classic ASP developers should be aware of.

IUSR and IIS_IUSRS authorisation

When you first fire up your browser to your local sites/apps, you may get this error:

IIS process needs access to the physical location of the web site, in this case C:UsersHomeWebSites, however the IIS accounts in IIS7 have now changed:

• The IUSR built-in account replaces the IUSR_MachineName account
• The IIS_IUSRS built-in group replaces the IIS_WPG group

Assign these accounts to the Windows directory security with Read & Execute; List Folder Contents; Read

ASP not installed by default

If you’re moving from Windows XP to Windows Vista, you may be getting this error:

This is usually the case when you haven’t installed the ASP component. Go to control panel > Programs and Features > Turn Windows features on or off > Internet Information Services > World Wide Web Services > Application Development Features.

Script errors no longer shown in browser by default

As a result of security paranoia, Microsoft turned off ASP’s default behaviour of sending script errors (including line number and code snippet to the browser. So instead of seeing the typical error you will now see this:

An error occurred on the server when processing the URL. Please contact the system administrator

To see the full error, like it was in IIS6, change the ‘Send Errors To Browser’ setting to ‘True’. Go to IIS Manager > ASP > Debugging Properties

You should now see this style of error:

Parents paths disabled by default

This is an old issue, which hits me all the time. Parent paths by default have been disabled since IIS6 (Windows Server 2003), but in IIS5.1 (Windows XP) it was enabled. So if your coming from Windows XP to Windows Vista, this will be new, however, I keep forgetting it’s disabled in IIS6 all the time, and no exception here.

The enableParentPaths setting determines where ASP “includes” should be allowed to escape the parent directory (e.g. ../../../includeFile.inc). You’ll see this error by default if you try to escape the current directory:

or you may see this error if you are using a path with ../ in it and your ADODB code

To revert back to IIS 5.1 behavior, simply change the ‘Enable Parent Paths’ setting.
Go to IIS Manager > ASP > Behaviour

If you have a form on your site that interacts with a database (e.g. a username/password login form), you should secure the form by adding an additional stage between submission and the database look-up. One way to do this is to check for valid content.

As usenames and passwords are usually strings of alphanumeric characters, you can strip out ‘bad’ characters from the input string.
The easiest way to do this is to collect the form’s input and check each character against a regular expression, removing any that are invalid.

The code below removes all non-alphanumeric characters from the input string:

<%
'gets the text submitted via a form
Dim strUsername, strPassword
strUsername = Request.Form("username")
strPassword = Request.Form("password")

'call the function to use
strUsername = stripString(strUsername)
strPassword = stripString(strPassword)

'function to strip all non-alphnumric characters
function stripString(strInput)
 Dim objRE
 Set objRE = New RegExp
 With objRE
  .Pattern = "[^A-Za-z0-9]"
  .Global = True
 End With
 stripChars = objRE.Replace(strInput, "")
 Set objRE = nothing
End Function
%>

If you’re using a login script on your site you probably store usernames and passwords in a database for authenticating the login.

For security reasons, you should never store these as plain text but should encrypt them with a one-way hash function such as md5 or sha1.

As neither of these funtions are included with ASP, you’ll need to download and unzip the hash function you want to use and upload it to your webspace.

To use the functions, include the file in the pages you want to use hashing.

<!--#include file="md5.asp"-->
or
<!--#include file="sha1.asp"-->

Then you simply call the function with either:

<% MD5("string") or SHA1("string") %>

For example, if you wanted to encrypt a Username and Password on a signup form, you would collect the Username and Password from the submitted form, hash them and then insert the hashed values into your database

<%
strHashedUsername = MD5(Request.Form("Username"))
strHashedPassword = MD5(Request.Form("Password"))
%>

To authenticate a user who is attempting to sign in, Hash the username and Password from the form and compare these with the strHashedUsername and strHashedPassword stored in your database.

If a user forgets their password you’ll need to generate a new, pseudo-random password for the user as hashing is one-way can’t be unencrypted.

Downloads: md5.zip sha1.zip