
Protecting Your Pages


When I started with Active Server Pages, one of the first things I wanted to do was learn how to password protect certain pages. In this tutorial, I'll show you how I did it. We need to create 3 pages here. The first page will be a login page. The second page will verify that the user exists in our database. The final page will be the loginsuccess page. So let's get to it.

First we just create a normal form, but because we want to report errors to the person if something went wrong, we'll also include some basic ASP in the page. Save this page as login.asp.

<% @Language=VBScript%>
<% Option Explicit %>
<html>
<head><title>Login Here</title></head>
<body>
<%
If request("error")="1" then
response.write "Your username was not found in our database<br>"
End if
If request("error")="2" then
response.write "Your password did not match<br>"
End if
If request("error")="3" then
response.write "You must supply both a username and password<br>"
End if
%>
Please use your username and password to login to our secure area.<br>
<form method="post" action="verify.asp">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" name="submit" value="submit">
</form>
</body></html>

Now we create our verify.asp page which will take the data passed from the form and compare it to the database to verify whether or not the person should be allowed in.

<% @Language=VBScript %>
<% Option Explicit %>
<!--#include file="adovbs.inc"-->
<!--#include file="connection.asp"-->
<%
Dim username, password, objConn, foundIt, RS

'First we test our variables to make sure that neither are empty strings and if they are, we redirect back to the login page telling the person that both fields need to be filled in
username=trim(request.form("username"))
password=trim(request.form("password"))
If username = "" or password = "" then
response.redirect ("login.asp?error=3")
End If

Set RS = Server.CreateObject("ADODB.Recordset")
RS.Open "users", objConn

'Now we set up a variable called foundIt. It is initially set to false. If it finds the username that the person entered, it is then set to true. If it does not find the username, it keeps the false value, closes all connections and redirects back to the login page informing the user that his/her username was not found in the database.
foundIt=False
Do Until RS.EOF OR foundIt
If (StrComp(RS("username"), username, vbTextCompare) = 0) Then
foundIt=True
Else
RS.MoveNext
End If
Loop
If Not foundIt Then
RS.Close
Set RS = Nothing
objConn.Close
Set objConn = Nothing
response.redirect("login.asp?error=1")
End If

'Assuming we have found the username, we now compare the password they entered to the password for that username in the database. If they don't match, then we redirect them back to the login page and let them know they didn't match
If Not (StrComp(RS("password"), password, vbBinaryCompare) = 0) Then
RS.Close
Set RS = Nothing
objConn.Close
Set objConn = Nothing
Response.Redirect("login.asp?error=2")
Else
'Assuming that both the username and password match what is in the database, we assign a session variable called Valid with the username and redirect the user to our welcome page. We store the username variable we just verified rather than reading Request("username") again, because Request() also looks in the query string and could return a different value than the form field we checked.
Session("Valid") = username
RS.Close
Set RS = Nothing
objConn.Close
Set objConn = Nothing
Response.Redirect("welcome.asp")
End If

%>

Before we go to our next page, I want to point out something you may not have seen yet. We used the built-in VBScript function called StrComp. It takes the form StrComp(string1, string2, compare constant) and returns 0 when the two strings are equal. The compare constant could be vbTextCompare, vbBinaryCompare, or vbDatabaseCompare. We use it to compare the recordset field called username to the string in our variable called username with the vbTextCompare constant, so the username match ignores case. The password check uses vbBinaryCompare, so it is case-sensitive.
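A variation on verify.asp, added here as an example and not part of the original tutorial: it lets the database find the row through a parameterized ADODB.Command instead of walking the whole table, and it returns one error code for both "username not found" and "password did not match" so the login page does not reveal which usernames exist. The 50-character limit and the error=5 code are assumptions; login.asp would need a matching message for error=5.

```vbscript
<% @Language=VBScript %>
<% Option Explicit %>
<!--#include file="adovbs.inc"-->
<!--#include file="connection.asp"-->
<%
' Added example. Assumes connection.asp opens objConn, the users table has
' username and password columns, and usernames are at most 50 characters.
Const MAX_NAME_LEN = 50   ' assumed column size
Dim username, password, objConn, cmd, RS, loginOk

username = Trim(Request.Form("username"))
password = Trim(Request.Form("password"))
If username = "" Or password = "" Then
    Response.Redirect "login.asp?error=3"
End If

loginOk = False
If Len(username) <= MAX_NAME_LEN Then
    ' Let the database find the row; the value is bound as a parameter,
    ' never concatenated into the SQL text.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT [username], [password] FROM users WHERE [username] = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, MAX_NAME_LEN, username)
    Set RS = cmd.Execute
    If Not RS.EOF Then
        ' Same case-sensitive password comparison as the tutorial.
        If StrComp(RS("password").Value, password, vbBinaryCompare) = 0 Then
            loginOk = True
            ' Store the name from the verified row, not a fresh Request() read.
            Session("Valid") = RS("username").Value
        End If
    End If
    RS.Close
    Set RS = Nothing
    Set cmd = Nothing
End If

objConn.Close
Set objConn = Nothing
' One code for "no such user" and "wrong password"; error=5 is a
' hypothetical code that login.asp would need to handle.
If loginOk Then
    Response.Redirect "welcome.asp"
Else
    Response.Redirect "login.asp?error=5"
End If
%>
```

Whether the WHERE clause ignores case the way vbTextCompare does depends on the database's collation.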

Now we go on to our last page. Save this page as welcome.asp.

To check to make sure that someone has logged in successfully, we will have to check their session variable called Valid that we set up in our 2nd asp page. The code is shown below.

<% @Language=VBScript %>
<% Option Explicit %>
<%
'We check to make sure that session("Valid") is not empty. It should contain the person's username if they successfully logged in.
If Session("Valid") = "" Then
Response.redirect ("login.asp")
End If
%>
<html>
<head><title>Welcome</title></head>
<body>
Welcome <%=Server.HTMLEncode(Session("Valid"))%>. You have successfully logged in.
</body>
</html>

The above code will check to make sure the person logged in successfully, and then insert their username into the welcome portion of the body. For any page that you want to password protect, put the above check at the top of that page. You will need the code starting from If Session to End If, all enclosed in <% and %>. You could always include one more error code in your login page to say If request("error")="4" then response.write "You must log in first to access these pages." End If. Then in your session check in each page, change your response.redirect ("login.asp") to response.redirect ("login.asp?error=4"). See ya next time!

~Geoff Swartz