This article demonstrates how to write simple Active Server
Pages (ASP) code to restrict access with a logon page. The methods in this
article are simplistic. For greater functionality or for stronger security, see
the "References" section at the end
of this article.
In this example, you will create the following two
pages:
MyPage.asp: This page is protected and cannot be browsed to without the
correct user name and password.
Logon.asp: This page provides a form in which users type their credentials.
The form then verifies the user's name and password. If the name and password
are correct, it writes a cookie to the client, which becomes the "key" for
accessing other ASP pages.
Use Notepad to create these ASP pages. To start Notepad, from the
Windows Start menu, point to Programs, point to Accessories, and then click Notepad. Save each of these documents to the root Web of your local Web
server (which is typically C:\InetPub\Wwwroot\). If you change the location of
the documents, you must also modify the script in these files accordingly.
Logon.asp
In Notepad, click New on the File menu.
Highlight the following code, right-click the code, and
then click Copy from the shortcut menu. In Notepad, click Paste on the Edit menu to paste the following code into Notepad:
<html>
<head>
<title>Logon Form</title>
<%
Username="Administrator"
Password="Admin"
Validated = "OK"
if Strcomp(Request.Form("User"),Username,1)=0 AND Request.Form("password") = Password then
'Set the validation cookie and redirect the user to the original page.
Response.Cookies("ValidUser") = Validated
'Check where the users are coming from within the application.
If (Request.QueryString("from")<>"") then
Response.Redirect Request.QueryString("from")
else
'If the first page that the user accessed is the Logon page,
'direct them to the default page.
Response.Redirect "MyPage.asp"
End if
Else
' Only present the failure message if the user typed in something.
If Request.Form("User") <> "" then
Response.Write "<h3>Authorization Failed.</h3>" & "<br>" & _
"Please try again.<br> <br>"
End if
End if
%>
</head>
<body bgcolor="#FFFFFF">
<FORM ACTION="<%=Server.HTMLEncode("Logon.asp?" & Request.QueryString)%>" method="post">
<h3>Logon Page for MyPage.asp</h3>
<p>
Username:
<INPUT TYPE="text" NAME="User" VALUE="" size="20">
Password:
<INPUT TYPE="password" NAME="password" VALUE="" size="20">
<INPUT TYPE="submit" VALUE="Logon">
</FORM>
</body>
</html>
Save this page as Logon.asp in the C:\InetPub\Wwwroot\
folder.
MyPage.asp
MyPage.asp is the page that you want to protect. You can use any
page with an .asp file extension.
In Notepad, click New on the File menu.
Highlight the following code, right-click the code, and
then click Copy from the shortcut menu. In Notepad, click Paste on the Edit menu to paste the following code into Notepad:
<%
Validated = "OK"
if Request.Cookies("ValidUser") <> Validated then
'Construct the URL for the current page.
dim s
s = "http://"
s = s & Request.ServerVariables("HTTP_HOST")
s = s & Request.ServerVariables("URL")
if Request.QueryString.Count > 0 THEN
s = s & "?" & Request.QueryString
end if
'Redirect unauthorized users to the logon page.
Response.Redirect "Logon.asp?from=" &Server.URLEncode(s)
End if
%>
<html>
<head>
<title>My Protected Page</title>
</head>
<body>
<p align="center">This is my secret information<br>
You cannot see it unless you<br>
are properly logged on!</p>
</body>
</html>
Save this page as MyPage.asp in the C:\InetPub\Wwwroot\
folder.
Open your Web browser. If you are using Microsoft Internet
Explorer, from the Windows Start menu, point to Programs, and then click Internet Explorer.
Type the following address in the Address bar, and then
press ENTER:
http://localhost/MyPage.asp
Notice that you are redirected to Logon.asp.
Type the user name and password that are hard-coded in the
Logon.asp file (Username: Administrator, Password: Admin), and then click Logon.
You should now see the MyPage.asp page.
Type an incorrect user name or password to confirm that you
cannot log on and therefore cannot browse to MyPage.asp.
To protect other ASP pages, add the following code at the
top of the ASP page before any other code:
<%
Validated = "OK"
if Request.Cookies("ValidUser") <> Validated then
'Construct the URL for the current page.
dim s
s = "http://"
s = s & Request.ServerVariables("HTTP_HOST")
s = s & Request.ServerVariables("URL")
if Request.QueryString.Count > 0 THEN
s = s & "?" & Request.QueryString
end if
'Redirect unauthorized users to the logon page.
Response.Redirect "Logon.asp?from=" &Server.URLEncode(s)
End if
%>
To log on and be redirected to the protected page that you
request, you must point your hyperlinks to the actual page and not the
Logon.asp page. In this example, ensure that your hyperlink points to
MyPage.asp. If you are not logged on, the code that is included in that page
redirects you to Logon.asp automatically.
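As an added example that is not part of the original article, the following VBScript shows how the same Logon.asp/MyPage.asp check can be hardened against two weaknesses of the simplistic version: the constant "OK" cookie is replaced by a random per-logon token that is also kept in Session, and the "from" parameter is restricted to site-relative paths. It assumes that all pages run in one IIS application (so Session state is shared) and that the protected page passes its site-relative URL (Request.ServerVariables("URL") plus the query string) rather than the absolute URL built in MyPage.asp above; NewToken, SafeReturnUrl, IssueLogonCookie and IsLoggedOn are names chosen here.

```asp
<%
' Added example (not from the original article): hardened ValidUser check with
' a random per-logon token instead of "OK" and a site-relative-only "from".
' Random hex string. Rnd is not a cryptographic generator; treat this as a
' placeholder for a proper random source in production.
Function NewToken()
    Dim i, t
    Randomize
    t = ""
    For i = 1 To 32
        t = t & Hex(Int(Rnd * 16))
    Next
    NewToken = t
End Function

' Only a path on this site is accepted as the return URL, so Logon.asp
' cannot be used to bounce visitors to another host.
Function SafeReturnUrl(u)
    Dim s
    s = "" & u
    If Len(s) > 0 And Left(s, 1) = "/" And Left(s, 2) <> "//" And Left(s, 2) <> "/\" Then
        SafeReturnUrl = s
    Else
        SafeReturnUrl = "/MyPage.asp"
    End If
End Function

' Call in Logon.asp after the user name and password have been verified.
' The token is kept server-side in Session and sent to the client as a cookie.
Sub IssueLogonCookie()
    Dim token
    token = NewToken()
    Session("ValidUserToken") = token
    Response.Cookies("ValidUser") = token
    Response.Cookies("ValidUser").Path = "/"
End Sub

' Use at the top of every protected page instead of comparing with "OK".
' An absent cookie is "" and an unset Session value is Empty, and VBScript
' treats "" = Empty as True, so both cases are excluded explicitly.
Function IsLoggedOn()
    Dim c
    c = "" & Request.Cookies("ValidUser")
    IsLoggedOn = False
    If Len(c) > 0 And Not IsEmpty(Session("ValidUserToken")) Then
        If c = Session("ValidUserToken") Then IsLoggedOn = True
    End If
End Function
%>
```

In Logon.asp, call IssueLogonCookie and then Response.Redirect SafeReturnUrl(Request.QueryString("from")) after a successful check; in each protected page, replace the cookie comparison with If Not IsLoggedOn() Then, and pass Request.ServerVariables("URL") plus the query string as the from value. Because the token lives in Session, the logon is valid only until the ASP session times out.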
If you do not want your site's visitors to log on each time
they visit, you can save the ValidUser cookie on their computer so that this information is available
the next time they visit. The preceding code causes the cookie to expire as
soon as your session times out or as soon as you close your browser window. To
set an expiration period for the cookie, change the following code in Logon.asp
from
Response.Cookies("ValidUser") = Validated
to:
Response.Cookies("ValidUser") = Validated
Response.Cookies("ValidUser").Expires = DATE + 1
To specify the expiration period, change "1" to however many days you
prefer. For example, the following code causes the cookie to expire on your
computer after one year:
Response.Cookies("ValidUser").Expires = DATE + 365
If you set an expiration date, the cookie is saved on the end user's
computer so that the user can bypass the logon page in the future. However, if
the user browses to the site from another computer, the cookie is saved on that
computer, and someone else can potentially read and copy this
information.
An ASP logon page is useful for many applications, but it
does not offer the highest level of security. Generally, NTFS is the highest
level of security. NTFS requires that users type a user name and password that
Microsoft Windows recognizes. NTFS security can be used to set permissions on
the files and folders on the hard disk.
In addition, ASP security
rides on top of Microsoft Internet Information Server (IIS) security. If IIS is
not set up securely, and you add ASP security functions, you do not prevent
sophisticated users from obtaining access to your site.
For more
information about IIS and ASP security, see the "References" section.
The preceding code allows for only one set of user
credentials. The following Microsoft Knowledge Base article demonstrates how to
use an ASP logon page in which many user names are saved in a
database:
299987 How To Use Database and ASP Sessions to Implement ASP Security
(http://support.microsoft.com/kb/299987/EN-US/)
If you set an expiration date for the cookie, it is saved
on the computer that is used to browse to your page. If someone browses your
page from a public computer, such as from a computer at a coffee shop, the
cookie is saved on that computer and someone else may read and copy this
information. If you do not set an expiration date, the cookie is not saved to
the computer's hard disk (it is only stored in memory) and is deleted from the
computer's memory as soon as the browser is closed.
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.