How To Use Simple ASP Code to Password Protect Your ASP Pages

Article ID: 301464
This article was previously published under Q301464

SUMMARY

This article demonstrates how to write simple Active Server Pages (ASP) code to restrict access with a logon page. The methods in this article are simplistic. For greater functionality or for stronger security, see the "References" section at the end of this article.

In this example, you will create the following two pages:
  • MyPage.asp: This page is protected and cannot be browsed to without the correct user name and password.
  • Logon.asp: This page provides a form in which users type their credentials. The form then verifies the user's name and password. If the name and password are correct, it writes a cookie to the client, which becomes the "key" for accessing other ASP pages.

Create the Application

Use Notepad to create these ASP pages. To start Notepad, from the Windows Start menu, point to Programs, point to Accessories, and then click Notepad. Save each of these documents to the root Web of your local Web server (which is typically C:\InetPub\Wwwroot\). If you change the location of the documents, you must also modify the script in these files accordingly.

Logon.asp

  1. In Notepad, click New on the File menu.
  2. Highlight the following code, right-click the code, and then click Copy from the shortcut menu. In Notepad, click Paste on the Edit menu to paste the following code into Notepad:
    <html>
    <head>
    <title>Logon Form</title>
    <%
    'The single set of credentials is hard-coded in the script source.
    Username="Administrator"
    Password="Admin"
    'Fixed value written to the ValidUser cookie on a successful logon.
    Validated = "OK"
    'StrComp with compare mode 1 (vbTextCompare) matches the user name case-insensitively;
    'the password is compared exactly.
    if Strcomp(Request.Form("User"),Username,1)=0 AND Request.Form("password") = Password then
    'Set the validation cookie and redirect the user to the original page.
        Response.Cookies("ValidUser") = Validated
        'Check where the users are coming from within the application.
        'Note that the "from" value is followed as given; nothing restricts it to this site.
        If (Request.QueryString("from")<>"") then
            Response.Redirect Request.QueryString("from")
        else
            'If the first page that the user accessed is the Logon page,
            'direct them to the default page.
            Response.Redirect "MyPage.asp"
        End if
    Else
    ' Only present the failure message if the user typed in something.
        If Request.Form("User") <> "" then
            Response.Write "<h3>Authorization Failed.</h3>" & "<br>" & _
            "Please try again.<br>&#xa0;<br>"
        End if
    End if
    %>
    </head>
    <body bgcolor="#FFFFFF">
    <%
    'Post back to this page, carrying the query string (the "from" value) along.
    'The query string is HTML-encoded so that a crafted URL cannot inject markup
    'into the ACTION attribute.
    Dim qs
    qs = "" & Request.QueryString
    %>
    <FORM ACTION="Logon.asp?<%=Server.HTMLEncode(qs)%>" method="post">
    <h3>Logon Page for MyPage.asp</h3>
    <p>
    Username:
    <INPUT TYPE="text" NAME="User" VALUE="" size="20">
    Password:
    <INPUT TYPE="password" NAME="password" VALUE="" size="20">
    <INPUT TYPE="submit" VALUE="Logon">
    </FORM>
    </body>
    </html>

  3. Save this page as Logon.asp in the C:\InetPub\Wwwroot\ folder.

MyPage.asp

MyPage.asp is the page that you want to protect. You can use any page with an .asp file extension.
  1. In Notepad, click New on the File menu.
  2. Highlight the following code, right-click the code, and then click Copy from the shortcut menu. In Notepad, click Paste on the Edit menu to paste the following code into Notepad:
    <%
    'The page accepts any request that carries a ValidUser cookie with the value "OK".
    'Because the value is a constant, a client can set that cookie itself; see "Pitfalls".
    Validated = "OK"
    if Request.Cookies("ValidUser") <> Validated then
    'Construct the URL for the current page so that Logon.asp can send the user back here.
        dim s
        'Use the scheme of the current request; IIS sets the HTTPS variable to ON over SSL.
        if UCase(Request.ServerVariables("HTTPS")) = "ON" then
            s = "https://"
        else
            s = "http://"
        end if
        s = s & Request.ServerVariables("HTTP_HOST")
        s = s & Request.ServerVariables("URL")
        if Request.QueryString.Count > 0 THEN
            s = s & "?" & Request.QueryString
        end if
        'Redirect unauthorized users to the logon page. Response.Redirect ends
        'script processing, so nothing below this point is sent to the client.
        Response.Redirect "Logon.asp?from=" & Server.URLEncode(s)
    End if
    %>
    <html>
    <head>
    <title>My Protected Page</title>
    </head>
    <body>
    <p align="center">This is my secret information<br>
    You cannot see it unless you<br>
    are properly logged on!</p>
    </body>
    </html>

  3. Save this page as MyPage.asp in the C:\InetPub\Wwwroot\ folder.

Test the Application

  1. Open your Web browser. If you are using Microsoft Internet Explorer, from the Windows Start menu, point to Programs, and then click Internet Explorer.
  2. Type the following address in the Address bar, and then press ENTER:
    http://localhost/MyPage.asp
    Notice that you are redirected to Logon.asp.
  3. Type the user name and password that are hard-coded in Logon.asp (User name: Administrator, Password: Admin), and then click Logon. You should now see MyPage.asp.
  4. Type an incorrect user name or password to confirm that you cannot log on and therefore cannot browse to MyPage.asp.
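The following Python model is an added example, not code from the article: it reproduces the decision logic of Logon.asp and MyPage.asp so the test steps above can be exercised without IIS. Request.Form, Request.QueryString and Request.Cookies are modelled as plain dicts and strings (constructed inputs), and Response.Cookies and Response.Redirect as return values. Beyond the article's four steps it also checks two things the article does not: that a client which sets ValidUser=OK itself is accepted, and that the "from" parameter is followed to any host.

```python
"""
Python model of the decision logic in the article's Logon.asp and MyPage.asp.
Added example, not the article's code: ASP Request/Response objects are
modelled as dicts, strings and return values so the flow runs offline.
"""
from urllib.parse import quote, parse_qs

# Constants exactly as hard-coded in the article's scripts.
USERNAME = "Administrator"
PASSWORD = "Admin"
VALIDATED = "OK"  # the fixed "key" written to the ValidUser cookie


def logon(form, query):
    """Logon.asp: returns (cookies_to_set, redirect_target, failure_message).

    StrComp(..., 1) in the original is a case-insensitive compare of the user
    name; the password compare is exact.
    """
    user = form.get("User", "")
    if user.lower() == USERNAME.lower() and form.get("password", "") == PASSWORD:
        cookies = {"ValidUser": VALIDATED}
        # "from" is redirected to without validation, exactly as in Logon.asp,
        # so any absolute URL placed there is followed.
        target = query.get("from") or "MyPage.asp"
        return cookies, target, ""
    if user != "":
        return {}, None, "Authorization Failed. Please try again."
    return {}, None, ""


def protected_page(cookies, host, url, query_string=""):
    """MyPage.asp: returns ("redirect", logon_url) or ("content", text).

    Server.URLEncode is modelled with urllib.parse.quote(safe=""); the only
    difference is that URLEncode writes a space as "+" rather than "%20".
    """
    if cookies.get("ValidUser") != VALIDATED:
        s = "http://" + host + url  # scheme hard-coded, as in the article
        if query_string:
            s += "?" + query_string
        return "redirect", "Logon.asp?from=" + quote(s, safe="")
    return "content", "This is my secret information"


def from_parameter(logon_url):
    """Recover the "from" value Logon.asp sees in Request.QueryString."""
    return parse_qs(logon_url.split("?", 1)[1])["from"][0]


def walk_through():
    """Run the article's test steps plus two checks the article does not make."""
    # Step 2: an unauthenticated request to MyPage.asp is bounced to Logon.asp.
    _, logon_url = protected_page({}, "localhost", "/MyPage.asp")
    # Step 3: correct credentials set the cookie and return the user to "from".
    cookies, target, _ = logon({"User": "administrator", "password": "Admin"},
                               {"from": from_parameter(logon_url)})
    # Step 4: wrong password shows the message and sets no cookie.
    bad_cookies, _, message = logon({"User": "Administrator", "password": "admin"}, {})
    # Not in the article: a forged cookie is accepted, and "from" is an open redirect.
    forged_kind, _ = protected_page({"ValidUser": "OK"}, "localhost", "/MyPage.asp")
    _, open_redirect, _ = logon({"User": "Administrator", "password": "Admin"},
                                {"from": "http://attacker.example/"})
    return {
        "bounced_to": logon_url,
        "cookie_after_logon": cookies,
        "returned_to": target,
        "content_with_cookie": protected_page(cookies, "localhost", "/MyPage.asp")[0],
        "failure_message": message,
        "cookie_after_failure": bad_cookies,
        "forged_cookie_accepted": forged_kind == "content",
        "open_redirect_target": open_redirect,
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Running the module prints each finding; the last two lines are the ones to note before deploying the article's scheme as-is.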

Other Considerations

  • To protect other ASP pages, add the following code at the top of the ASP page before any other code:
    <%
    'Any request carrying a ValidUser cookie with the value "OK" is accepted.
    'Because the value is a constant, a client can set that cookie itself; see "Pitfalls".
    Validated = "OK"
    if Request.Cookies("ValidUser") <> Validated then
    'Construct the URL for the current page so that Logon.asp can send the user back here.
        dim s
        'Use the scheme of the current request; IIS sets the HTTPS variable to ON over SSL.
        if UCase(Request.ServerVariables("HTTPS")) = "ON" then
            s = "https://"
        else
            s = "http://"
        end if
        s = s & Request.ServerVariables("HTTP_HOST")
        s = s & Request.ServerVariables("URL")
        if Request.QueryString.Count > 0 THEN
            s = s & "?" & Request.QueryString
        end if
        'Redirect unauthorized users to the logon page. Response.Redirect ends
        'script processing, so nothing below this point is sent to the client.
        Response.Redirect "Logon.asp?from=" & Server.URLEncode(s)
    End if
    %>

  • To log on and be redirected to the protected page that you request, you must point your hyperlinks to the actual page and not the Logon.asp page. In this example, ensure that your hyperlink points to MyPage.asp. If you are not logged on, the code that is included in that page redirects you to Logon.asp automatically.
  • If you do not want your site's visitors to log on each time they visit, you can save the ValidUser cookie on their computer so that it is still present the next time they visit. The preceding code sets a cookie with no expiration date, which the browser keeps only in memory and discards when it is closed. To set an expiration period for the cookie, change the following code in Logon.asp from
            Response.Cookies("ValidUser") = Validated

    to:
            Response.Cookies("ValidUser") = Validated
            Response.Cookies("ValidUser").Expires = Date + 1

    To specify the expiration period, change "1" to however many days you prefer. For example, the following code causes the cookie to expire on the user's computer after one year:
            Response.Cookies("ValidUser").Expires = Date + 365

    If you set an expiration date, the cookie is saved on the end user's computer so that the user can bypass the logon page in the future. However, if the user browses to the site from another computer, the cookie is saved on that computer, and someone else can potentially read and copy this information.

Pitfalls

  • An ASP logon page is useful for many applications, but it does not offer the highest level of security. In this example in particular, the credentials are stored in clear text in the script source, and the ValidUser cookie is a fixed string ("OK") that any client can set for itself without ever submitting the form, so the check in MyPage.asp can be bypassed by anyone who knows the cookie name. Generally, NTFS permissions provide the highest level of security available on the platform. NTFS requires that users type a user name and password that Microsoft Windows recognizes, and NTFS security can be used to set permissions on the files and folders on the hard disk.

    In addition, ASP security rides on top of Microsoft Internet Information Server (IIS) security. If IIS itself is not set up securely, adding ASP security functions does not prevent sophisticated users from obtaining access to your site.

    For more information about IIS and ASP security, see the "References" section.
  • The preceding code allows for only one set of user credentials. The following Microsoft Knowledge Base article demonstrates how to use an ASP logon page in which many user names are saved in a database:
    299987 How To Use Database and ASP Sessions to Implement ASP Security
  • If you set an expiration date for the cookie, it is saved on the computer that is used to browse to your page. If someone browses your page from a public computer, such as from a computer at a coffee shop, the cookie is saved on that computer and someone else may read and copy this information. If you do not set an expiration date, the cookie is not saved to the computer's hard disk (it is only stored in memory) and is deleted from the computer's memory as soon as the browser is closed.
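The two pitfalls above that the article's own code exhibits, a forgeable constant cookie and an unrestricted "from" redirect, can be closed without abandoning the cookie approach. The following Python is an added example, not code from the article: it shows the cookie value replaced by an HMAC-authenticated token carrying the user name and an expiry time (so a client cannot mint or extend one without the server-side secret, and the expiration from the "Other Considerations" section is enforced by the server rather than trusted to the browser), and the post-logon return URL restricted to a same-site path. SECRET, TOKEN_LIFETIME and the function names are assumptions for illustration; a real deployment loads the secret from configuration, never from the script source.

```python
"""
Hardened replacement for the article's fixed ValidUser=OK cookie.  Added
example (not the article's code).  SECRET and TOKEN_LIFETIME are placeholders.
"""
import hashlib
import hmac
import time
from urllib.parse import urlsplit

SECRET = b"placeholder-load-32-random-bytes-from-configuration"  # assumption
TOKEN_LIFETIME = 8 * 3600  # seconds; the article's one-day cookie would be 86400


def issue_token(user, now=None, secret=SECRET):
    """Build "user|expiry|hmac", the value to write to the cookie on logon."""
    now = time.time() if now is None else now
    payload = f"{user}|{int(now) + TOKEN_LIFETIME}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token, now=None, secret=SECRET):
    """Return the user name if the token is genuine and unexpired, else None.

    This is the check a protected page runs instead of comparing the cookie
    to the constant "OK".  Any malformed value, including the old "OK", fails.
    """
    now = time.time() if now is None else now
    try:
        user, exp_text, mac = token.rsplit("|", 2)
        expiry = int(exp_text)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(secret, f"{user}|{exp_text}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time compare so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    if now >= expiry:
        return None
    return user


def safe_return_url(candidate, default="/MyPage.asp"):
    """Accept only a same-site absolute path as the post-logon destination.

    Rejects absolute URLs (http://...), scheme-relative ones (//host/...,
    including ///host), backslash variants browsers treat as slashes, and
    javascript: or other schemes; anything rejected falls back to default.
    """
    if not candidate or "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


if __name__ == "__main__":
    token = issue_token("Administrator")
    print("cookie value:", token)
    print("verifies as:", verify_token(token))
    print("forged 'OK' verifies as:", verify_token("OK"))
    print("return URL for http://attacker.example/:",
          safe_return_url("http://attacker.example/"))
```

In the ASP pages this corresponds to writing the token with Response.Cookies("ValidUser") = token in Logon.asp (setting Response.Cookies("ValidUser").Secure = True when the site is served over SSL, and adding HttpOnly through Response.AddHeader "Set-Cookie", since the ASP 3.0 Cookies collection has no HttpOnly property), and replacing the `<> Validated` comparison in MyPage.asp with the equivalent of verify_token. Storing only Request.ServerVariables("URL") and the query string in "from", rather than the full http://host/... URL the article builds, is what makes the safe_return_url check possible.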

REFERENCES

Other "How To" Microsoft Knowledge Base Articles

299987 How To Use Database and ASP Sessions to Implement ASP Security
299970 How to use NTFS permissions to protect a Web Page running on IIS 4.0 or 5.0

Primary Microsoft Security References

Microsoft Security
http://www.microsoft.com/security/

TechNet Web Site Security
http://www.microsoft.com/technet/Security/default.mspx
If the preceding TechNet link fails, browse to the TechNet home page at:
http://technet.microsoft.com/default.aspx
In the left pane, point to Security, and then click Web Site.

General Security References

White Paper: Implementing a Secure Site with ASP
http://msdn2.microsoft.com/en-us/library/ms995337.aspx
164882 Practical Recommendations for Securing Internet-Connected Windows NT Systems
282060 Resources for Securing Internet Information Services
271071 Minimum NTFS Permissions Required for IIS 5.0 to Work
174811 Authentication and Security White Paper for Internet Developers
229694 How to Use the IIS Security "What If" Tool

Specialized Security References

239120 Create a Secure FTP Directory that Uses Password Authentication
216705 How to Set Permissions on a FrontPage Web on IIS
280383 IIS Security Recommendations When You Use a UNC Share and Username and Password Credentials
176378 How To SQL Server with Integrated Security, IIS on Same Machine
260985 XIMS: Minimum NTFS Permissions Required to Use CDONTS
257685 Proxy Server 2.0 Security Checklist
165340 Change Permissions Needed on Index Server System Files
235874 Windows NT File System (NTFS) Permissions Required for Proxy Server 2.0

Properties

Article ID: 301464 - Last Review: June 11, 2007 - Revision: 4.3
APPLIES TO
  • Microsoft Active Server Pages 3.0
Keywords: 
kbaspobj kbcodesnippet kbhowto kbhowtomaster kbscript kbsecurity kbserver kbsysadmin kbwebserver KB301464
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
