March 2, 2021
Hot Topics:

Simple Security with ASP

  • By Curtis Dicken
  • Send Email »
  • More Articles »
Creating a Simple Login Page

Now that you have determined what you need secure and how you are going to track your users, you will need a login page for the user. The login page below will verify the User Name and Password, display an error message when an incorrect entry in made, and redirect the user to your content page when a correct entry is given.

' ************************************************************************
' Check for enabled cookies by creating a test session variable and
' recalling the login page. If the session variable retains its value
' then your test is successful
' ************************************************************************
If Session("Access_Status") = "" _
AND Request.QueryString("test") <> 1 then

Session("Access_Status") = "Test"
Response.Redirect "login.asp?test=1"

ElseIf Session("Access_Status") = "" _
AND Request.QueryString("test") = 1 then

Response.Redirect "cookie_error.asp"

End If 

' ************************************************************************
' Verify User Name and Password. If correct set Session variable = Granted
' to check against on secure pages. Redirect User to the secured content.
' ************************************************************************
If LCase(Trim(Request("User_Name"))) = "user" _
AND Request("Password") = "password" then

Session("Access_Status") = "Granted"
Response.Redirect "Content.asp"

' ************************************************************************
' If not correct User Name and Password and user attempted to enter
' something, change status to Denied. Use this value to know when
' to display an error message.
' ************************************************************************
ElseIf Request("User_Name") <> "" _
OR Request("Password") <> "" then

Session("Access_Status") = "Denied"

' ************************************************************************
' Must be an initial view or the User entered nothing. Make sure the
' Access_Status = "" so the page will display without an error message
' ************************************************************************

Session("Access_Status") = "Test"

End If 


<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Login Page</title>


<p style="margin-top: 2; margin-bottom: 2"><font face="Arial Black" size="5">Welcome
to Security-R-Us.com . . .</font></p>
<p style="margin-top: 2; margin-bottom: 2"><font face="Arial Narrow" size="3">Securtiy-R-Us.com,
only where we want you to be.</font></p>
<hr align="left" width="80%" color="#000000">
<p style="margin-top: 2; margin-bottom: 2">&nbsp;</p>
<div align="center">
<table border="0" cellpadding="4" cellspacing="0" width="60%" style="background-color: #C0C0C0; color: #000000; border: 4 ridge #000000; margin-top: 2; margin-bottom: 2">
<td width="100%">
<p style="margin-top: 2; margin-bottom: 2"><font size="4" face="Arial"><b>Please
Login below:</b></font></p>

<% ' ************************************************************************ %>
<% ' Display error message when an incorrect User Name or Password is entered %>
<% ' ************************************************************************ %>
<% If Session("Access_Status") = "Denied" then %>

<p style="margin-top: 2; margin-bottom: 2" align="center"><font size="2" face="Arial" color="#FF0000">***
The User Name and/or Password you entered were incorrect. Try Again. ***</font></p>
<% End If %>

<form method="POST" action="login.asp">
<p style="margin-top: 2; margin-bottom: 2"><font face="Arial">User
Name: <input type="text" name="User_Name" size="20"></font></p>
<p style="margin-top: 2; margin-bottom: 2"><font face="Arial">Password:
<input type="password" name="Password" size="20"></font></p>
<p style="margin-top: 2; margin-bottom: 2">&nbsp;</p>
<p style="margin-top: 2; margin-bottom: 2" align="center"><input type="submit" value="Login" name="Login" style="background-color: #FFFFFF; font-family: Arial Black; font-size: 12pt; color: #000000" tabindex="3">&nbsp;&nbsp;&nbsp;&nbsp;
<input type="reset" value="Reset" name="Reset" style="background-color: #FFFFFF; color: #000000; font-family: Arial Black; font-size: 12pt" tabindex="4"></p>



The very first block of code executes a simple test to determine if cookies are enabled in the user's browser. The logic is very straight forward. First, I check to see if our Session variable "Access_Status" is null and if our QueryString variable "test" is null. If both are null it is assumed that this is the first time the user has visited this page. I then set the Session variable "Access Status" = "Test" and call the login page with the QueryString "test" set equal to 1. This way I know that the first phase of the test has been completed. On the next trip to the page the QueryString will be equal to 1. If the Session variable we used is still null then I redirect the user to a new page called cookie_error.asp which lets them know that they must use a browser that supports cookies and cookies must be enabled. If the QueryString test is equal to 1 and the Session variable is not null then I move on to the user name and password verification.

The page continues with a simple if .. then statement. I use Trim to get rid of any extra spaces and Lcase to make a case insensitive comparison. I want the Password to be exact, so I leave the comparison case sensitive and I do not get rid of any extra spaces. If the user has entered the correct User Name and Password, I set the "Access_Status" equal to "Granted" to check against on secured pages and then I redirect the user to the content that they want to view.

If failing to make a correct match I move to make sure that they made an attempt at entering the correct User Name and Password by checking to see if the User_Name and Passowrd fields contain anything. If there was attempt made I then set the session variable "Access_Status" equal to "Denied". I will then use this to display an error message when the page reloads.

If both of the previous criteria fail then there were either no entries made or this is the first time the page is being viewed. Either way, we just need to display the basic form, so we reset the "Access_Status" equal to "Test" to make sure the error message does not display and to skip the cookie verification.

Now you have a simple login page. I will add more features and flexibility to this page in future part of the series.


Securing your pages

Now that your login page has been created it's easy to secure your pages. Simply add the following code to the top of any secured content page making sure that the page has the .asp extension.

<% Option Explicit %>

' ***************************************************
' Check to see if user has access to this page
' ***************************************************
If Session("Access_Status") <> "Granted" then

Response.Redirect "login.asp"

End If


What could be simpler than that? If they don't have access then send them to the login page. You have now added basic security to you website.


# # #

Page 2 of 2

This article was originally published on November 30, 2001

Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

Thanks for your registration, follow us on our social networks to keep up-to-date