To read the article online, visit http://www.4GuysFromRolla.com/webtech/090600-1.3.shtml

Logins and Permissions, Part 3

By Peter McMahon


  • Read Part 1
  • Read Part 2

    In Part 2 we looked at creating a menu based upon the person who was logged in. In this part, we'll look at how to secure our "sensitive" Web pages so that users cannot slip by our login screen and view information they're not supposed to see!

    Securing the Pages
    The above method of creating a secure login is utterly useless unless you individually secure each page. Unless you do this, the script will have the same effectiveness as a client-side JavaScript login where the user is simply redirected if they log in successfully: there is nothing stopping a visitor from going directly to the main page, or any of the other pages that are supposedly secured. The secret to preventing this is to be able to check whether the user has logged in. A session variable is possibly the best solution for checking whether the user has recently logged in and what permissions they have. The session variable Status is set by the login script (only if you log in successfully, of course); if you do not log in, the session variable will not be set. Each secure page therefore needs a few short lines to check whether the user has logged in and, if not, to redirect the user to the login page so that they never see the contents of the secured page. Here's the code used:

    <%
       ' Buffer the output so the redirect can be sent before any HTML is written
       Response.Buffer = True
       ' Only a session whose Status was set by the login script gets through
       If Session.Contents("status") <> "Administrator" Then
          Response.Redirect "login.html"
       End If
    %>
    <HTML>
    ...Rest of HTML/ASP code here...
    

    This needs to be placed at the top of every page that needs to be secured. You could reduce it to one line with a server-side include, though: create a file named secure.inc with the following code in it:

    <%
       Response.Buffer = True
       If Session.Contents("status") <> "Administrator" Then
          Response.Redirect "login.html"
       End If
    %>
    

    And then this code at the top of each page:

    <!-- #INCLUDE FILE="secure.inc" -->

    Another important factor is the actual status value you check for. In the above example, only users who have logged in as an Administrator will be allowed to access the page. This could be replaced with the other classes or groups of users that you may have, such as customers and salespersons, like this:

    <%
       Response.Buffer = True
       If Session.Contents("status") <> "Customer" Then
          Response.Redirect "login.html"
       End If
    %>
    

    Your administrative users will generally be allowed to view everything on the site, so you must add another condition to the If statement, allowing two user classes to have access to that particular page. It is simply a matter of adding AND Session.Contents("status") <> "Administrator" to the If statement, like this:

    <%
       Response.Buffer = True
       If Session.Contents("status") <> "Customer" AND _
          Session.Contents("status") <> "Administrator" Then
          Response.Redirect "login.html"
       End If
    %>
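    Adding a condition per user class works, but every secured page then carries its own copy of the If statement. The following reusable version of secure.inc is an added example written for this edit, not code from the article: the including page names the classes allowed to see it in a variable called AllowedRoles (set in a script block above the include line), and the include does the check. AllowedRoles and RequireRole are names chosen for this example. It keeps the article's exact-match comparison against Session.Contents("status") and falls back to Administrator-only when a page forgets to set AllowedRoles.

```asp
<%
' secure.inc, generalised (added example; not the article's own code).
' A page chooses who may see it by assigning AllowedRoles, for example
'    AllowedRoles = "Customer,Administrator"
' in a script block placed above the include line. #INCLUDE is expanded
' before the script runs, so the variable is in scope here.
' (Under Option Explicit, Dim AllowedRoles on the page first.)
Response.Buffer = True   ' nothing reaches the browser until the check is done

Sub RequireRole(roleList)
   Dim roles, i, currentStatus, allowed
   currentStatus = Session.Contents("status")

   ' An unset Status means the login script never ran for this session.
   If IsEmpty(currentStatus) Then currentStatus = ""
   If currentStatus = "" Then Response.Redirect "login.html"

   ' roleList is a comma-separated list such as "Customer,Administrator".
   roles = Split(roleList, ",")
   allowed = False
   For i = 0 To UBound(roles)
      ' Exact match, as in the article's If statement; Trim only removes
      ' spaces around the entries in the list.
      If Trim(roles(i)) = currentStatus Then allowed = True
   Next

   ' Response.Redirect ends the page in classic ASP, so none of the HTML
   ' below the include line is ever sent to a user who fails the check.
   If Not allowed Then Response.Redirect "login.html"
End Sub

' Default to the strictest rule when a page does not set AllowedRoles.
If IsEmpty(AllowedRoles) Then AllowedRoles = "Administrator"
RequireRole AllowedRoles
%>
```

    With this in place, a customer page sets AllowedRoles to "Customer,Administrator" and then includes secure.inc, while an admin-only page simply includes it. Because the default is the most restrictive class, forgetting the assignment locks a page down rather than opening it up.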
    

    This code provides a very basic, yet secure login solution. If, however, you'd like something a little more secure, then read Part 4!

  • Read Part 4!


    Article Information
    Article Title: Logins and Permissions, Part 3
    Article Author: Peter McMahon
    Published Date: Wednesday, September 06, 2000
    Article URL: http://www.4GuysFromRolla.com/webtech/090600-1.3.shtml


    Copyright 2017 QuinStreet Inc. All Rights Reserved.