Published: Wednesday, July 07, 1999
A recent project I developed was for a group of local school districts that wanted to be able to view school bus ridership statistics and data via the web. The application was constructed so that the end user could drill down through the bus ridership data in the following order:
At each level the user can see summary statistics for that level and can drill down into the next level. An early decision made was that all page creation had to be built dynamically from a database, so that, for example, if new bus routes were added or deleted, no programmatic changes were needed in the internet application. The solution was an internet-based Access 97 database and ASP pages. Microsoft Access was selected primarily because the size of the database would remain relatively stable, and a defined number of users meant no significant concurrency issues. A nice feature of building ASP pages for Microsoft Access is that the code can be quickly ported to another database, such as Microsoft SQL Server, simply by modifying the connection statements. This series of articles reviews some of the processes that were developed to implement the application.
Securing the Site

Sounds easy. There are many ways to secure an ASP site: using NT security, 3rd party controls, databases, or script code. For this application, the user had to be allowed to access the application and log in with any browser type and from behind any firewall or proxy server that they had in place. Additionally, many of the users were on NT networks that used DHCP for assigning IP addresses. What does this mean? If you have ever tried to implement NT or IIS security on a system that has users coming in from different networks, domains, firewalls, proxies and browser types, you have certainly seen errors such as this before:

From Internet Explorer:
Why? Well, here's just one example of what might have happened. Believe me, this is just one example of the type of mess you get into developing security solutions. When a user makes a request to the Internet Information Server (IIS), it begins as an Anonymous request. Only when the user requests a restricted directory will the user be prompted for logon credentials.

Another option was to go with 3rd party server-side authentication. There are several good products out there that do this. However, in this case the client said no to the money. Too bad, it would have been money well spent.

So next, I was off to write my own ASP solution. Some standard methods of doing this did not pan out. For example, I could not restrict access by IP address because some of my users had dynamically generated IPs, either from their ISP or their Windows NT DHCP system. Restricting by domain did not seem adequate. Evaluating the security needs again to see what was really needed, I settled on a simple solution. I only needed one group account, a simple verification that the user was allowed to use the site. I ended up with this simple all-ASP solution.

Create a login form such as this:
Save the file as "authentication.htm" and place it in a separate directory from my ASP or HTML files, such as "/include/authentication.htm".

Next, create the "security.inc" file. This file is included at the top of every page that requires validation.
Next, include the following in every ASP or HTML file of your site, by typing
at the top of every page. The <% response.buffer = true %> statement does not allow the page to be displayed before processing is complete.

There you have it. Before each page is loaded, the "security.inc" file will test for a valid session, which means a valid login. If the session does not exist, then the user is sent back to the login page. The nice feature of this is that the user cannot enter the site by bypassing the default home page.

You can enhance this by adding more valid logins or, with a little work, even different levels of logins. Also, you can set up your site so that certain pages require a valid login, while others do not. Only pages with the <!--#INCLUDE FILE="security.inc"--> at the top require validation.
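The session gate described above, sketched as an added example; this is not the article's original code. The handler name login.asp, the form field names, the session key, the account values and the home page path are all assumptions, and the gate assumes protected pages are processed by the ASP engine.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' ---- File 1: login.asp (hypothetical name) ----
' Target of the form in /include/authentication.htm.
Response.Buffer = True

' Single group account (placeholder values, constructed for this example).
' They live in the .asp handler rather than in security.inc, in case the
' server returns .inc files as plain text when they are requested directly.
Const GROUP_USER = "ridership"
Const GROUP_PASS = "CHANGE-ME"

Dim user, pass
user = Trim(Request.Form("username"))   ' field names are assumptions
pass = Request.Form("password")

If StrComp(user, GROUP_USER, vbTextCompare) = 0 And _
   StrComp(pass, GROUP_PASS, vbBinaryCompare) = 0 Then
    Session("authenticated") = True      ' the flag security.inc tests
    Session.Timeout = 20                 ' idle minutes before a new login is needed
    Response.Redirect "/default.asp"     ' assumed home page
Else
    Session.Abandon                      ' drop any stale session state
    Response.Redirect "/include/authentication.htm"
End If
%>

<%
' ---- File 2: security.inc ----
' Pulled in by <!--#INCLUDE FILE="security.inc"--> at the top of each
' protected page. Buffering is on, so nothing is sent to the browser
' before the check has run.
Response.Buffer = True

' An unset session value is Empty, which is not equal to True, so a visitor
' who never logged in (or whose session timed out) goes back to the form.
If Session("authenticated") <> True Then
    Response.Clear
    Response.Redirect "/include/authentication.htm"
End If
%>
```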
Directed Minds is a web development company specializing in hosting and developing ASP, database and ecommerce solutions for large and small organizations. Roger Drye is the owner of Directed Minds. He has been developing Internet solutions for small and large companies and government entities for many years.