When you think ASP, think...
Recent Articles
All Articles
ASP.NET Articles [1.x] [2.0]
ASPFAQs.com
Message Board
Related Web Technologies
User Tips!
Coding Tips
Search

Sections:
Book Reviews
Sample Chapters
Commonly Asked Message Board Questions
Headlines from ASPWire.com
JavaScript Tutorials
MSDN Communities Hub
Official Docs
Security
Stump the SQL Guru!
Web Hosts
XML Info
Information:
Advertise
Feedback
Author an Article
Technology Jobs

















internet.com
IT
Developer
Internet News
Small Business
Personal Technology
International

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers
ASP ASP.NET ASP FAQs Message Board Feedback ASP Jobs
Print this page.

Windows Systems Administrator
Jupitermedia
US-CT-Darien

Justtechjobs.com Post A Job | Post A Resume

Published: Wednesday, September 06, 2000

Logins and Permissions
By Peter McMahon

The Problem
I was approached to build a financial tracking system for the company I work for during December of 1999. This system would allow the financial people and managers to login, view all the data, and modify it. The employees would be able to login and see what they would be owed for the month (employees are paid on a commission basis). They would only be allowed to see what they were earning, not what anyone else was earning. It was imperative that the data could not be tampered with if someone simply knew the names of the files where the data could be edited, so login state had to be kept. The admin users also needed to be able to add, delete, and modify users.

- continued -

SSL
SSL, or Secure Socket Layers (denoted by URLs that start with https://) should play a very large role in the security mechanisms of your site if you are serious about security. SSL allows information to be transferred securely over the Internet between two parties using a public-key/private-key authentication method to ensure the identity of both parties (you can read more about how SSL works by reading the articles in the Security Section). If the information that you will be transferring is sensitive (such as financial information), then I strongly recommend that you integrate SSL into your security mechanisms. Most important is the user login form. This is a bare minimum as to what should be protected using SSL, as should someone gain usernames and passwords to the site, you have a very serious security breach.

Database Design
The first thing I do when I receive a project like this is take out a piece of paper and work out what tables and columns I'm going to need in the database. Following that, I load up MS Access and design my tables. Below is the Logins table for this project:

The Logins database table.

Obviously, the Logins table would require a Username and a Password column, however I decided on also adding a third column, Status, which would be used to determine the permissions of any particular user. For example, a user with the status of "Administrator" would be able to view all of the financial documents, whereas a user with the status of "Designer" would only be able to see their financial information.

The Solution
The first page that needs to be created is the login form. I developed a standard form in an HTML file, login.html: 

<HTML>
<HEAD>
<TITLE>Login</TITLE>
</HEAD>
<BODY>
<FORM ACTION="login.asp" METHOD="post">
<TABLE BORDER="0">
<TR>
   <TD VALIGN="Top">Username:</TD>
   <TD VALIGN="Top"><INPUT TYPE="text" NAME="txtUsername"></TD>
</TR>
<TR>
   <TD VALIGN="Top">Password:</TD>
   <TD VALIGN="Top"><INPUT TYPE="password" NAME="txtPassword"></TD>
</TR>
<TR>
   <TD VALIGN="Top"></TD>
   <TD VALIGN="Top"><INPUT TYPE="submit" VALUE="Login"></TD>
</TR>
</TABLE>
</FORM>
</BODY>
</HTML>

It is important that you use the HTTP POST method to send the login data, not GET, as users would be able to see passwords in the client's browser history, amongst other things that would pose a security threat.

The next file that needs to be created is login.asp, which will process the login information and set the login state. Here's the basic idea of how the code works:

  • Load entries from the database Logins table where the Username column is equal to the inputted user name.
  • If the returned Recordset is empty (EOF is True), the user name does not exist. Report an error.
  • If the returned recordset isn't empty, the user name exists. Check the current record's password against the inputted one.
  • If they do not match, the password is incorrect. Report an error.
  • If they do match, the password is correct. Set a session variable to store the state of the user.

Here's the code used: 

<%
   Response.Buffer = True
   Dim objConn, objRS
   Session.Contents("status") = ""
   Set objConn = Server.CreateObject("ADODB.Connection")
   objConn.Open "DSN=LoginTest;"
   Set objRS = objConn.Execute("SELECT * FROM Logins WHERE Username = '" & _
      Request.Form("txtUsername") & "'")
   If Not objRS.EOF Then
      If objRS(1) = Request.Form("txtPassword") Then
         Session.Contents("status") = objRS(2)
         Response.Redirect "menu.asp"
      Else
      End If
   Else
      Response.Write "Sorry, but the username does not exist."
   End If
   objRS.Close
   Set objRS = Nothing
   objConn.Close
   Set objConn = Nothing
%>

The script is fairly basic and simply opens a database, requests a recordset, checks to see if it's empty or not using the EOF property (which is true if the recordset is empty), returns errors if appropriate, and redirects the browser if required. The next page that requires attention is menu.asp that the user is redirected to once they have successfully logged in. We'll discuss the menu in Part 2!

  • Read Part 2

    Windows Internet Technology | ASP.NET [1.x] [2.0] | ASPMessageboard.com | ASPFAQs.com | Advertise | Feedback | Author an Article



    • JupiterOnlineMedia

    internet.comearthweb.comDevx.commediabistro.comGraphics.com

    Search:

    Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia

    Jupitermedia Corporate Info


    Legal Notices, Licensing, Reprints, & Permissions, Privacy Policy.

    Advertise | Newsletters | Tech Jobs | Shopping | E-mail Offers
    Solutions
    Whitepapers and eBooks
    Microsoft Article: HyperV-The Killer Feature in WinServer ‘08
    Avaya Article: How to Feed Data into the Avaya Event Processor
    Microsoft Article: Install What You Need with Win Server ‘08
    HP eBook: Putting the Green into IT
    Whitepaper: HP Integrated Citrix XenServer for HP ProLiant Servers
    Intel Go Parallel Portal: Interview with C++ Guru Herb Sutter, Part 1
    Intel Go Parallel Portal: Interview with C++ Guru Herb Sutter, Part 2--The Future of Concurrency
    		 Avaya Article: Setting Up a SIP A/S Development Environment
    IBM Article: How Cool Is Your Data Center?
    Microsoft Article: Managing Virtual Machines with Microsoft System Center
    HP eBook: Storage Networking , Part 1
    Microsoft Article: Solving Data Center Complexity with Microsoft System Center Configuration Manager 2007
    MORE WHITEPAPERS, EBOOKS, AND ARTICLES
    Webcasts
    Intel Video: Are Multi-core Processors Here to Stay?
    On-Demand Webcast: Five Virtualization Trends to Watch
    HP Video: Page Cost Calculator
    Intel Video: APIs for Parallel Programming
    		HP Webcast: Storage Is Changing Fast - Be Ready or Be Left Behind
    Microsoft Silverlight Video: Creating Fading Controls with Expression Design and Expression Blend 2
    MORE WEBCASTS, PODCASTS, AND VIDEOS
    Downloads and eKits
    Sun Download: Solaris 8 Migration Assistant
    Sybase Download: SQL Anywhere Developer Edition
    Red Gate Download: SQL Backup Pro and free DBA Best Practices eBook
    		 Red Gate Download: SQL Compare Pro 6
    Iron Speed Designer Application Generator
    MORE DOWNLOADS, EKITS, AND FREE TRIALS
    Tutorials and Demos
    How-to-Article: Preparing for Hyper-Threading Technology and Dual Core Technology
    eTouch PDF: Conquering the Tyranny of E-Mail and Word Processors
    IBM Article: Collaborating in the High-Performance Workplace
    		 HP Demo: StorageWorks EVA4400
    Microsoft How-to Article: Get Going with Silverlight and Windows Live
    MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES