Userid/password with ASP?


  1. #1
    Tom Levesque Guest

    Userid/password with ASP?

    OK, my turn for a dumb question. Currently I have an area of my website which I want to be protected such that only people who have a correct userID and password can enter. When they first enter this area they put their userID and password into a form which then checks the values they entered against those in an Access database titled "users." If they entered a correct userid and password then it writes a cookie which expires after the session terminates and the cookie contains their userid and password. Now when they go to a page in the restricted area the page checks the cookie and if the cookie is OK they can view the page.

    Now, I just did this off the top of my head more or less without any knowledge of how a good, well written password protected area of a website is supposed to be done. Someone point out my mistakes and give suggestions please :)

  2. #2
    Markkk Guest

    RE: Userid/password with ASP?

    First of all, storing UserIDs and Passwords in a cookie is not a good idea. Someone can open the cookie on your PC and plainly see your UserID and Password. Also, the cookie is transmitted to the web server with every page request (opening the door for internet hackers to see the cookie). I suggest the following:

    Once you validate that a web client has a valid UserID and Password, set a Session variable to indicate that they have Permission to View the page.
    e.g.

    <%
    IF UserID and Password are validated against database THEN
        Session("ViewPrivilege") = TRUE
    ELSE
        Session("ViewPrivilege") = FALSE
    END IF
    %>

    At the very beginning of the page being viewed, check their View Privileges:

    <%
    IF Session("ViewPrivilege") = TRUE THEN
        '--- Serve them this Page ---
    ELSE
        Response.Redirect "Logon.asp"   '--- or use Server.Transfer for IIS5
    END IF
    %>

    It's a good practice to set the Session("ViewPrivilege") variable to FALSE in the global.asa file ON_SESSION_START.

    Using the Session variable approach has some Pros and Cons:

    PROS
    1. UserID and Password are not stored in a cookie, but rather in server memory.
    2. Internet hackers must intercept the data packet containing the initial Form data to get your UserID and Password. With the cookie method, a hacker has a chance to intercept your cookie with every page request, not just the initial single Form request.

    CONS
    1. Storing Session variables will require more server memory resources. For heavy web sites, this could be an issue.
    2. Storing UserIDs and Passwords in a cookie better supports web sites that use multiple servers in a cluster or web farm arrangement.

    I hope this helps.
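The following is an added example, not code from the thread or from either poster, that fills in the pseudocode of the reply above: a logon page that validates the form against the Access table "users" and keeps only a privilege flag (plus the UserID, never the password) in the Session, the guard line for the restricted pages, and a logoff page. It assumes things the thread does not state: the table has columns UserID and PasswordHash, the database lives at data/users.mdb under the site root, and HashPassword() is a helper defined in an included hash.asp. The three pages are separated by "File:" comments.

```vbscript
<%
' File: logon.asp  (added example, not from the thread)
' Assumed: table "users" with columns UserID and PasswordHash; database at
' data/users.mdb; HashPassword() supplied by the included hash.asp.
Option Explicit
%>
<!--#include file="hash.asp" -->
<%
Const adVarChar = 200, adParamInput = 1

' Returns True only when the submitted credentials match a row in "users".
Function CredentialsValid(userId, password)
    Dim conn, cmd, rs
    CredentialsValid = False

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
              Server.MapPath("data/users.mdb")

    ' Parameterised query: the form value is bound, never pasted into the SQL text.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT PasswordHash FROM users WHERE UserID = ?"
    cmd.Parameters.Append cmd.CreateParameter("uid", adVarChar, adParamInput, 50, userId)
    Set rs = cmd.Execute

    If Not rs.EOF Then
        ' Compare a hash of what was typed with the stored hash, so the clear-text
        ' password is never kept in the database, in the Session, or in a cookie.
        CredentialsValid = (rs("PasswordHash") = HashPassword(password))
    End If

    rs.Close
    conn.Close
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If CredentialsValid(Request.Form("UserID"), Request.Form("Password")) Then
        Session("ViewPrivilege") = True
        Session("UserID") = Request.Form("UserID")   ' identity only, no password
        Response.Redirect "restricted/default.asp"
    Else
        Session("ViewPrivilege") = False
        Response.Redirect "logon.asp?failed=1"
    End If
End If
%>

<%
' File: restricted/default.asp (and every other page in the restricted area)
' This guard is the first thing on the page. Response.Redirect ends the
' response, so nothing below it is served to a visitor without the flag.
If Session("ViewPrivilege") <> True Then
    Response.Redirect "/logon.asp"
End If
%>

<%
' File: logoff.asp
' Drop the whole server-side session so the privilege flag and the UserID are
' gone even if the browser keeps its session cookie.
Session.Abandon
Response.Redirect "/logon.asp"
%>
```

Two design points follow the reply's advice: the browser only ever holds the opaque session cookie IIS issues, and the session is abandoned on logoff rather than left to time out. The parameterised ADO command is the habit that keeps form input out of the SQL text; the hash comparison is assumed here and is not something the thread describes.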

  3. #3
    Tom Levesque Guest

    RE: Userid/password with ASP?

    I wish I could convey how much you've helped me effectively. That answered every question in my head hehe :)

    I wasn't really familiar with using session vars or global.asa BUT what you say makes sense. My only question is does global.asa execute for ALL files on my server or JUST the files in the directory it's in. In case two do I need to copy and paste it where I want? Does this work? Much thanks. :)

    Hmm, just occurred to me Global.asa might be useful for doing hit counters and all sorts of other things to track users coming to my website.. never really thought about the potential :)

  4. #4
    Tom levesque Guest

    RE: Userid/password with ASP?

    OOPS OK I'm looking at a global.asa generated by FrontPage right now. I see Application_OnStart and Session_OnStart... which do I use or do I create my own and what is the difference?

  5. #5
    MArkkk Guest

    RE: Userid/password with ASP?

    When a new virtual directory is created on an IIS web server, you have the option of identifying the directory (and all of its subdirectories) as an "ASP Application". Once defined as an "ASP Application", IIS will use the global.asa file to perform special tasks:

    Tasks when the Application is Started (Sub Application_OnStart)
    (tasks when the web server is rebooted, or when IIS is restarted)

    Tasks when the Application is Ended (Sub Application_OnEnd)
    (tasks when the web server is Stopped)

    Tasks when a New Session is Started (Sub Session_OnStart)
    (whenever a new web client hits the first page in your ASP Application)

    Tasks when a Session is Ended (Sub Session_OnEnd)
    (when the web client leaves your site, logs off, or times out)

    The global.asa only executes for the ASP Application it is assigned to. The global.asa file must exist in the same directory as the root virtual directory for the ASP Application.

    The purpose of the global.asa file is to automatically initiate events (scripts) whenever the Application is Started, Ended, or whenever a Session is Started or Ended.

    Keep in mind that all Application variables and Session variables are lost whenever the server is rebooted. So, storing hit counters as Application variables is only a good thing if the server is NEVER shut down. Once shut down, the variables are lost. It is better to store page hits in a database or text file.

    I hope this helps.

  6. #6
    Markkk Guest

    RE: Userid/password with ASP?

    Whenever creating or changing Application Variables, you must first LOCK the Application so that some other Session User doesn't try to change the same variable at the same time:

    Application.Lock
        Application("Visits") = Application("Visits") + 1
    Application.Unlock

    The above script holds valid whether in the global.asa or in an ASP page. I believe that Application variables don't have to be defined in the global.asa file... they can be dynamically created in an ASP page. However, it is good practice to set the initial or default value for all Application variables in the global.asa file (Application_OnStart).
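As an added example (not code from the thread or from either poster), here is a complete global.asa that ties together the last three replies: it defaults Session("ViewPrivilege") to FALSE for every new session, initialises and locks the Application("Visits") counter, and keeps the counter across a clean restart by loading it from a text file at Application_OnStart and writing it back at Application_OnEnd. The counter file path counters/visits.txt under the application root is an assumption.

```vbscript
<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
' File: global.asa in the root of the ASP Application (added example, not from
' the thread). Assumed: the counter is persisted in counters/visits.txt.

Sub Application_OnStart
    Dim fso, f, path
    ' Resolve the path now and keep it in an Application variable:
    ' Server.MapPath is usable here but not inside Application_OnEnd.
    path = Server.MapPath("counters/visits.txt")
    Application("VisitsPath") = path

    ' Default every Application variable before any page can read it.
    Application("Visits") = 0
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    If fso.FileExists(path) Then
        Set f = fso.OpenTextFile(path, 1)          ' 1 = ForReading
        If Not f.AtEndOfStream Then Application("Visits") = CLng(f.ReadLine)
        f.Close
    End If
End Sub

Sub Application_OnEnd
    Dim fso, f
    ' Only Application and Server are available here; use VBScript's own CreateObject.
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.CreateTextFile(Application("VisitsPath"), True)   ' True = overwrite
    f.WriteLine Application("Visits")
    f.Close
End Sub

Sub Session_OnStart
    ' Every new session starts without view rights; only logon.asp grants them.
    Session("ViewPrivilege") = False

    ' Count the visit under a lock, so two sessions starting at the same moment
    ' cannot both read the old value and lose one increment.
    Application.Lock
    Application("Visits") = Application("Visits") + 1
    Application.Unlock
End Sub

Sub Session_OnEnd
    ' Nothing to clean up: IIS discards the Session object and its variables.
End Sub
</SCRIPT>
```

Application_OnEnd only runs on an orderly stop of IIS or the application, not on a crash or power loss, so this keeps the counter across planned restarts but still loses whatever accumulated since the last clean shutdown; a site that needs exact counts writes each hit to the database or file as it happens, as the reply above recommends.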
