ASP ADVANCED

This section shows how to use the ADO to password-protect your Web site.  You learn how to create a registration page that new visitors can use to register for your Web site.  You also learn how to prevent visitors from viewing pages that they don't have permission to access.

Why is a custom password-protection system necessary?  You can configure IIS to use either Basic or Windows NT Challenge/Response authentication.  By using either authentication system, and changing permissions on files, you can force users to enter a password before they can access certain pages.

There is a problem, however, with using either Basic or Windows NT Challenge/Response authentication.  Both of these authentication systems are integrated with Windows NT security.  This means that you have to manually add a user every time a new user registers.  It also means that you can't easily access and modify passwords and usernames from your Active Server Pages.

If you merely want to password-protect certain pages of your Web site for yourself and other administrators, either of the authentication systems provided by IIS is appropriate.  However, suppose you want to automatically register new users of your Web site after they provide such information as a telephone number or credit card number?  In that case, you need to create a custom password-authentication system.

In this section, you learn how to use the ADO to create a custom password-authentication system.  You need to create the following database table and two files:

  • WebUsers table.  This database table contains registration information.
  • Registration page.  This Active Server Page contains a registration form.  By completing the form, a new user can gain access to your Web site.
  • Password Include file.  This file must be included in every Active Server Page that you want to password-protect.

Creating the WebUsers Table

The WebUsers table is a SQL Server table that contains only three columns.  The first column holds user names, the second column holds user passwords, and the third column holds user telephone numbers.

To create this table, launch ISQL/w from the Microsoft SQL Server program group.  Next, type the following text into the query window and execute it:

CREATE TABLE WebUsers (UserName VARCHAR(30),
UserPass VARCHAR(30),
UserPhone VARCHAR(30))

Whenever a new visitor attempts to access a password-protected page, the user's name and password are checked against this table.

Creating the Registration Page

The Registration page is used to allow new visitors to your Web site to register. If someone who doesn't have a valid password attempts to access a password-protected page, he or she will be redirected to this page.

The Registration page uses one big conditional.  If all the fields in the HTML form haven't been completed, the HTML form appears.  Otherwise, if all the information has been entered, three things happen:

  • First, the registration information is inserted into the WebUsers database table.
  • Second, the session variables named UserName and UserPass are assigned the new username and password.
  • Finally, the user is redirected back to the page where that user originated (if this is unknown, the user is sent to the home page).

The Registration page requests very little information from the user.  However, you can easily extend this example to ask the user anything you want.  For example, you may require the user to enter a credit card number or an address before using your Web site.  To do this, just add the extra fields to the HTML form and the WebUsers database table.  The listing below shows the script for the Registration page.

Listing Script for register.asp.

<%
CONST HomePage="/default.asp"

'   Check If Registration Information Is Incomplete
IF Request.Form("UserName")="" OR Request.Form("UserPass")="" OR Request.Form("UserPhone")="" THEN
%>
<HTML>
<HEAD><TITLE>Registration Page</TITLE></HEAD>
<BODY BGCOLOR=#FFFFFF>
<H2>Please complete all of the following information:</H2>
<FORM METHOD="POST"
ACTION="<%=Request.ServerVariables("SCRIPT_NAME")%>">
<TABLE>
<TR>
<TD ALIGN=RIGHT>User Name:</TD>
<TD><INPUT NAME="UserName" TYPE="TEXT"
VALUE="<%=Server.HTMLEncode(Request.FORM("UserName"))%>"></TD>
</TR><TR>
<TD ALIGN=RIGHT>Password:</TD>
<TD><INPUT NAME="UserPass" TYPE="PASSWORD"
VALUE="<%=Server.HTMLEncode(Request.FORM("UserPass"))%>"></TD>
</TR><TR>
<TD ALIGN=RIGHT>Phone Number:</TD>
<TD><INPUT NAME="UserPhone" TYPE="TEXT"
VALUE="<%=Server.HTMLEncode(Request.FORM("UserPhone"))%>"></TD>
</TR><TR>
<TD ALIGN=RIGHT COLSPAN=2><INPUT TYPE="SUBMIT" VALUE="Continue">
</TD>
</TR>
</TABLE>
</FORM>
</BODY>
</HTML>
<%
ELSE
'   Ready Database Objects
Set MyConn=Server.CreateObject("ADODB.Connection")
MyConn.Open "FILEDSN=d:\Program Files\Common Files\ODBC\Data Sources\MyData.dsn"
'   Insert The Registration Information Into WebUsers
MySQL="INSERT WebUsers (UserName, UserPass, UserPhone) VALUES ("
MySQL=MySQL&"'"&Request.FORM("UserName")&"'"
MySQL=MySQL&",'"&Request.FORM("UserPass")&"'"
MySQL=MySQL&",'"&Request.FORM("UserPhone")&"')"
MyConn.Execute MYSQL
MyConn.Close  

'   Create Session Variables  
Session("UserName")=Request.FORM("UserName")  
Session("UserPass")=Request.FORM("UserPass")  

'   Redirect The User To The Appropriate Page
IF Session("GoBack")="" THEN Session("GoBack")=HomePage
Response.Redirect Session("GoBack")  
END IF  
%>

Creating the Password Include File

The Password Include file is included in every Web page that you want to password-protect.  It checks whether the session variables UserName and UserPass exist.  If they don't exist, the user is asked to enter a name and password. This name and password are checked against the WebUsers table.  If the password is invalid, the user is redirected to the registration page.  The listing below shows the script.

Listing Script for pass.inc.

<%
IF Session("UserName")="" OR Session("UserPass")="" THEN
IF Request.FORM("UserName")="" OR Request.FORM("UserPass")="" THEN
%>
<HTML>
<HEAD><TITLE>Enter Password</TITLE></HEAD>
<BODY>
<H2>To access this page, you must enter a password: </H2>
If you are a new user, click
<A HREF="register.asp"> here. </A>
<FORM METHOD="POST"
ACTION="<%=Request.ServerVariables("SCRIPT_NAME")%>">
<TABLE>
<TR>
<TD ALIGN=RIGHT>NAME</TD>
<TD><INPUT NAME="UserName" TYPE="TEXT"></TD>
</TR><TR>
<TD ALIGN=RIGHT>PASSWORD</TD>
<TD><INPUT NAME="UserPass" TYPE="PASSWORD"></TD>
</TR><TR>
<TD ALIGN=RIGHT COLSPAN=2>
<INPUT TYPE="SUBMIT" VALUE="Continue"></TD>
</TR>
</TABLE>
</FORM>
</BODY>
</HTML>
<%
Response.End
ELSE
'   Ready Database Objects
Set MyConn=Server.CreateObject("ADODB.Connection")
MyConn.Open "FILEDSN=d:\Program Files\Common Files\ODBC\Data Sources\MyData.dsn"

'   Check The Password
MySQL="SELECT UserName FROM WebUsers WHERE USERNAME='"&Request.FORM("UserName")
MySQL=MySQL&"' AND USERPASS='"&Request.FORM("UserPass")&"'"
SET RS=MyConn.Execute(MySQL)

'   If the password is bad, redirect to the Registration Page
IF RS.EOF THEN
RS.CLOSE
Session("GoBack")=Request.ServerVariables("SCRIPT_NAME")
Response.Redirect "register.asp"
Response.END
END IF
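RS.CLOSE

'   The password is good, so create the session variables checked at the top of this file
Session("UserName")=Request.FORM("UserName")
Session("UserPass")=Request.FORM("UserPass")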
END IF
END IF
%>
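
The INSERT in register.asp and the SELECT in pass.inc place form values directly inside the SQL string, so a quote character typed into a field changes the statement that SQL Server runs. The following added example (not part of the original listings) sends the same two statements through ADODB.Command with bound parameters; the helper names are hypothetical, and the ADO constants are defined inline in place of adovbs.inc.

```vbscript
<%
' Added example (not from the original page): the INSERT from register.asp and
' the SELECT from pass.inc, sent through ADODB.Command with bound parameters.
' FieldOK, MakeCommand, RegisterUser and PasswordMatches are hypothetical names.
Const adCmdText = 1, adParamInput = 1, adVarChar = 200, adExecuteNoRecords = 128

' True when a form value is non-empty and fits the VARCHAR(30) columns.
Function FieldOK(Value)
  FieldOK = (Len(Value) >= 1 And Len(Value) <= 30)
End Function

' Build a text command; each ? marker is bound, in order, to one item of Values.
Function MakeCommand(Conn, SQLText, Values)
  Dim Cmd, i
  Set Cmd = Server.CreateObject("ADODB.Command")
  Set Cmd.ActiveConnection = Conn
  Cmd.CommandType = adCmdText
  Cmd.CommandText = SQLText
  For i = 0 To UBound(Values)
    Cmd.Parameters.Append Cmd.CreateParameter("p" & i, adVarChar, adParamInput, 30, Values(i))
  Next
  Set MakeCommand = Cmd
End Function

' register.asp: insert the new user; returns False if any field fails FieldOK.
Function RegisterUser(Conn, UserName, UserPass, UserPhone)
  Dim Cmd
  RegisterUser = False
  If Not (FieldOK(UserName) And FieldOK(UserPass) And FieldOK(UserPhone)) Then Exit Function
  Set Cmd = MakeCommand(Conn, _
    "INSERT INTO WebUsers (UserName, UserPass, UserPhone) VALUES (?, ?, ?)", _
    Array(UserName, UserPass, UserPhone))
  Cmd.Execute , , adExecuteNoRecords
  RegisterUser = True
End Function

' pass.inc: True when a row matches both the name and the password.
Function PasswordMatches(Conn, UserName, UserPass)
  Dim Cmd, RS
  PasswordMatches = False
  If Not (FieldOK(UserName) And FieldOK(UserPass)) Then Exit Function
  Set Cmd = MakeCommand(Conn, _
    "SELECT UserName FROM WebUsers WHERE UserName = ? AND UserPass = ?", _
    Array(UserName, UserPass))
  Set RS = Cmd.Execute
  PasswordMatches = Not RS.EOF
  RS.Close
End Function
%>
```

Call these after MyConn.Open, passing string values such as CStr(Request.Form("UserName")) rather than the Request.Form item itself.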

Testing the Custom Password System

To implement this password-protection system on your Web site, you need to include the file named pass.inc in every Active Server Page you want to password-protect. (You can't include this file in normal HTML pages.) The listing below shows a simple example of how it's done.

Listing Script for testpass.asp.

<!-- #INCLUDE VIRTUAL="Pass.inc"-->
<HTML>
<HEAD><TITLE> Restricted </TITLE></HEAD>
<BODY>
Only registered users can see this sentence!
</BODY>
</HTML>

This Active Server Page is displayed only to registered users.  While testing the pages in this section, you can use the Session.Abandon method to drop your session variables.  After the UserName and UserPass session variables are dropped, you have to enter a password again to access a password-protected page.

Summary

This chapter explored how to use the Command object to execute SQL stored procedures.  You learned how to pass and retrieve input parameters, output parameters, and return values.  The second section of this chapter presented two sample applications that utilized the ADO.  You learned how to create an advanced feedback page.  You also learned how to password-protect your Web site.

This is the final chapter on the objects and components included with Active Server Pages.