Posts Tagged ‘ASP’

Simple ASP Authentication System

2010.02.16


This article describes how to secure an ASP application with a simple but quite effective session-based authentication scheme. Follow the steps below and you will have a simple, secure login system.

Step 1: Create a table of users

Just create a simple table of user logins and passwords. I have included a database, userinfo.mdb, with this example; it contains a sample table, tUsers. tUsers has two fields, Username and UserPassword. Username is the primary key.

Download and copy this database on your hard disk.
Step 2: Set the default authentication status

This is done in the global.asa file. All you have to do is set a session variable to a default "not authenticated" status.

Why? Because when a user first enters the application they are not yet trusted: nothing is known about them until their credentials have been checked. The default status makes sure that everyone has to go through the front door.

In the global.asa file, within the Session_OnStart event, write this code:

<SCRIPT LANGUAGE=VBScript RUNAT=Server>
SUB Session_OnStart
' This is the default authentication status: every new session starts out logged out
Session("Authenticated") = 0
END SUB
</SCRIPT>

The authentication status is the most important thing to keep in mind, so don’t forget this.

Step 3: Create a login page

This is an ASP page containing only HTML. Call it, say, login.asp. For your convenience, here is the sample code:

<HTML>
<BODY BGCOLOR=FFFFFF>
<FORM ACTION="verify.asp" METHOD=POST>
Name:
<INPUT TYPE=TEXT NAME="UserName" SIZE=20>

Password:
<INPUT TYPE=PASSWORD NAME="UserPassword" SIZE=20>
<INPUT TYPE=SUBMIT VALUE="Login Now">
</FORM>
</BODY>
</HTML>

It contains a form with two INPUT elements that collect the user's name and password. This information is POSTed to verify.asp, where we verify whether the user is valid.

Step 4: Create the system DSN for the database

In order to access userinfo.mdb, we need to create a system DSN in ODBC. If you are familiar with ASP, you can choose your own DSN scheme. To create a system DSN, do the following:

  • Open the Control Panel of your machine (in the Start .. Settings menu in Windows 95/NT)
  • Click on "ODBC"
  • Click on the "System DSN" tab
  • Click "Add". Choose the "Microsoft Access Database Driver" and click "Finish"
  • Give the DSN a name, say "LoginDSN". In the "Database" settings, click "Select" and point to the userinfo.mdb on your hard disk.
  • Click OK

This sets up a system DSN named "LoginDSN" on your machine, pointing to the userinfo.mdb on the hard disk.

Step 5: Create an authentication page

This is the verify.asp page referenced in step 3. Here we check for valid users, using the information posted from login.asp (remember the form elements?).

Our intent is:

    • Check for valid users and set the authentication status accordingly
    • If the user is valid, the authentication status is 1
    • If the user is invalid, the authentication status is 0

The code for verify.asp is as shown below. You can modify it accordingly.

<%
' Create a command object. This object serves to run our queries
Set Cm = Server.CreateObject("ADODB.Command")

' Specify the system DSN
Cm.ActiveConnection = "LoginDSN"

' Now it's time for the query. We need to check the user information
' against the table tUsers. Note that the two form values are concatenated
' directly into the SQL text here.
Cm.CommandText = "SELECT * FROM tUsers WHERE " & _
"UserName='" & Request.Form("UserName") & "' AND " & _
"UserPassword='" & Request.Form("UserPassword") & "'"

' Set the query type. 1 (adCmdText) means it is a SQL statement
Cm.CommandType = 1

' Retrieve the results in a recordset object
Set Rs = Cm.Execute

' We now check if the user is valid. If the user is valid, the recordset MUST
' have a record. Otherwise it is empty. If the user exists, we set the
' authentication status to 1 and send the user to the appropriate page,
' say welcome.asp. Otherwise send the user back to login.asp
If Rs.EOF Then
Session("Authenticated") = 0
Response.Redirect ("login.asp")
Else
Session("Authenticated") = 1
Response.Redirect ("welcome.asp")
End If
%>
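The query above builds its SQL text out of whatever the user typed into the form, so a quote character in either field becomes part of the statement. The following verify.asp is an added example, not the article's own code: it performs the same check with the two values passed to ADO as parameters, so they never become part of the statement text. It assumes the LoginDSN system DSN and the tUsers table from the article; the 50-character field size and the Session("UserName") variable are assumptions, and the constants are the standard ADO values written out because adovbs.inc is not included.

```vbscript
<%
' Added example (not the article's verify.asp): same login check, but the
' form values travel as ADO parameters instead of being concatenated into
' the SQL text. Assumes LoginDSN and tUsers from the article; field size 50
' is an assumption.
Option Explicit

' Standard ADO constants (adovbs.inc is not included in this page)
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1

Dim Cm, Rs, userName, userPassword

' Read the POSTed fields as plain strings (Request.Form returns a collection object)
userName = CStr(Request.Form("UserName"))
userPassword = CStr(Request.Form("UserPassword"))

Set Cm = Server.CreateObject("ADODB.Command")
Cm.ActiveConnection = "LoginDSN"
Cm.CommandType = adCmdText

' Each ? is filled, in order, from the Parameters collection; the values are
' never part of the statement text, so quotes in them cannot alter the query.
Cm.CommandText = "SELECT UserName FROM tUsers WHERE UserName = ? AND UserPassword = ?"
Cm.Parameters.Append Cm.CreateParameter("UserName", adVarChar, adParamInput, 50, userName)
Cm.Parameters.Append Cm.CreateParameter("UserPassword", adVarChar, adParamInput, 50, userPassword)

Set Rs = Cm.Execute

If Rs.EOF Then
    ' No matching row: stay unauthenticated and go back to the login form
    Session("Authenticated") = 0
    Rs.Close
    Response.Redirect "login.asp"
Else
    ' Matching row: mark the session and remember the verified name, taken
    ' from the database row rather than from the form input
    Session("Authenticated") = 1
    Session("UserName") = Rs("UserName").Value
    Rs.Close
    Response.Redirect "welcome.asp"
End If
%>
```

Only the query construction changes; the page still compares UserPassword exactly as stored in tUsers, so the table holds passwords in clear text just as in the article, and protected pages can read Session("UserName") instead of trusting form input again.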

Step 6: Check the authentication status

This is the most important piece of our system. We must check the authentication status on EACH ASP PAGE that we want to be secured. This is simple to do: check whether the authentication status is 1, and if not, send the user back to login.asp. The sample code is:

<%
' Session("Authenticated") is Empty in a session where global.asa did not run;
' Empty compares equal to 0 in VBScript, so that case is also sent to the login page
If Session("Authenticated") = 0 Then
Response.Redirect ("Login.asp")
End If
%>

Alternatively, you can copy this code into a file, say check.inc, and include the following code on top of your files instead.

<!-- #include file="check.inc" -->

As I mentioned before, this code needs to go on TOP of each page that you want to protect.

The above six steps help you create a simple authentication system. Remember that this system protects ONE virtual directory and not the whole web site. You need to create one for each virtual path you want to secure.

Also, the above system is targeted towards new users. The database and the code are kept simple so you can learn from it. The entire system can be downloaded from this site. The zipped file contains the database and all the files.

About the Author

Syed Yasir Hashmi (http://www.yasir.in) is an I.T. guru who has been working in the industry for the last 12 years.


Using ASP for Form Handling

2010.02.16

In this article, we will discuss how to use Microsoft ASP technology to handle user-submitted form data and then send that data to someone via email with Microsoft’s Collaboration Data Object for NT Server (CDONTS).

Introduction

Microsoft’s Active Server Page technology is a powerful server-side scripting method of web development that allows any web developer with a web server powered by NT’s Internet Information Services (IIS) and a basic understanding of HTML and VBScript to create powerful dynamic web pages.

This article assumes that you have the basic HTML and VBScript understanding mentioned above. However, I will explain anything that is crucial to your understanding.

If you have ever created or thought about creating an HTML form for user input on your web site, then you must have also dealt with the issue of handling the data once it is submitted (i.e. where the data goes and how it gets there). As you may already know, if you want the submitted information to be emailed to you, you can simply put your email address in the action field of the FORM tag like this:


<form action="mailto:corinth@enfused.com" method="get" enctype="text/plain">

TIP: If you do not have the time or the resources to program an ASP page or Perl script to handle your form's submitted data, you can use a little-known HTML trick to make the submitted form data reach your inbox in a legible fashion. By adding enctype="text/plain" to your form tag, the output will arrive as standard plain text rather than the garbled mess that normally arrives when you set the action equal to mailto:some_email@address.com.

However, you probably also know that when you use the mailto action, your users will get an obnoxious and frightening security warning, and we do not want to scare your users away!

To avoid the security alert, you have a couple of options. First, if you are developing in a UNIX environment, using Perl and CGI would probably be your best bet.

On the other hand, if you are developing in an NT environment, while you may still use Perl and CGI if Perl is installed on your server, it is recommended that you use ASP because it is easier to code and a bit more intuitive, for novices and experts alike.

In the remainder of this article, I will show you how to use ASP to handle the form data and then send it to an email address using the Collaborative Data Object for NTS (CDONTS), a special Windows NT COM object designed to send mail through the SMTP service on your web server.

Learn how to create and handle Web-based forms using ASP.

Forms collect data from the user and post it back to the server for processing. They feature in guest books, feedback pages, shopping carts, search engines, and almost all interactive websites. In this tutorial, we’ll show you how you can use ASP to get at the data that’s sent to the web server from a form.

Form Basics

All HTML forms are created using the form element:

 
<form method="xxxx" action="xxxx">
(form fields in here)
</form>

The method attribute controls how the information that the user enters in the form is sent to the server. The two options are:

GET

Sends the form data as part of the URL (e.g. "script.pl?& email=joe@joe.com"). This is the default option. It’s useful and efficient for small amounts of data (e.g. a search engine query) and it’s easy for the user to refresh the results of the form by just pressing the browser’s refresh button. However it cannot be used for large amounts of data (more than a few hundred bytes).

POST

Sends the form data encoded in the HTTP data stream. This is recommended for most types of forms (e.g. feedback forms and form mailers). The user will not see the form data in the URL. Large amounts of data can be sent this way. Unlike the GET method, the user cannot easily refresh the form results page – they usually see a dialog asking if they want to resend the form data – but this is often a good thing!

The action attribute specifies where the form data submitted by the user will be sent. Usually this is the URL of a script on the server – for example, http://www.yoursite.com/feedback.asp or http://www.yoursite.com/poll.asp.

If you think you recognise this part of the tutorial, that's because it's taken from the ELATED HTML Forms tutorial. If you need any help creating form fields, you might like to check out that tutorial.

Request.Querystring

We use the Request.Querystring collection to retrieve data posted from forms that use the GET method. The collection contains an entry for each form field posted to the server. Assume we have an HTML form as follows:

 
<form method="get" action="querystring.asp">
  Title: <select name="title">
    <option value="Mr">Mr.</option>
    <option value="Miss">Miss</option>
    <option value="Ms">Ms.</option>
    <option value="Mrs">Mrs.</option>
  </select><br>
  First name: <input type="text" name="firstname"><br>
  City: <input type="text" name="city"><br>
  <input type="submit" name="submit" value="Send">
</form>

We could use

 
Request.Querystring("title")
Request.Querystring("firstname")
Request.Querystring("city")

to retrieve the values entered by the user. There would be a named entry for each named form field, so the “submit” button would also result in a value being stored in Request.Querystring("submit").

Request.Form

ASP provides the Request.Form collection to retrieve data sent from forms using the POST method. As with the QueryString collection, the Form collection also contains an entry for each form field posted to the server. So, taking our example form above and changing the GET method to be a POST, we could use:

 
Request.Form("title")
Request.Form("firstname")
Request.Form("city")
Request.Form("submit")

to retrieve the values entered by the user. Sometimes you'll see ASP code where Request.QueryString("field_name") or Request.Form("field_name") has been written as Request("field_name"). This is a valid shorthand, but it is usually a good idea to explicitly reference the collection you want to use: it's faster to execute, and it avoids the ambiguity that arises when an item in a different collection (the query string, a cookie) has the same name as the form field you meant.

Multiple values

Sometimes we might have a form that contains a set of checkboxes. If we make these a group by giving them the same name, all the checked box values will be sent to the server using the same field name:

 
<form method="post" action="checkbox.asp">
  Please check the boxes to indicate your interests:<br>
  <input type="checkbox" name="interests" value="film"> Film<br>
  <input type="checkbox" name="interests" value="music"> Music<br>
  <input type="checkbox" name="interests" value="theatre"> Theatre<br>
  <input type="checkbox" name="interests" value="sports"> Sports<br>
  <input type="submit" name="submit" value="Send">
</form>

Assuming we checked all four boxes, we can access the values like this:

 
Request.Form("interests")(1)
Request.Form("interests")(2)
Request.Form("interests")(3)
Request.Form("interests")(4)

We can also use the Count property to find out how many values were submitted. (In the above example, Request.Form("interests").Count equals 4.) This allows us to loop through the values using a For ... Next loop:

 
For counter = 1 To Request.Form("interests").Count
  Response.Write "You selected " & Request.Form("interests")(counter) & "<br>"
Next

(If you’re not familiar with loops, you might want to read our loops tutorial.) However, usually we’d want to use code like this to retrieve the data:

 
For Each item In Request.Form("interests")
  Response.Write "You selected " & item & "<br>"
Next

This loops through each of the values submitted one at a time and outputs each one. Unlike the previous For counter = 1 To Request.Form("interests").Count ... Next loop, the example above will work even when no checkboxes were selected.
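The loops above echo whatever value arrived in the request straight into the page. The following checkbox.asp is an added example, not part of the ELATED tutorial: it reads the posted "interests" field with the same For Each loop, but only accepts the four values the form actually offers and HTML-encodes anything it writes back, so a value edited in the request can neither be counted as a real choice nor inject markup into the response. The allowed list and the counters are assumptions matching the tutorial's form.

```vbscript
<%
' Added example (not the tutorial's code): checkbox.asp for the form above.
' Only POSTed data is read: Request.Form never looks at the query string,
' so a link carrying ?interests=... cannot pre-fill the choices.
Option Explicit

Dim allowed, item, selected, unknown
' Assumption: these are exactly the values the tutorial's four checkboxes carry
allowed = Array("film", "music", "theatre", "sports")
selected = 0
unknown = 0

' Returns True if value is one of the choices the form offered
Function IsAllowed(value)
    Dim i
    IsAllowed = False
    For i = 0 To UBound(allowed)
        If StrComp(value, allowed(i), vbTextCompare) = 0 Then
            IsAllowed = True
            Exit Function
        End If
    Next
End Function

' Same For Each loop as the tutorial; it also runs (zero times) when nothing was checked
For Each item In Request.Form("interests")
    If IsAllowed(item) Then
        selected = selected + 1
        ' Server.HTMLEncode turns <, >, & and quotes into entities before output
        Response.Write "You selected " & Server.HTMLEncode(item) & "<br>"
    Else
        ' A value the form never offered did not come from a real click
        unknown = unknown + 1
    End If
Next

If selected = 0 Then
    Response.Write "You did not select any interests.<br>"
End If
If unknown > 0 Then
    Response.Write "Ignored " & unknown & " value(s) the form does not offer.<br>"
End If
%>
```

Encoding on output is what matters here: even a value that passes the allow-list check is written through Server.HTMLEncode, so the page stays correct if the list is later extended with values containing characters that are special in HTML.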

In this tutorial, we've learnt how to access form data using ASP. This is a key skill that you'll use time and again when creating websites. To make the most of forms, you'll probably want to either store the data or email it to someone. We'll show you how to do these in future ELATED tutorials.
