Skip to page content or Skip to Accesskey List.

Work

Main Page Content

Creating A Login Script With Asp Part Ii

Posted on 31 May 2002

in Code

by Neil McGill (Neil)

Rated 3.83 (Ratings: 4)

Want more?

  • More articles in Code
 

Neil McGill

Member info

User since: 31 May 2002

Articles written: 2

In part I, we created a simple password protection for a single user to protect part of a website. Now, we will explore how to add error messages, allow users to logout/re-login, and query a database for the user name and password entered.

Updating the current script

First of all, we are building on the code already produced in part I. Find the code in the login.asp from part I shown below:

login.asp

If Request.Form("login") = "true" Then
    CheckLogin
Else
    ShowLogin
End If

And replace it with:

login = Request.Form("login")
If login = "logout" Then
    Session("UserLoggedIn") = ""
    ShowLogin
Else
    If Session("UserLoggedIn") = "true" Then
        AlreadyLoggedIn
    Else 
        If login = "true" Then
            CheckLogin
        Else
            ShowLogin
        End If
    End If
End If

Next we will add the subroutine AlreadyLoggedIn to tell the user they are logged in and ask if they want to logout/login again.

<%
Sub AlreadyLoggedIn
%>
You are already logged in.
Do you want to logout or login as a different user?
<form name=form2 action=login.asp method=post>
<input type=submit name=button1 value="Yes">
<input type=hidden name=login value="logout">
</form>
<%
End Sub
%>

Error Checking

Now to add error checking we need to declare a global error message variable, add code to format the error message and print out the message if needed.

Declare the variable to hold the error message near the top of the login page.

Dim Error_Msg

And we add this little bit of code to the beginning of the login form. This will print out an error message if there is one.

Response.Write(Error_Msg & "<br>")

What about other users?

Well, now all that is left to do add the code that checks the user name and password against a database. In order to do this we will rewrite the CheckLogin subroutine from Part I. 

Sub CheckLogin
If LCase(Request.Form("username")) = "guest" And LCase(Request.Form("userpwd")) = "guest" Then 
    Session("UserLoggedIn") = "true"
    Response.Redirect "protectedpage.asp"
Else
    Response.Write("Login Failed.<br><br>")
    ShowLogin
End If
End Sub

will now look like this: (assuming you use an Access Database - change the connections if different)

Sub CheckLogin
Dim Conn, cStr, sql, RS, username, userpwd
username = Request.Form("username")
userpwd = Request.Form("userpwd")
Set Conn = Server.CreateObject("ADODB.Connection")
cStr = "DRIVER={Microsoft Access Driver (*.mdb)};"
cStr = cStr & "DBQ=" & Server.MapPath("\path\to\database.mdb") & ";"
Conn.Open(cStr)
sql = "select username from UserTable where username = '" & LCase(username) & "'"
sql = sql & " and userpwd = '" & LCase(userpwd) & "'"
Set RS = Conn.Execute(sql)
If RS.BOF And RS.EOF Then
    Error_Msg = "Login Failed. Try Again."
    ShowLogin
Else
    Session("UserLoggedIn") = "true"
    Response.Redirect "protectedpage.asp"
End If
End Sub

We also need to take out the line of code that sets the Session variable equal to "". What this did was logout our user anytime they pulled up the login page. The code is:

Session("UserLoggedIn") = ""

And that's it. Your pages are now protected and multiple users can access them.

The Scripts in full

login.asp

<%
Response.Expires = -1000 'Makes the browser not cache this page
Response.Buffer = True 'Buffers the content so our Response.Redirect will work
Dim Error_Msg
login = Request.Form("login")
If login = "logout" Then
    Session("UserLoggedIn") = ""
    ShowLogin
Else
    If Session("UserLoggedIn") = "true" Then
        AlreadyLoggedIn
    Else 
        If login = "true" Then
            CheckLogin
        Else
            ShowLogin
        End If
    End If
End If
Sub ShowLogin
Response.Write(Error_Msg & "<br>")
%>
<form name=form1 action=login.asp method=post>
User Name : <input type=text name=username><br>
Password : <input type=password name=userpwd><br>
<input type=hidden name=login value=true>
<input type=submit value="Login">
</form>
>%
End Sub
Sub AlreadyLoggedIn
%>
You are already logged in.
Do you want to logout or login as a different user?
<form name=form2 action=login.asp method=post>
<input type=submit name=button1 value="Yes">
<input type=hidden name=login value="logout">
</form>
<%
End Sub
Sub CheckLogin
Dim Conn, cStr, sql, RS, username, userpwd
username = Request.Form("username")
userpwd = Request.Form("userpwd")
Set Conn = Server.CreateObject("ADODB.Connection")
cStr = "DRIVER={Microsoft Access Driver (*.mdb)};"
cStr = cStr & "DBQ=" & Server.MapPath("\path\to\database.mdb") & ";"
Conn.Open(cStr)
sql = "select username from UserTable where username = '" & LCase(username) & "'"
sql = sql & " and userpwd = '" & LCase(userpwd) & "'"
Set RS = Conn.Execute(sql)
If RS.BOF And RS.EOF Then
    Error_Msg = "Login Failed. Try Again."
    ShowLogin
Else
    Session("UserLoggedIn") = "true"
    Response.Redirect "protectedpage.asp"
End If
End Sub
%>

protectedpage.asp

<%
Response.Expires = -1000 'Makes the browser not cache this page
Response.Buffer = True 'Buffers the content so our Response.Redirect will work
If Session("UserLoggedIn") <> "true" Then
    Response.Redirect("login.asp")
End If
%>
This page is full of password protected content.  If you are reading this you entered <br>
the correct name and password.
When not abusing his workplace's blisteringly fast internet connection to play time wasting games and being a lazy so and so, Neil tries to be a Web Developer for the University where he studies Computing.

The access keys for this page are: ALT (Control on a Mac) plus:

evolt.org Evolt.org is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author, please do not redistribute or use elsewhere without checking with the author.