Password Protecting Your Pages
Ever wanted to limit access to certain pages of your website? This tutorial explains how you can add password protection to your pages using ASP.
In this tutorial, we show you how you can protect some or all pages of your website using ASP, with a username and password. The system we are going to build is shown below:
To start off, we'll ask the user for their username and password using
login.html. Then we'll use
login.asp to read the allowed usernames and passwords from
users.txt using the
FileSystem object. If we cannot match the username and password entered by the user with an entry in
users.txt, we'll ask the user to enter their username and password again, otherwise we'll use a
Session to remember that the user has logged in and allow them to access the protected pages.
If you like, you can download a Zip file containing all of the files used in this tutorial.
The login form
First we'll create the HTML form to ask the user for their username and password. Open the form code in a new window then copy and paste the code to a file on your server. Save the file and call it
login.html. If you're new to forms, you might want to read the explanation of forms in Your first ASP script, as we won't explain the form code in this tutorial.
In our example, we'll create two users. The first has the username "elated" with the password "love your site", and the second has the username "matt" with the password "squirrel". We'll use the
"|" character to separate the username from the password and call the file
elated|love your site matt|squirrel
Processing the login form
login.html, sends the data it collects to
login.asp when the Login button is pressed. Open the
login.asp code in a new window, and we'll go through the code together.
<%@ Language=VBScript %> <% ' set checking on so that we have to dimension ' our variables before we can use them Option Explicit ' dimension our variables first dim fso, tso, line, line_array, c_username dim c_password, username, password, found
As usual, we write our script using VBScript, turn on
Option Explicit, and dimension the variables we're going to use within this script.
' What did the user enter? username = Request("username") password = Request("password")
We need to grab the fields that were passed in from the form. We do this using the
Request object. In our example, we've used the shortened form of this, but we could also have used
Request.Form("username") if we sent our form to the web server using the
POST method, or
Request.QueryString("username") if we'd sent our form to the web server using the
GET method. The shortened form is useful because you don't have to rewrite your code if you want to change the method that a form is using.
' are the username and password in our list ' of valid usernames and passwords? ' Create an instance of the FileSystem object Set fso = CreateObject("Scripting.FileSystemObject") ' Open a TextStream object Set tso = fso.OpenTextFile ("c:\private\users.txt")
We stored our user list in a text file called
users.txt, so now we create a
FileSystem object and a
TextStream object to access our user file. Note that you will need to change the location of the file in the last line above to match where the file is stored on your system. (It's a good idea to store it outside of the document root, so that your users cannot see it using a Web browser.)
found = false ' Search through the contents of the file do until (tso.AtEndOfStream or found) ' Read a line of the file line = tso.ReadLine ' Separate the line into ' username and password line_array = Split(line,"|") c_username = line_array(0) c_password = line_array(1)
Now we start searching
users.txt a line at a time to see if any of the lines match the username and password that our user entered on the form. We used the
"|" character to separate the username and password, so we use
Split to separate each line into username and password. We store the values we read from the text file in
"c_" stands for "current".
Split produces an array. You can think of an array as a chest of drawers. We can put one thing into each drawer, so the bottom drawer might contain socks and the next drawer up might contain shirts. We access the drawers by their position starting at 0, so to access the first element, we would use
line_array(0). The diagram below illustrates the array that we have just made using the commands above:
' Do the username and password match? if (username = c_username) and (password = c_password) then ' log the user in found = true Session("logged_in") = "true" end if loop
If the contents of our array match the username and password that the user typed on the form, then we know who they are, and we can show them the protected pages. We set a
Session object to say that we've logged them in, and set the
found flag, so that we can stop looking. A
Session object is available from all ASP pages throughout our website, so we can use the value of this to check whether the user is logged in whenever they request a page.
' Close the text stream tso.Close ' if we didn't manage to login the user, ' let them know if not found then %> <html> <head> <title>Login</title> </head> <body> <h1>Login<h1> <p>Sorry we could not find a match for you. Use your browser back button to try again.<p> </body> </html> <% else ' if we did log them in, then redirect them ' to the protected pages Response.Redirect ("/protected/default.asp") end if %>
By now, we've either checked all the lines of
users.txt and not found a match, or we've logged the user in, so we close the
TextSTream object and display a message to the user. If we didn't find a match, we ask them to try again. If we did find a match then we redirect them to the home page of the protected area.
Protecting our pages
We've shown how to build a login form and the script to process it. The final thing to do is make sure that a user is logged in before we show them a protected page. To do this, we convert our protected pages to ASP files by changing the extension to
.asp. (Windows might complain when you try to do this, but just ignore it!) The other thing we need to do is insert a single line at the top of each file we want to protect:
At the top of each protected page...
This line includes an ASP file, which we can use to check whether the user is logged in or not. Open the code in a new window and we'll go through it together.
<% ' is the user logged in? if Session("logged_in") <> "true" then ' if not then redirect the user to the login page Response.Redirect ("/login.html") end if %>
login.asp we set
Session("logged_in") = "true", so we can test the value of it to find out whether our user is logged in or not. If they're not logged in, we just redirect them to
An exercise for you
We have just built the bare bones of a password protection system using ASP. To make it more secure, we might want to allow users to logout again. Try writing a script to log the user out. (Hint: you will need to change the value of our
A slightly more advanced exercise would be to modify the scripts to allow
login.asp to redirect you back to the page you were trying to view, after you log in successfully. To do this, you should modify
protected.asp to pass the name of the script the user was trying to access to the login form:
Response.Redirect ("/login_form.asp?page=" &_ Request.ServerVariables("URL"))
You also need to rename
login_form.asp and set a hidden form field containing the URL of the page you were trying to access before you were redirected.
<input type="hidden" name="page" value="<%=Request("page")%>">
login.asp to redirect to
Request("page") if the user logs in successfully.
Responses to this article
There are no responses yet.
Post a response
Want to add a comment, or ask a question about this article? Post a response.
To post responses you need to be a member. Not a member yet? Signing up is free, easy and only takes a minute. Sign up now.