Password Protecting Your Pages

Ever wanted to limit access to certain pages of your website? This tutorial explains how you can add password protection to your pages using ASP.

In this tutorial, we show you how you can protect some or all pages of your website using ASP, with a username and password. The system we are going to build is shown below:

System overview
System overview

To start off, we'll ask the user for their username and password using login.html. Then we'll use login.asp to read the allowed usernames and passwords from users.txt using the FileSystem object. If we cannot match the username and password entered by the user with an entry in users.txt, we'll ask the user to enter their username and password again, otherwise we'll use a Session to remember that the user has logged in and allow them to access the protected pages.

If you like, you can download a Zip file containing all of the files used in this tutorial.

The login form

First we'll create the HTML form to ask the user for their username and password. Open the form code in a new window then copy and paste the code to a file on your server. Save the file and call it login.html. If you're new to forms, you might want to read the explanation of forms in Your first ASP script, as we won't explain the form code in this tutorial.

Creating users

In our example, we'll create two users. The first has the username "elated" with the password "love your site", and the second has the username "matt" with the password "squirrel". We'll use the "|" character to separate the username from the password and call the file users.txt:


elated|love your site

Processing the login form

The form, login.html, sends the data it collects to login.asp when the Login button is pressed. Open the login.asp code in a new window, and we'll go through the code together.


<%@ Language=VBScript %>
' set checking on so that we have to dimension 
' our variables before we can use them
Option Explicit

' dimension our variables first
dim fso, tso, line, line_array, c_username
dim  c_password, username, password, found

As usual, we write our script using VBScript, turn on Option Explicit, and dimension the variables we're going to use within this script.


' What did the user enter?
username = Request("username")
password = Request("password")

We need to grab the fields that were passed in from the form. We do this using the Request object. In our example, we've used the shortened form of this, but we could also have used Request.Form("username") if we sent our form to the web server using the POST method, or Request.QueryString("username") if we'd sent our form to the web server using the GET method. The shortened form is useful because you don't have to rewrite your code if you want to change the method that a form is using.


' are the username and password in our list 
' of valid usernames and passwords?

' Create an instance of the FileSystem object
Set fso = 

' Open a TextStream object
Set tso = 
fso.OpenTextFile ("c:\private\users.txt")

We stored our user list in a text file called users.txt, so now we create a FileSystem object and a TextStream object to access our user file. Note that you will need to change the location of the file in the last line above to match where the file is stored on your system. (It's a good idea to store it outside of the document root, so that your users cannot see it using a Web browser.)


found = false

' Search through the contents of the file
do until (tso.AtEndOfStream or found)
  ' Read a line of the file
  line = tso.ReadLine

  ' Separate the line into 
  ' username and password
  line_array = Split(line,"|")
  c_username = line_array(0)
  c_password = line_array(1)

Now we start searching users.txt a line at a time to see if any of the lines match the username and password that our user entered on the form. We used the "|" character to separate the username and password, so we use Split to separate each line into username and password. We store the values we read from the text file in c_username and c_password, where "c_" stands for "current".

Split produces an array. You can think of an array as a chest of drawers. We can put one thing into each drawer, so the bottom drawer might contain socks and the next drawer up might contain shirts. We access the drawers by their position starting at 0, so to access the first element, we would use line_array(0). The diagram below illustrates the array that we have just made using the commands above:

Array containing the first username and password
Array containing the first username and password


  ' Do the username and password match?
  if (username = c_username) and 
  (password = c_password) then
    ' log the user in
    found = true
    Session("logged_in") = "true"
  end if

If the contents of our array match the username and password that the user typed on the form, then we know who they are, and we can show them the protected pages. We set a Session object to say that we've logged them in, and set the found flag, so that we can stop looking. A Session object is available from all ASP pages throughout our website, so we can use the value of this to check whether the user is logged in whenever they request a page.


' Close the text stream

' if we didn't manage to login the user,
' let them know

if not found then




<p>Sorry we could not find a match for you. 
Use your browser back button to try again.<p>


  ' if we did log them in, then redirect them
  ' to the protected pages
  Response.Redirect ("/protected/default.asp")
end if

By now, we've either checked all the lines of users.txt and not found a match, or we've logged the user in, so we close the TextSTream object and display a message to the user. If we didn't find a match, we ask them to try again. If we did find a match then we redirect them to the home page of the protected area.

Protecting our pages

We've shown how to build a login form and the script to process it. The final thing to do is make sure that a user is logged in before we show them a protected page. To do this, we convert our protected pages to ASP files by changing the extension to .asp. (Windows might complain when you try to do this, but just ignore it!) The other thing we need to do is insert a single line at the top of each file we want to protect:

At the top of each protected page...

<!--#include virtual="include/protected.asp"-->

This line includes an ASP file, which we can use to check whether the user is logged in or not. Open the code in a new window and we'll go through it together.


' is the user logged in?
if Session("logged_in") <> "true" then
  ' if not then redirect the user to the login page
  Response.Redirect ("/login.html")
end if

In login.asp we set Session("logged_in") = "true", so we can test the value of it to find out whether our user is logged in or not. If they're not logged in, we just redirect them to login.html.

An exercise for you

We have just built the bare bones of a password protection system using ASP. To make it more secure, we might want to allow users to logout again. Try writing a script to log the user out. (Hint: you will need to change the value of our Session object.)

A slightly more advanced exercise would be to modify the scripts to allow login.asp to redirect you back to the page you were trying to view, after you log in successfully. To do this, you should modify protected.asp to pass the name of the script the user was trying to access to the login form:


  Response.Redirect ("/login_form.asp?page=" &_

You also need to rename login.html as login_form.asp and set a hidden form field containing the URL of the page you were trying to access before you were redirected.


<input type="hidden" name="page" 

Finally modify login.asp to redirect to Request("page") if the user logs in successfully.

Follow Elated

Related articles

Responses to this article

There are no responses yet.

Post a response

Want to add a comment, or ask a question about this article? Post a response.

To post responses you need to be a member. Not a member yet? Signing up is free, easy and only takes a minute. Sign up now.

Top of Page