[thelist] ASP code for secure login and redirect.

Norman Beresford n.beresford at anansi.co.uk
Tue Jan 8 03:49:13 CST 2002


Hi Tom

This is quite a straightforward matter, so I'll run through it with you.

First thing we need to do is create our login page.  All it will be is a
form with a username and password input:

<form action="gateway.asp" method="post">
Username : <input type="text" name="username"><br>
Password : <input type="password" name="password"><br>
<input type="submit" value="Enter Site" name="submit">
</form>



The important thing with this page is that we're using the post method.
This means that we will be accessing the values of our two input boxes
through the request.form collection.

Next up comes our ASP page.  The first thing we want to do is collect the
form information:

<%
username = request.form("username")
password = request.form("password")
%>

Next we want to write a SQL statement.  What we want to do is pull out any
records where the username field in the database matches the username and
password that have been submitted via the form.  Because we want to ignore
case we're going to store the username and password in our db in uppercase.
So here's the SQL:

<%
searchSQL = "SELECT ourTable.homeURL FROM ourTable WHERE ourTable.username = '" & _
    UCase(username) & "' AND ourTable.Password = '" & UCase(password) & "';"
%>

Now we want to create a recordset, containing the results of our SQL
statement.  So first we call a recordset into being:

<%
Set ourRecordSet = server.createObject("ADODB.Recordset")
%>

Next we want to actually open the recordset and populate it with the results
of our SQL query.  We're going to assume that you've got a DSN called
"ourDSN"; your hosting provider should have given you at least one DSN.  If not,
ask them.  A faster way to connect is to use a DSN-less connection, but that's
another email ;):

<%
ourRecordSet.Open searchSQL, "ourDSN"
%>

The first thing we want to do is check to see if there are any records in
our recordset.  If there aren't then we know that there isn't a match to
that username/password combo and we can redirect them to a login fail page
(alternatively we could only look for the username in the SQL statement, and
then check the password separately, which would allow us to redirect to a bad
password page).

The way we'll check to see if it's an empty recordset is by looking to see
if the current record is both the beginning and end of the recordset.

<%
If ourRecordSet.BOF and ourRecordSet.EOF Then
ourRecordSet.Close
Set ourRecordSet = nothing
redirectURL = "badLogin.html"
%>

If it's not (i.e. if a record has been returned) then we grab the appropriate
homeURL:

<%
Else
redirectURL = ourRecordSet("homeURL")
ourRecordSet.Close
Set ourRecordSet = nothing
End If
%>

and send our visitor off to either the login fail page or their appropriate
home page:

<%
response.redirect redirectURL
%>

HTH

Norman


Here's the full ASP including comments:

<%
'get the form information
username = request.form("username")
password = request.form("password")

'create SQL statement
'NOTE: the form values are spliced straight into the SQL text, so a quote or
'semicolon typed into either box becomes part of the query (SQL injection);
'binding them as parameters on an ADODB.Command avoids this
searchSQL = "SELECT ourTable.homeURL FROM ourTable WHERE ourTable.username = '" & _
    UCase(username) & "' AND ourTable.Password = '" & UCase(password) & "';"

'create recordset and populate it (object assignments need Set)
Set ourRecordSet = server.createObject("ADODB.Recordset")
ourRecordSet.Open searchSQL, "ourDSN"

'check for results.  And set appropriate redirect URL for the results
If ourRecordSet.BOF and ourRecordSet.EOF Then
	ourRecordSet.Close
	Set ourRecordSet = nothing
	redirectURL = "badLogin.html"
Else
	redirectURL = ourRecordSet("homeURL")
	ourRecordSet.Close
	Set ourRecordSet = nothing
End If

'redirect the visitor
response.redirect redirectURL
%>
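As an added example (not part of Norman's post), here is the same gateway page with the query parameterised through an ADODB.Command, so the form values are bound as data instead of being spliced into the SQL string; it assumes the same "ourDSN" DSN and the same ourTable columns (username, Password, homeURL) as above.

```asp
<%
Option Explicit
' Hypothetical hardened gateway.asp: same flow as above, but the username and
' password never become part of the SQL text.
Dim username, password, conn, cmd, rs, redirectURL

username = Request.Form("username")
password = Request.Form("password")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=ourDSN"

' Each "?" is a placeholder that ADO fills from the bound parameters, so a
' quote or semicolon in the input is compared as a literal value, not run as SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT homeURL FROM ourTable WHERE username = ? AND Password = ?"
cmd.CommandType = 1   ' adCmdText

' CreateParameter(name, type, direction, size, value): 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 50, UCase(username))
cmd.Parameters.Append cmd.CreateParameter("password", 200, 1, 50, UCase(password))

Set rs = cmd.Execute

' Same emptiness test as the original: BOF and EOF together mean no match
If rs.BOF And rs.EOF Then
    redirectURL = "badLogin.html"
Else
    redirectURL = rs("homeURL")
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
conn.Close
Set conn = Nothing

Response.Redirect redirectURL
%>
```

This keeps the page's clear-text, upper-cased password column as is; comparing against a salted hash instead would be the next hardening step, separate from the recordset logic shown here.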
