A simple permissions system in ASP

Wednesday, December 29th, 2004 | Programming, Tech

Building an admin log in system is pretty simple for a small site. You don’t need a username, so a password alone is acceptable for log in, and you can write your password into the code. However, because it is an admin section it needs to be fairly secure – no having the password available for any old Joe to find in the source code.

The solution is a simple server side script. The password will be in the code, but because it is server side it will never reach the end user, so they cannot get hold of it.

For this you will need three pages: a main page, a log in page and a log out page.

index.asp
login.asp
logout.asp

Because we need it to be fairly secure I am going to use a session cookie for the password. Let’s start with the main page.

<%
If Session("adminpassword") <> "dog" Then
Response.Redirect ("login.asp")
End If
%>

<html>
<head>
<title>Admin Homepage</title>
</head>

<body>
<p>Welcome to the admin section.</p>
</body>
</html>

For this I have chosen the password “dog”. If this is not present in a session cookie called adminpassword, the user will be redirected to login.asp. Let’s look at that now.

<html>
<head>
<title>Admin Log In</title>
</head>
<body>
<p>Please enter the admin password:</p>
<form action="login.asp" method="post" name="login_form" id="login_form">
<input name="password" type="password" id="password" size="40">
<input type="submit" name="Submit" value="Log In">
</form>
</body>
</html>

The first thing I have done is to add a form called “login_form” to allow the user to log in. In the form I have placed a password field called “password” and a submit button, so they can type in the password and click submit to log in. This sends the user and the form variable “password” to login.asp (the same page, but reloaded). Now we need to add some server side scripting to the top of the page, above the <html> tag.

<%
' checks to see if the password has been submitted
If Request.Form("password") <> "" Then
' it has, so write it into the session cookie
Session("adminpassword") = Request.Form("password")
' if the user's password is correct they should now be able
' to gain access to the main page
' if they entered an incorrect password they will be
' redirected back here. Because the form variable
' is not sent when they are redirected back here
' they will not be redirected back to index.asp
Response.Redirect ("index.asp")
End If
%>

If the password is incorrect, i.e. they entered a password that is different from “dog”, such as “cat”, it will still be saved in the session variable and the user will still be redirected to index.asp, but because the password is not “dog” they will be redirected back here again.

The fact that the incorrect password is saved in the session cookie allows us to give the user some more information when they are redirected back to login.asp because index.asp won’t give them access.

<%
' if the user is on login.asp but still has a password
' in the session cookie, they must have entered
' an incorrect password
If Session("adminpassword") <> "" Then
%>
<p>You entered an incorrect password.</p>
<%
End If
%>

You can then insert the script that we placed at the top of index.asp into all the pages you want to protect. To save yourself having to change the script on every protected page when you want to change the password, you could also save the script, by itself, in a separate file and use a server side include in all the pages you want to protect.

<!--#include file="passwordcheck.asp" -->

You can then just update the script in passwordcheck.asp and all the protected pages would now use the new password.

Finally we need to create a log out page for the user to log out, to stop anyone else getting in after the user is done. This may not be needed if you are on a home PC which nobody else has access to, but you might want to build one anyway. The log out page is amazingly simple.

<%
Session.Abandon ()
Response.Redirect ("index.asp")
%>

This should log the user out. If the user has not been logged out for some reason they will know because they will gain access to index.asp when they are redirected to it. If the user has been logged out successfully, index.asp will redirect them to login.asp and so they will know they have been logged out.
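As an added example (my own code, not the post's), here is a variant of passwordcheck.asp, login.asp and logout.asp that keeps a logged-in flag in the session instead of the submitted password, checks the password on login.asp itself, and only reports a failed attempt rather than storing the guess. The flag name adminloggedin, the ADMIN_PASSWORD constant and the way the three files are laid out are my assumptions.

```vbscript
<%
' ---- passwordcheck.asp: include this at the top of every protected page ----
' The session holds only a logged-in flag, never the password itself,
' so a wrong guess is never stored and the pages only share the flag name.
If Session("adminloggedin") <> True Then
    Response.Redirect "login.asp"
End If
%>

<%
' ---- login.asp: hypothetical replacement for the post's version ----
Const ADMIN_PASSWORD = "dog"   ' the post's example password; stays server side

Dim submitted, failed
failed = False
submitted = Request.Form("password")

If submitted <> "" Then
    If submitted = ADMIN_PASSWORD Then
        ' correct: set the flag and move on to the admin area
        Session("adminloggedin") = True
        Response.Redirect "index.asp"
    Else
        ' wrong: do not keep the guess anywhere, just report it below
        failed = True
    End If
End If
%>
<html>
<head><title>Admin Log In</title></head>
<body>
<% If failed Then %>
<p>You entered an incorrect password.</p>
<% End If %>
<p>Please enter the admin password:</p>
<form action="login.asp" method="post" name="login_form" id="login_form">
<input name="password" type="password" id="password" size="40">
<input type="submit" name="Submit" value="Log In">
</form>
</body>
</html>

<%
' ---- logout.asp: drop the whole session, including the flag ----
Session.Abandon
Response.Redirect "login.asp"
%>
```

Because the flag is only ever set after a successful comparison, a protected page never has to know the password, and changing it means editing one constant in login.asp.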

Now, just to make it easier on you, I will include the full source code including links, HTML and ASP code, ready for you to copy and paste into your text editor and save as the appropriate files.

index.asp

<%
If Session("adminpassword") <> "dog" Then
Response.Redirect ("login.asp")
End If
%>

<html>
<head>
<title>Admin Homepage</title>
</head>

<body>
<p>Welcome to the admin section.</p>
<p><a href="logout.asp">Click here to log out.</a></p>
</body>
</html>

login.asp

<%
' checks to see if the password has been submitted
If Request.Form("password") <> "" Then
' it has, so write it into the session cookie
Session("adminpassword") = Request.Form("password")
' if the user's password is correct they should now be able
' to gain access to the main page
' if they entered an incorrect password they will be
' redirected back here. Because the form variable
' is not sent when they are redirected back here
' they will not be redirected back to index.asp
Response.Redirect ("index.asp")
End If
%>

<html>
<head>
<title>Admin Log In</title>
</head>
<body>
<p>Please enter the admin password:</p>
<form action="login.asp" method="post" name="login_form" id="login_form">
<input name="password" type="password" id="password" size="40">
<input type="submit" name="Submit" value="Log In">
</form>
</body>
</html>

logout.asp

<%
Session.Abandon ()
Response.Redirect ("index.asp")
%>