Login page to your website using ASP
Author: Sendhil Arunagiri
This article shows how to build a simple login page for your site using ASP. Visitors have to enter their username and password to gain access to the site. If they do not have one, they can register to obtain login details. At any time, the visitor can change his/her password. All of the login details are stored in an Access database with just one table named Login.
Firstname - Text
First let us see the login page (Login.htm), which has two text boxes, one for the username and the other for the password, and two buttons. The following is the code for the Login.htm page.
Next we will see what happens when the user hits the login button after entering the details. All the processing is done in the ProcessLogin.asp page. The code is as follows:
<%@ Language=VBScript %>
<%Response.Buffer=true%>
<HTML><HEAD>
<META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
</HEAD>
<BODY>
<%
Dim conn,rs,strsql,target
set conn = server.CreateObject("ADODB.Connection")
set rs = server.CreateObject("ADODB.Recordset")

'DSN less connection
conn.Provider = "Microsoft.Jet.OLEDB.4.0"
conn.ConnectionString = "Data Source=" & Server.MapPath("login.mdb")
conn.open

'Build the lookup from the submitted form fields.
'Note: the values are concatenated into the SQL text as-is, so a quote
'character in either field changes the statement (SQL injection).
strsql = "Select Username, Password From Login where Username = '" & _
    Request.Form("txtusername") & "' and Password = '" & _
    Request.Form("txtpassword") & "'"
set rs = conn.Execute (strsql)

'A returned row means the username/password pair exists
If (not rs.BOF) and (not rs.EOF) then
    Response.Cookies("Username") = rs.Fields("Username")
    target = "https://www.yourwebsite.com/yourentrypage.html"
else
    target = "https://www.yourwebsite.com/access-denied-page.html"
end if

'close the recordset
rs.close
set rs = nothing
'close the connection
conn.close
set conn = nothing

'Redirect last: Response.Redirect ends the script, so the cleanup above has to run first
Response.Redirect target
%>
</BODY></HTML>
This page checks whether the login details are present in the database. The first line, <%@ Language=VBScript %>, declares VBScript as the default scripting language for this page. I used <%Response.Buffer=true%> not to cache the page. Next the connection and recordset objects are created. I have used a DSN-less connection to access the login.mdb database. Of course, you can use a DSN connection instead by setting up a System DSN in the ODBC Services found in the Control Panel.
Next, using a SQL Select statement, I look up the login details submitted from the login page, which I read with the Request method. If a record is found, I place the username in a cookie (I explain later why I have used cookies) and redirect the visitor into the website; otherwise I show an error. That's it. Now the user has either entered the site or been shown an error message.
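The same lookup with the form values bound as parameters through ADODB.Command rather than concatenated into the SQL string; this is an added example, not code from the original article. LookupUser and MAX_TEXT are hypothetical names, and the 255-character limit assumes both columns are Access Text fields.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
Response.Buffer = True

' ADO constants, defined here because adovbs.inc is not included
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202
Const MAX_TEXT = 255   ' assumption: both columns are Access Text fields (255 max)

' Returns the stored username for a matching pair, or "" when there is none.
Function LookupUser(conn, user, pass)   ' hypothetical helper name
    Dim cmd, rs
    LookupUser = ""
    If Len(user) = 0 Or Len(user) > MAX_TEXT Or Len(pass) > MAX_TEXT Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? markers are bound as values; quotes in the input stay data
    cmd.CommandText = "SELECT Username FROM Login WHERE Username = ? AND [Password] = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, MAX_TEXT, user)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, MAX_TEXT, pass)
    Set rs = cmd.Execute
    If Not rs.EOF Then LookupUser = rs.Fields("Username").Value
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

Dim conn, found, target
Set conn = Server.CreateObject("ADODB.Connection")
conn.Provider = "Microsoft.Jet.OLEDB.4.0"
conn.ConnectionString = "Data Source=" & Server.MapPath("login.mdb")
conn.Open

' & "" turns the form item into a plain string (empty when the field is absent)
found = LookupUser(conn, Request.Form("txtusername") & "", Request.Form("txtpassword") & "")
conn.Close
Set conn = Nothing

If Len(found) > 0 Then
    Response.Cookies("Username") = found
    target = "https://www.yourwebsite.com/yourentrypage.html"
Else
    target = "https://www.yourwebsite.com/access-denied-page.html"
End If
Response.Redirect target
%>
```

The Delete and Insert statements in Register.asp can be bound the same way, with one parameter per form field.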
New User Registration
On the login page, we had a button called Newuser, which when clicked takes the visitor to Register.htm to register and obtain login details. We will see the code for this page, which is a simple HTML form.
In this page, the new visitor enters his first name, last name, a username and a password and hits Submit to get login details. If a visitor already has login details and wants to change the password, they simply enter all the details again in this page, enter the new password and hit Submit. Once submitted, the processing is carried out in Register.asp, which inserts his/her details into the database. The following is the code for the Register.asp page:
<%@ Language=VBScript %>
<HTML><HEAD>
<META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
</HEAD>
<BODY>
<%
'ADO constant, defined here because adovbs.inc is not included
Const adCmdText = 1

Dim sSQL,strsql,conn,rs
Set conn = Server.CreateObject("ADODB.Connection")
set rs = server.CreateObject("ADODB.Recordset")

'DSN less connection
conn.Provider = "Microsoft.Jet.OLEDB.4.0"
conn.ConnectionString = "Data Source=" & Server.MapPath("login.mdb")
conn.open

'Look for an existing entry for this visitor.
'Note: as in ProcessLogin.asp, the request values are concatenated into the SQL text as-is.
strsql = "Select firstname,lastname from login where username= '" & Request.Form("userid") & "'"
set rs = conn.Execute (strsql)

'The INSERT is the same for a new visitor and for a password change.
'password is a reserved word in Jet SQL, so the column name is bracketed.
sSQL = "Insert into login (Firstname,lastname,username,[password]) Values" & _
    "('"& Ucase(Request("firstname")) & "', '"& Request("lastname") & "', '"& Request("userid") & "', '" & Request("password") & "')"

if (rs.BOF) and (rs.EOF) then
    'new visitor: store the details
    conn.Execute sSQL, , adCmdText
else
    'existing visitor changing the password: delete the old entry, then insert again
    conn.Execute "Delete * from login where username= '" & Request.Form("userid") & "'", , adCmdText
    conn.Execute sSQL, , adCmdText
end if

'close the recordset
rs.close
set rs = nothing
'close the connection
conn.close
set conn = nothing
%>
<h2>Your login details have been saved to the database</h2>
<A href="Login.htm">[Click here to go to login page]</A>
</BODY>
</HTML>
This page Register.asp performs two things:
First, I select the visitor's first and last name. If the recordset is empty, I insert all the details into the database, assuming that the visitor is new.
Second, if a record is found (implicitly meaning that the visitor has come to this page to change his/her password), I delete all the entries for this particular visitor using his username and then re-enter his details. During this second INSERT, all details about this visitor remain the same except that he has given himself a new password.
After this, the visitor is taken to the login page to login or can be sent directly to the web site.
Remember that I placed the username inside a cookie earlier. The reason is that any visitor can otherwise bypass the login page and type in the URL of the page where he wants to go. By using cookies, I have forced the user to log in and only then view the contents of the web site.
This is done as follows:
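<%
'Note: the cookie is sent by the browser, so this only checks that a Username cookie is present
if Request.Cookies("Username") <> "" then
    'logged in: let the page that includes this file carry on and show its contents
    session("submitted")="false"
else
    'send them back to login page
    Response.Redirect "Login.htm"
    Response.End
end if
%>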
You can save the above code in a page named something like Check.asp and add it as a server-side include at the top of every page of your website that you wish to protect. It will be something like this:
Now you have seen how you can protect your web site using a login page. With this setup, anyone can access your site. If you do not want everyone to have access, you can remove the New User registration feature entirely and control who gets login details by entering them into the database manually.
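A cookie is supplied by the browser, so the Check.asp test passes for any request that carries a non-empty Username cookie, whether or not a login took place. The following keeps the login state in the server-side Session object instead; it is an added example, not code from the original article, and Auth.asp, SignIn, RequireLogin, SignOut and LOGIN_IDLE_MINUTES are hypothetical names.

```vbscript
<%
' Auth.asp (hypothetical include file): server-side login state
Const LOGIN_IDLE_MINUTES = 20   ' assumed idle limit before the session expires

' Call from ProcessLogin.asp once the password check has succeeded,
' in place of Response.Cookies("Username") = ...
Sub SignIn(username)
    Session("Username") = username
    Session("LoginAt") = Now()
    Session.Timeout = LOGIN_IDLE_MINUTES
End Sub

' Call at the top of every protected page, before any output
Sub RequireLogin()
    ' Session values live on the server; the browser only holds the session id,
    ' so a visitor cannot mark himself as logged in by sending a Username cookie
    If Len(Session("Username") & "") = 0 Then
        Response.Redirect "Login.htm"
    End If
    ' Keep protected pages out of browser and proxy caches
    Response.Expires = -1
    Response.CacheControl = "no-cache"
End Sub

' Call from a logout page
Sub SignOut()
    Session.Abandon
    Response.Redirect "Login.htm"
End Sub
%>
```

ProcessLogin.asp would call SignIn in place of setting the cookie, and each protected page would include this file and call RequireLogin as its first statement.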