Login & Session Control
Checking the session presence in ASP
We can display a welcome message to a visitor inside a member area based on their session status. If the member has not logged in, we can ask them to log in. You will have noticed that many sites and forums show a welcome message when you are logged in, and show a login form or a link to the login form in the same place when you are not. How is this done? We will learn that here.
If the member is logged in, the userid of the member will be available in a session variable. So we will try to read the value of the session variable and display a welcome message like this: Welcome smo
If the session variable is not present, we will display a login form with Userid and Password fields, or show a link to the login page.
We will use one If condition in ASP to check the session: it displays the welcome message if the userid is present, and otherwise shows the login form. Here is the code to do this.
<%
If IsEmpty(Session("userid")) Then ' no userid in the session: show the login form
%>
<form method=post action=loginck.asp>
<table border="0" cellspacing="0" cellpadding="0" align=center>
<tr><td>User Id </td><td><input type=text name=userid></td></tr>
<tr><td>Password</td><td><input type=password name=password></td></tr>
<tr><td colspan=2 align=center><input type=submit value=Login></td></tr>
</table>
</form>
<%
Else ' userid is present: the member is logged in
Response.Write " Welcome " & Session("userid") & " <a href=logout.asp>Click here to log out</a>"
End If
%>
Creating Login form and validation using ASP MSSQL
Let us develop a login page using ASP. We will display an HTML login form where the visitor enters a userid and password. The form itself contains no ASP code, but we will use ASP to check the session values and find out whether the member is already logged in or this is a fresh login.
Read the details on how to check session login status and display the login form.
The login page has very simple code. Through this page we will collect the userid and password and then send the data by the form post method to another page, where we will match it against our MSSQL table. Here is the code for the login page.
<%
If IsEmpty(Session("userid")) Then ' not logged in yet: show the login form
%>
<form method=post action=loginck.asp>
<table border="0" cellspacing="0" cellpadding="0" align=center>
<tr><td>User Id </td><td><input type=text name=userid></td></tr>
<tr><td>Password</td><td><input type=password name=password></td></tr>
<tr><td colspan=2 align=center><input type=submit value=Login></td></tr>
</table>
</form>
<%
Else ' already logged in
Response.Write " You are logged in as " & Session("userid") & " <a href=logout.asp>Click here to log out </a>"
End If
%>
Once the userid and password are entered by the member in the login form and submitted, the values are collected at the action page.
Dim userid,password
userid=Request("userid")
password=Request("password")
Now the userid and password are stored in the variables. We have to take care with this data, because nothing other than letters and numbers is allowed in these two fields. We have to validate the data before matching it against our database table. This is also a security requirement to prevent injection attacks. We will use a regular expression to check the user-entered data. We will use one If condition for validation, and the code inside the If block will be executed only once the validation has passed. Here is the code.
Dim RExp : Set RExp = New RegExp
With RExp
.Pattern = "^[a-zA-Z0-9]{3,8}$" ' letters and digits only, 3 to 8 characters
.IgnoreCase = True
.Global = True
End With
If (RExp.Test(userid) And RExp.Test(password)) Then
The code within the If ... Then condition will be executed once the regular expression validation has passed. In the Else block of the code we will keep the message to be displayed if the validation fails. That part is not shown in the above code; you can see that message in the full code given at the end. Now let us work on how to match the record in the MSSQL table with the user-entered data. We have not displayed the MSSQL connection etc. Here is the code for matching the record.
if rs.EOF Then
Response.Write "Sorry Incorrect Login<br>"
Else
Response.Write "<br>Welcome " & rs("userid")
Session("userid")=rs("userid")
Response.Write "<br>Welcome " & Session("userid")
Response.Write "<br>Click here to go to <a href=mem/index.asp>member area</a>"
End if
The above code will match the data against the table and display the error message if matching fails. Otherwise, if the login details are correct, a new session with the userid is created. Next we will read how to create member pages and other parts of the login script. Here is the complete code.
<%
Dim conn,rs,rs1,SQL,RecsAffected
Set conn=Server.CreateObject("ADODB.Connection")
conn.Mode=adModeRead ' ADO constants such as adModeRead come from adovbs.inc
conn.ConnectionString = aConnectionString ' connection string defined elsewhere
conn.Open
Set rs =Server.CreateObject("ADODB.Recordset")
Dim userid,password
userid=Request("userid")
password=Request("password")
' Accept letters and digits only, 3 to 8 characters
dim RExp : set RExp = new RegExp
with RExp
.Pattern = "^[a-zA-Z0-9]{3,8}$"
.IgnoreCase = True
.Global = True
end with
If (RExp.test(userid) and RExp.test(password) ) then
' Both values passed validation: look for a matching member record
rs.open "select userid from member where userid='" & userid & "' and password= '"& password &"' ", conn
if rs.EOF Then
Response.Write "Sorry Incorrect Login<br>"
Else
Response.Write "<br>Welcome " & rs("userid")
Session("userid")=rs("userid") ' the session now marks the member as logged in
Response.Write "<br>Welcome " & Session("userid")
Response.Write "<br>Click here to go to <a href=mem/index.asp>member area</a>"
End if
Else ' Regular Expression checking
Response.Write " Invalid Data "
End if ' Regular Expression checking
Set rs = Nothing
conn.Close
Set conn = Nothing
%>
Restricting access to member area in ASP
We can create a members-only area in ASP by using sessions. The userid of the member is stored in a session variable, and the presence of this session variable is checked at the beginning of each page inside the member area. If a session with a userid is available, further script execution is allowed; otherwise script execution is stopped and a message asking the member to log in is displayed.
The session for every member is created at the login page, where a session with the userid of the member is created after a successful login.
We can display links to the member area pages once a member has successfully logged in, but members may bookmark the URL of a member area page and try to access it without logging in, so session checking is a must for all these restricted pages.
We have to keep this check of the session status at the top of each page. A better idea is to keep all this code inside one file and include that file at the start of each page of the member area. Like this ..
Now inside this check.asp file we will keep the code to check the user session status. Here it is.
<%
' No userid in the session: show the login link and stop the page
if (IsEmpty(Session("userid"))) then
Response.Write "Member area. Please <a href='../login.asp'>login</a> to use this page "
Response.End
End if
%>
You can see in the above code that if Session("userid") is not available, the IsEmpty function will return true and the code inside the If condition will be executed. The first line will display the message with a link to the login page, and the next line, Response.End, will stop further execution of the page.
This is a simple way to restrict access to members-only pages to logged-in users.
Updating password in login script using ASP MSSQL
We will add a change password feature to our login script. The page to update the password is available only to successfully logged-in users or members, so we will keep this page inside our members-only area.
We will add a link to this change password page to our top menu file. This menu.asp file is kept inside the member area, and as we add different files to the member area we will add links inside this menu.asp file. All the files that display this menu have to include this menu.asp file. Like this
We will ask the member to enter the new password twice, and for this we will display a form. This is a simple form and only HTML code is used to display it. Here is the code to display the form.
<!-- no action attribute: the original does not name the page that processes this form -->
<form method=post>
<table border="0" cellspacing="0" cellpadding="0" align=center width=400>
<tr><td colspan=2 align=center><b>Change Password</b></td></tr>
<tr><td>Password</td><td><input type=password name=password></td></tr>
<tr><td>Re-enter Password</td><td><input type=password name=password2></td></tr>
<tr><td colspan=2 align=center><input type=submit value="Update Password"></td></tr>
</table>
</form>
Only characters and numbers are allowed inside password field.
Once the above form is submitted we will check the entered password for two conditions. First, it should match our requirement of only numbers and letters, 3 to 8 characters long. Second, both the entered passwords should be the same. For the first condition we will use a regular expression, and for the second condition simple string matching. Here we will use two variables, one for an error flag and the other for an error message. We will set the error flag to True if any error occurs and add the corresponding message to the error message variable. At the end, if the error flag is not set to True, we will update the table with the new password for the particular userid. Here is the complete code.
<%
Dim conn,rs,SQL,RecsAffected
Set conn=Server.CreateObject("ADODB.Connection")
conn.Mode=adModeReadWrite ' this page updates the table, so the connection must not be read-only
conn.ConnectionString = aConnectionString ' connection string defined elsewhere
conn.Open
Set rs =Server.CreateObject("ADODB.Recordset")
Dim password,password2,error_flag,error_msg
error_flag="False" ' Setting error flag
error_msg="" ' Error message
password=Request("password")
password2=Request("password2")
' Accept letters and digits only, 3 to 8 characters
dim RExp : set RExp = new RegExp
with RExp
.Pattern = "^[a-zA-Z0-9]{3,8}$"
.IgnoreCase = True
.Global = True
end with
If (not (RExp.test(password) and RExp.test(password2))) then
error_flag="True"
error_msg = "<br>Please enter valid data only "
End if
If (password<>password2 ) then
error_flag="True"
error_msg = error_msg + "<br>Passwords are not matching"
End if
if error_flag="False" then
' No errors: store the new password for the logged-in member
rs.open "update member set password = '"&password&"' where userid='" & session("userid") &"' ", conn
Response.Write "<br><br>Successfully changed Password "
else
Response.Write error_msg
End if
Set rs = Nothing
conn.Close
Set conn = Nothing
%>
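The login match and the password update above both build their SQL by joining strings, so the regular-expression check is the only thing keeping user input out of the query text. The following added example (not code from the original tutorial) runs the same two statements with bound parameters instead. The function names are hypothetical, and it assumes adovbs.inc is included for the ADO constants, an open connection in conn, and userid and password columns of at most 8 characters.

```vbscript
<%
' Added example (not the tutorial's code). Assumptions: adovbs.inc is included for
' adCmdText (1), adVarChar (200), adParamInput (1), adExecuteNoRecords (128);
' conn is an open ADODB.Connection; userid/password columns are varchar(8).
' Function names are hypothetical.

' Build a text command and bind each value to a ? placeholder, in order.
Function MakeCommand(conn, sql, values)
    Dim cmd, i
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    For i = 0 To UBound(values)
        cmd.Parameters.Append _
            cmd.CreateParameter("p" & i, adVarChar, adParamInput, 8, values(i))
    Next
    Set MakeCommand = cmd
End Function

' Return the matching userid, or "" when no row matches.
Function CheckLogin(conn, userid, password)
    Dim cmd, rs
    CheckLogin = ""
    Set cmd = MakeCommand(conn, _
        "SELECT userid FROM member WHERE userid = ? AND password = ?", _
        Array(userid, password))
    Set rs = cmd.Execute
    If Not rs.EOF Then CheckLogin = rs("userid").Value
    rs.Close
    Set rs = Nothing
End Function

' Return True only when exactly one member row was updated.
Function ChangePassword(conn, userid, newPassword)
    Dim cmd, affected
    Set cmd = MakeCommand(conn, _
        "UPDATE member SET password = ? WHERE userid = ?", _
        Array(newPassword, userid))
    cmd.Execute affected, , adCmdText Or adExecuteNoRecords
    ChangePassword = (affected = 1)
End Function
%>
```

Keep the regular-expression check in front of these calls, since a value longer than 8 characters will not fit the declared parameter size. ChangePassword needs a connection opened for writing and would be called with Session("userid") as the userid.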