Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Check if a user is logged in before serving pages

Options
  • 06-07-2012 9:17pm
    #1
    druidhill
    Registered Users Posts: 200 ✭✭


    Hi,

    I am trying to revisit working with ASP and databases (I went the admin route a long time ago).

    The scenario I want to explore is where every user has to be logged in (username and password) before they can access the webpage (this will be done in ASP), and if they are not logged in they will be redirected to the login page.

    I am looking for best practice as to how people achieve this in the real world, and the most efficent or "cleanest" way of doing this, in terms of reusability.

    I'm thinking of a function at the start of each page (e.g. IsLoggedIn), and and an if/else after that. Is this the way it's done these days?

    TIA


Comments

  • Options
    #2
    Freddio
    Registered Users Posts: 650 ✭✭✭Freddio


    You can do this using application and session variables along with a database.

    You can put the code that validates inside a separate asp file and include it at the top of each asp page


  • Options
    #3
    COYW
    Closed Accounts Posts: 2,930 ✭✭✭COYW


    If you need to use a database then session is the way to go as Freddio suggest. However, you could implement the security here, i.e. access to the application, in IIS and restrict access to an Active Directory group containing the users which should be able to access the application. You will also need to disable Anonymous access and enable Integrated Windows authentication in IIS for this authentication.

    This is the way I implement such security in .Net but on a quick browse I see that you can also do this using classic asp.


  • Options
    #4
    druidhill
    Registered Users Posts: 200 ✭✭druidhill


    Thanks for the replies. I would like the option to use this for a non-Intranet site without too much modification, so I don't think I will use the Windows authentication with IIS.

    So in a simple scenario I would have Main.asp that has an include statement to CheckLogin.asp (which sends the user to Logon.asp if they are not logged in).

    If I put it in an asp page and include it at the top of each page, should I do the redirect to the logon page if they are not logged in inside the included asp page (CheckLogin.asp) - this seems to make the most sense in terms of reusability?

    And should this be the very first asp file to be included (i.e. does the server stop processing the Main.asp page at this point and go directly to processing Logon.asp)?

    I'm trying to think about the best way to implement it before I go near creating the asp pages. Thanks again.


  • Options
    #5
    Genghiz Cohen
    Registered Users Posts: 7,182 ✭✭✭Genghiz Cohen


    I did something similar.
    But I made it up as I went along so I've no idea how good/bad it is. :p

    Pretty much, the login page takes a id and password and asks the database if it's valid. If so, the stored proc returns an access id (Admin, Moderator, User or Guest) and that is written to the cookies to expire in 24 hours.
    Every other page then inherits from a Master Page, And the Master page checks onLoad for a valid cookie. If not, I redirect to Login.
    Some pages add in a seperate check for access rights, so the UserControl page is only available to Admins.

    As I said, made it up to demonstrate the theory of access rights in a prototype.


Advertisement