Microsoft Knowledge Base Article
This article's contents are Microsoft copyrighted material.
©2005-2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks
Article ID: 301464 - Last Review: June 11, 2007 - Revision: 4.3

How To Use Simple ASP Code to Password Protect Your ASP Pages

This article was previously published under Q301464.

This article demonstrates how to write simple Active Server
Pages (ASP) code to restrict access with a logon page. The methods in this
article are simplistic. For greater functionality or for stronger security, see
the "References" section at the end
of this article. In this example, you will create the following two
pages:
- MyPage.asp: This page is protected and cannot be browsed to without the
correct user name and password.
- Logon.asp: This page provides a form in which users type their credentials.
The form then verifies the user's name and password. If the name and password
are correct, it writes a cookie to the client, which becomes the "key" for
accessing other ASP pages.
Create the Application

Use Notepad to create these ASP pages. To start Notepad, from the
Windows Start menu, point to Programs, point to Accessories, and then click Notepad. Save each of these documents to the root Web of your local Web
server (which is typically C:\InetPub\Wwwroot\). If you change the location of
the documents, you must also modify the script in these files accordingly.

Logon.asp

- In Notepad, click New on the File menu.
- Highlight the following code, right-click the code, and
then click Copy from the shortcut menu. In Notepad, click Paste on the Edit menu to paste the following code into Notepad:
<html>
<head>
<title>Logon Form</title>
<%
'Hard-coded sample credentials; see the "Pitfalls" section for the limitations of this approach.
Username="Administrator"
Password="Admin"
Validated = "OK"
'The user name is compared case-insensitively (StrComp mode 1 = vbTextCompare); the password must match exactly.
if Strcomp(Request.Form("User"),Username,1)=0 AND Request.Form("password") = Password then
'Set the validation cookie and redirect the user to the original page.
Response.Cookies("ValidUser") = Validated
'Check where the users are coming from within the application.
If (Request.QueryString("from")<>"") then
Response.Redirect Request.QueryString("from")
else
'If the first page that the user accessed is the Logon page,
'direct them to the default page.
Response.Redirect "MyPage.asp"
End if
Else
' Only present the failure message if the user typed in something.
If Request.Form("User") <> "" then
Response.Write "<h3>Authorization Failed.</h3>" & "<br>" & _
"Please try again.<br> <br>"
End if
End if
%>
</head>
<body bgcolor="#FFFFFF">
<FORM ACTION="<%Response.Write "Logon.asp?" & Request.QueryString%>" method="post">
<h3>Logon Page for MyPage.asp</h3>
<p>
Username:
<INPUT TYPE="text" NAME="User" VALUE="" size="20">
Password:
<INPUT TYPE="password" NAME="password" VALUE="" size="20">
<INPUT TYPE="submit" VALUE="Logon">
</p>
</FORM>
</body>
</html>
- Save this page as Logon.asp in the C:\InetPub\Wwwroot\
folder.
MyPage.asp

MyPage.asp is the page that you want to protect. You can use any
page with an .asp file extension.
- In Notepad, click New on the File menu.
- Highlight the following code, right-click the code, and
then click Copy from the shortcut menu. In Notepad, click Paste on the Edit menu to paste the following code into Notepad:
<%
Validated = "OK"
if Request.Cookies("ValidUser") <> Validated then
'Construct the URL for the current page (scheme, host, path and query string).
dim s
s = "http://"
s = s & Request.ServerVariables("HTTP_HOST")
s = s & Request.ServerVariables("URL")
if Request.QueryString.Count > 0 THEN
s = s & "?" & Request.QueryString
end if
'Redirect unauthorized users to the logon page, passing the current URL so
'Logon.asp can send them back here after a successful logon.
Response.Redirect "Logon.asp?from=" & Server.URLEncode(s)
End if
%>
<html>
<head>
<title>My Protected Page</title>
</head>
<body>
<p align="center">This is my secret information<br>
You cannot see it unless you<br>
are properly logged on!</p>
</body>
</html>
- Save this page as MyPage.asp in the C:\InetPub\Wwwroot\
folder.
Test the Application

- Open your Web browser. If you are using Microsoft Internet
Explorer, from the Windows Start menu, point to Programs, and then click Internet Explorer.
- Type the following address in the Address bar, and then
press ENTER:
http://localhost/MyPage.asp
Notice that you are redirected to Logon.asp.
- Type the user name and password that are contained in the ASP code of
Logon.asp (Username: Administrator, Password: Admin), and then click Logon.
You should now see the MyPage.asp page.
- Type an incorrect user name or password to confirm that you
cannot log on and thus cannot browse to MyPage.asp.
Other Considerations

- To protect other ASP pages, add the following code at the
top of the ASP page before any other code:
<%
Validated = "OK"
if Request.Cookies("ValidUser") <> Validated then
'Construct the URL for the current page (scheme, host, path and query string).
dim s
s = "http://"
s = s & Request.ServerVariables("HTTP_HOST")
s = s & Request.ServerVariables("URL")
if Request.QueryString.Count > 0 THEN
s = s & "?" & Request.QueryString
end if
'Redirect unauthorized users to the logon page, passing the current URL so
'Logon.asp can send them back here after a successful logon.
Response.Redirect "Logon.asp?from=" & Server.URLEncode(s)
End if
%>
- To log on and be redirected to the protected page that you
request, you must point your hyperlinks to the actual page and not the
Logon.asp page. In this example, ensure that your hyperlink points to
MyPage.asp. If you are not logged on, the code that is included in that page
redirects you to Logon.asp automatically.
- If you do not want your site's visitors to log on each time
they visit, you can save the ValidUser cookie on their computer so that this information is available
the next time they visit. The preceding code does not set an expiration date, so
the browser holds the cookie in memory only and discards it when the browser
window is closed. To
set an expiration period for the cookie, change the following code in Logon.asp
from
Response.Cookies("ValidUser") = Validated
to:
Response.Cookies("ValidUser") = Validated
Response.Cookies("ValidUser").Expires = Date + 1
To specify the expiration period, change "1" to however many days you
prefer. For example, the following code causes the cookie to expire on the user's
computer after one year:
Response.Cookies("ValidUser").Expires = Date + 365
If you set an expiration date, the cookie is saved on the end user's
computer so that the user can bypass the logon page in the future. However, if
the user browses to the site from another computer, the cookie is saved on that
computer, and someone else can potentially read and copy this
information.
Pitfalls

- An ASP logon page is useful for many applications, but it
does not offer the highest level of security. Generally, NTFS permissions
combined with Windows authentication offer the strongest protection: IIS
requires users to type a user name and password that Microsoft Windows
recognizes, and NTFS permissions control which accounts can read the files
and folders on the hard disk.
In addition, ASP security
rides on top of Microsoft Internet Information Server (IIS) security. If IIS is
not set up securely, adding ASP security functions does not prevent
sophisticated users from obtaining access to your site. Note also that in the
preceding code the only proof of logon is a cookie that contains the fixed
string "OK"; a client can send that cookie without ever visiting Logon.asp, so
this scheme stops casual browsing rather than a determined user.
For more
information about IIS and ASP security, see the "References" section.
- The preceding code allows for only one set of user
credentials. The following Microsoft Knowledge Base article demonstrates how to
use an ASP logon page in which many user names are saved in a
database:
299987 How To Use Database and ASP Sessions to Implement ASP Security
(http://kbalertz.com/Feedback.aspx?kbNumber=299987/EN-US/)
- If you set an expiration date for the cookie, it is saved
on the computer that is used to browse to your page. If someone browses your
page from a public computer, such as from a computer at a coffee shop, the
cookie is saved on that computer and someone else may read and copy this
information. If you do not set an expiration date, the cookie is not saved to
the computer's hard disk (it is only stored in memory) and is deleted from the
computer's memory as soon as the browser is closed.
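The following listing is an added example and is not code from KB 301464. It shows a hardened variant of Logon.asp together with the gate code for protected pages. Instead of the fixed-value ValidUser cookie, which any client can send without logging on, it records the logon in server-side Session state (the approach the referenced article 299987 builds on); it honours the "from" parameter only when it is a relative path on the same site, because Logon.asp as shown redirects to whatever URL "from" carries; and it compares the password byte for byte. The credential values are the KB's sample values, SafeReturnPath is a helper introduced here, and the two files are shown in one listing separated by comments.

```asp
<%
' ---- Logon.asp (hardened variant; added example, not from KB 301464) ----
' The user name and password are the KB's sample values. In practice they
' would come from a store such as the database described in KB 299987.
Dim Username, Password, Failed
Username = "Administrator"
Password = "Admin"
Failed = False

' Accept "/MyPage.asp?x=1" but reject "", "http://other.example/", "//host",
' anything containing a backslash or a line break; fall back to the default
' page. (Helper introduced for this example.)
Function SafeReturnPath(p)
    If Len(p) > 0 And Left(p, 1) = "/" And Left(p, 2) <> "//" _
       And InStr(p, "\") = 0 And InStr(p, vbCr) = 0 And InStr(p, vbLf) = 0 Then
        SafeReturnPath = p
    Else
        SafeReturnPath = "/MyPage.asp"
    End If
End Function

If Request.Form("User") <> "" Then
    ' User name compared case-insensitively as in the KB; password compared
    ' byte for byte so "admin" is not accepted for "Admin".
    If StrComp(Request.Form("User"), Username, vbTextCompare) = 0 _
       And StrComp(Request.Form("password"), Password, vbBinaryCompare) = 0 Then
        ' The flag lives on the server; the client only holds the opaque
        ' ASPSESSIONID cookie that IIS generates.
        Session("ValidUser") = True
        Response.Redirect SafeReturnPath(Request.QueryString("from"))
    Else
        Failed = True
    End If
End If
%>
<html>
<head><title>Logon Form</title></head>
<body bgcolor="#FFFFFF">
<% If Failed Then Response.Write "<h3>Authorization Failed.</h3>Please try again.<br><br>" %>
<form action="Logon.asp?<%= Server.HTMLEncode(Request.ServerVariables("QUERY_STRING")) %>" method="post">
<h3>Logon Page for MyPage.asp</h3>
<p>
Username: <input type="text" name="User" size="20">
Password: <input type="password" name="password" size="20">
<input type="submit" value="Logon">
</p>
</form>
</body>
</html>

<%
' ---- Gate code for the top of each protected page (MyPage.asp and others) ----
' Checks the Session flag set by Logon.asp above. The return target passed in
' "from" is the virtual path plus query string only, which SafeReturnPath
' accepts; the host is not needed for a same-site return.
If Session("ValidUser") <> True Then
    Dim s
    s = Request.ServerVariables("URL")
    If Request.QueryString.Count > 0 Then
        s = s & "?" & Request.ServerVariables("QUERY_STRING")
    End If
    Response.Redirect "Logon.asp?from=" & Server.URLEncode(s)
End If
%>
```

Session state here depends on the ASP session cookie, so the gate behaves like the KB's "no expiration date" case: closing the browser, or the ASP session timing out on the server, requires a fresh logon. The "Other Considerations" advice about a persistent ValidUser cookie does not carry over, because a persistent cookie that the client can mint is exactly what this variant removes.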
Other "How To" Microsoft Knowledge Base Articles

299987 How To Use Database and ASP Sessions to Implement ASP Security
(http://kbalertz.com/Feedback.aspx?kbNumber=299987/EN-US/)
299970 How to use NTFS permissions to protect a Web Page running on IIS 4.0 or 5.0
(http://kbalertz.com/Feedback.aspx?kbNumber=299970/)

Primary Microsoft Security References

If the preceding TechNet link fails, browse to the TechNet home
page at: In the left pane, point to Security, and then click Web Site.

General Security References

164882 Practical Recommendations for Securing Internet-Connected Windows NT Systems
(http://kbalertz.com/Feedback.aspx?kbNumber=164882/EN-US/)
282060 Resources for Securing Internet Information Services
(http://kbalertz.com/Feedback.aspx?kbNumber=282060/EN-US/)
271071 Minimum NTFS Permissions Required for IIS 5.0 to Work
(http://kbalertz.com/Feedback.aspx?kbNumber=271071/EN-US/)
174811 Authentication and Security White Paper for Internet Developers
(http://kbalertz.com/Feedback.aspx?kbNumber=174811/EN-US/)
229694 How to Use the IIS Security "What If" Tool
(http://kbalertz.com/Feedback.aspx?kbNumber=229694/EN-US/)

Specialized Security References

239120 Create a Secure FTP Directory that Uses Password Authentication
(http://kbalertz.com/Feedback.aspx?kbNumber=239120/EN-US/)
216705 How to Set Permissions on a FrontPage Web on IIS
(http://kbalertz.com/Feedback.aspx?kbNumber=216705/EN-US/)
280383 IIS Security Recommendations When You Use a UNC Share and Username and Password Credentials
(http://kbalertz.com/Feedback.aspx?kbNumber=280383/EN-US/)
176378 How To SQL Server with Integrated Security, IIS on Same Machine
(http://kbalertz.com/Feedback.aspx?kbNumber=176378/EN-US/)
260985 XIMS: Minimum NTFS Permissions Required to Use CDONTS
(http://kbalertz.com/Feedback.aspx?kbNumber=260985/EN-US/)
257685 Proxy Server 2.0 Security Checklist
(http://kbalertz.com/Feedback.aspx?kbNumber=257685/EN-US/)
165340 Change Permissions Needed on Index Server System Files
(http://kbalertz.com/Feedback.aspx?kbNumber=165340/EN-US/)
235874 Windows NT File System (NTFS) Permissions Required for Proxy Server 2.0
(http://kbalertz.com/Feedback.aspx?kbNumber=235874/EN-US/)
APPLIES TO
- Microsoft Active Server Pages 3.0

Keywords: kbaspobj kbcodesnippet kbhowto kbhowtomaster kbscript kbsecurity kbserver kbsysadmin kbwebserver KB301464

Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.