Control of access rights of ASP Web pages

Source: Internet
Author: User
In browser/server applications, if clients are allowed to access Web pages anonymously with a browser, then further restricting a customer's access to specific pages usually means identifying the customer (for example, prompting for a login), verifying the customer's identity at the start of the page, and, if authenticated, allowing the page to be browsed; otherwise, a prompt says that access is restricted.

A typical browser/server application has a homepage with hyperlinks to its different pages. In an Active Server Pages application, the customer can log in once on reaching the home page, with the successful login saved in a session variable; the other pages of the application then simply test the session variable and need no further login verification. The usual practice is to check at the beginning of each page whether the customer has logged in: if not, go to the login page; if so, display the Web page. This check can be extended to test whether a particular customer may access the content of the Web page, giving a hint if not. However, verifying the customer's rights only after the specific Web page has been entered feels like a dead end to a customer who has no access. A better impression is given if the hint of unauthorized access appears when the hyperlink is clicked and the hyperlink is not followed.

To do this, first prevent the customer from reaching a restricted Web page by typing its name directly in the address bar, so that the customer must enter from a public portal page (such as the homepage); then, on the public page, decide from the customer's identity whether he may enter the restricted Web page that a link points to. The restriction is implemented with a page-entry flag. When the customer enters from the public Web page, the public page sets a permission flag; each restricted page checks the flag at its beginning, and if the flag is not set, the customer is attempting to enter the name of the page directly in the address bar, so the page prompts that access is restricted, not displaying the content or moving on to

The other task is to check, on the public Web page, the hyperlinks that point to restricted pages: if the customer is allowed to enter, the restricted page clears the permission flag immediately after checking it; if not, clicking the hyperlink gives a prompt. The following is the source code.

The following file is a restricted page, named Page1.asp

<%@ Language=VBScript %>
<%
If Not Session("Fromdefaultpage") Then   ' Check the entry flag
    Response.Write "This page was not entered from the public Web page and cannot be browsed."
    Response.End
Else
    Session("Fromdefaultpage") = False   ' Cancel the entry permission
End If
%>
<HTML>
<HEAD>
<META name="generator" content="Microsoft Visual Studio 6.0">
</HEAD>
<BODY>

<P>This is the normal content of this page.</P>

</BODY>
</HTML>

The following file is a public access page, named page.asp

<%@ Language=VBScript %>

<%
Dim Conn, rs, acl, ConnectionString
Set Conn = Server.CreateObject("ADODB.Connection")
ConnectionString = "DSN=mssql;Description=Microsoft SQL Server 7.0;" & _
    "Server=wwwserver;UID=ddy;APP=vi6;WSID=wangpuquan;Database=webapp"
Conn.ConnectionTimeout = 30
Conn.Mode = 3   ' adModeReadWrite
Conn.Open ConnectionString, "Ddy", "2louddy"
' Read the prohibited-access list of user U1 (the login page is omitted)
Set rs = Conn.Execute("SELECT ACL FROM userlist WHERE username='U1'")
If Not rs.EOF Then
    acl = rs(0)
End If
Set rs = Nothing
Set Conn = Nothing
Session("Fromdefaultpage") = True   ' Set the entry flag
%>

<HTML>
<HEAD>
<META name="generator" content="Microsoft Visual Studio 6.0">
<SCRIPT language="JavaScript">
function checkright()
{
    var curelement = event.srcElement;
    if ("A" == curelement.tagName)
    {
        // The prohibited-access list, written into the page by the server
        var ss = "<%=acl%>";
        var re = new RegExp("," + curelement.id + ",", "i");
        if (ss.search(re) >= 0)
        {
            alert("Cannot access this page because of insufficient permissions!");
            return false;
        }
        else
        { return true; }
    }
}
</SCRIPT>
</HEAD>

<BODY onclick="return checkright()">
<P>This is a public access page. When you click in the document content area,
the onclick event of the document checks whether a hyperlink was clicked.
If it was, it further checks whether the hyperlink's ID is in the blocked list (,Page1,page2,page3,);
if it is in the list, a prompt says access is restricted and the page is not entered;
if it is not in the list, the page is entered.</P>
<P><A id=page1 href="page1.asp">
To limit access to page1.asp, the ID is set to page1 here;
clicking this hyperlink does not enter the page</A></P>
<P><A id=page0 href="page1.asp">
If access to page1.asp is not limited, the ID is set to page0;
clicking this hyperlink enters the page</A></P>

</BODY>
</HTML>
Description of page.asp:

First, to save space, this article omits the login Web page and queries the access rights of a user named U1.

Second, the structure of the user rights database table is as follows:

Field name    Field type       Field description
Username      char(10)         User name
Password      char(10)         Password
ACL           varchar(1800)    Prohibited-access list

Third, the ACL field holds a list of blocked IDs; in this example the ACL value of user U1 is ",Page1,page2,page3,".

Fourth, to simplify management, you can use the file name of the prohibited Web page as the ID, so that the ID of the hyperlink tag and the file name of the referenced Web page are the same. For simplicity, in this example the two hyperlinks refer to the same Web page but are given different ID values: page1 is in the prohibited-access list and cannot be entered, while page0 is not in the prohibited-access list.

In this example, the access control list is queried every time the public entry page is entered, at the cost of frequent access to the database. You can instead save the retrieved ACL value in a session variable the first time the page is accessed and read only the session variable from then until the end of the session, but when there are many users, the server needs more memory to hold these variables. You can decide which method to use depending on the actual situation.
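
The hyperlink check in page.asp runs in the browser, and Page1.asp tests only the one-time entry flag, so the prohibited-access list is not yet enforced by the server. The following added example (not part of the original article) repeats the list check at the top of the restricted page. It assumes page.asp stores the retrieved value with Session("ACL") = acl, as the paragraph above suggests; the names PAGE_ID, IsDenied and Deny are hypothetical.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit

' Hypothetical: the ID under which this page appears in the ACL column.
Const PAGE_ID = "page1"

' True when pageId is a whole entry of a deny list such as
' ",Page1,page2,page3,". vbTextCompare makes the match case-insensitive,
' like the "i" flag of the regular expression in page.asp.
Function IsDenied(ByVal acl, ByVal pageId)
    IsDenied = (InStr(1, acl, "," & pageId & ",", vbTextCompare) > 0)
End Function

' Send a 403 status with a short message and stop processing the page.
Sub Deny(ByVal message)
    Response.Status = "403 Forbidden"
    Response.Write Server.HTMLEncode(message)
    Response.End
End Sub

' Entry flag from the original Page1.asp: the page must be reached
' through the public page, not by typing its name in the address bar.
If Not Session("Fromdefaultpage") Then
    Deny "This page was not entered from the public Web page and cannot be browsed."
End If

Dim acl
acl = Session("ACL")   ' assumption: stored by page.asp after its query

' Fail closed: if the list was never stored in this session, nothing is
' known about the customer's rights, so the page is not shown.
If IsEmpty(acl) Then Deny "Access is restricted."

' "" & acl turns a Null ACL column (no blocked pages) into an empty string.
If IsDenied("" & acl, PAGE_ID) Then
    Deny "Cannot access this page because of insufficient permissions!"
End If

Session("Fromdefaultpage") = False   ' Cancel the entry permission
%>
<HTML>
<BODY>
<P>This is the normal content of this page.</P>
</BODY>
</HTML>
```

With this check in place, the onclick handler in page.asp remains a convenience that spares the customer a dead end, while the decision itself is made on the server.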


