In a browser/server application, if a webpage can be opened by an anonymous visitor, then restricting a particular page means asking the user to identify himself or herself (for example, by prompting for a login) and verifying that identity at the beginning of the page. If the user passes authentication, the content of the page is shown; otherwise the system reports that access is restricted.
A browser/server application usually has a home page with hyperlinks to its other pages. In an Active Server Pages application the user logs on once, on the home page; the result of the successful logon is stored in a Session variable, and every other page of the application only has to check that variable, so no further login prompt is needed. The usual practice is therefore to check at the beginning of each page whether the user has logged on: if not, send the user to the login page; if so, display the page. This check can be extended to test whether this particular user may see this particular page, and to display a message if not. The drawback is that the check only runs after the user has already reached the page, so a user without permission runs into a dead end. It makes a better impression if the user is warned, at the moment the hyperlink is clicked, that the page is not accessible, and the hyperlink is not followed at all.
To achieve this, first prevent the user from reaching a restricted page by typing its name into the address bar, so that every visit starts from a public entry page (such as the home page); on that public page the user's identity then decides whether a given restricted page may be opened. The restriction is implemented with a page-entry flag: the public page sets a permit flag, and each restricted page checks the flag at its beginning. If the flag is not set, the user must have typed the page name directly into the address bar; in that case report that access is restricted and show no content, or redirect to the login page.
The other task is to check the hyperlink to the restricted page on the public page. If the user is allowed to open the restricted page, the restricted page clears the permit flag immediately on entry, so the permit is good for one visit; if the user is not allowed, a message is shown when the hyperlink is clicked. Note that this click-time check runs in the browser and is only a courtesy to the user: anyone who disables scripting or requests the page URL directly skips it, so the restricted page itself must still enforce the permission on the server. The source code follows.
The following is the restricted page, named page1.asp.
<%@ Language=VBScript %>
<%
If Not Session("fromdefaultpage") Then
    ' Check the entry flag: only the public portal page sets it
    Response.Write "You did not enter from a public webpage, so you cannot browse the content of this page."
    Response.End
Else
    ' Cancel the permit so that the flag is good for one visit only
    Session("fromdefaultpage") = False
End If
%>
<HTML>
<Head>
<Meta name="generator" Content="Microsoft Visual Studio 6.0">
</Head>
<Body>
<P>This is the normal content of this page.</P>
</Body>
</HTML>
The following file is the public portal page, named page.asp.
<%@ Language=VBScript %>
<%
Dim Conn, RS, ACL, ConnectionString
Set Conn = Server.CreateObject("ADODB.Connection")
ConnectionString = "DSN=MSSQL;Description=Microsoft SQL Server 7.0;" & _
    "server=wwwserver;Uid=ddy;APP=vi6;wsid=wangpuquan;database=webapp"
Conn.ConnectionTimeout = 30
Conn.Mode = 3
Conn.Open ConnectionString, "ddy", "2 louddy"
' Look up the forbidden-access list of the current user (fixed to u1 here; see note 1 below)
Set RS = Conn.Execute("select ACL from Userlist where username = 'u1'")
If Not RS.EOF Then
    ACL = RS(0)
End If
Set RS = Nothing
Set Conn = Nothing
' Set the entry flag that the restricted pages check
Session("fromdefaultpage") = True
%>
<HTML>
<Head>
<Meta name="generator" Content="Microsoft Visual Studio 6.0">
<Script language="JavaScript">
function checkright()
{
    // event.srcElement is the Internet Explorer event model used by the original
    var curElement = event.srcElement
    if ("A" == curElement.tagName)
    {
        // The forbidden-access list is written into the page by the server, e.g. ",page1,page2,page3,"
        var ss = "<%= ACL %>"
        // The surrounding commas make the match exact: page1 does not match page10
        var re = new RegExp("," + curElement.id + ",", "i")
        if (ss.search(re) >= 0)
        {
            alert("This page cannot be accessed due to insufficient permissions!")
            return false
        }
        else
        {
            return true
        }
    }
}
</Script>
</Head>
<Body onclick="return checkright()">
<P>This is a public portal page. When you click in the document content area,
the onclick event of the document checks whether the click was on a hyperlink.
If it was, it further checks whether the hyperlink's ID is in the forbidden-access list (,page1,page2,page3,).
If the ID is in the list, an access-restricted prompt is shown and the page is not entered;
if it is not in the list, the hyperlink is followed.</P>
<P><a id="page1" href="page1.asp">
To restrict access to page1.asp, set the ID to page1;
click this hyperlink to enter</a></P>
<P><a id="page0" href="page1.asp">
To leave page1.asp unrestricted, set the ID to page0;
click this hyperlink to enter</a></P>
</Body>
</HTML>
Notes on page.asp:
1. To save space, the login page is omitted. When the access permissions are queried, the user name u1 is used. The database account and password appear in page.asp only for the sake of the example; in a real deployment they belong in protected configuration, not in page source.
2. Structure of the user permission table:
   Field name   Field type      Description
   Username     char(10)        User name
   Password     char(10)        Password
   ACL          varchar(1800)   Forbidden-access list
3. The list of forbidden IDs is stored in the ACL field. In this example the ACL value of u1 is ",page1,page2,page3,". The leading and trailing commas, together with the commas the script adds around the ID it searches for, make the match exact: an ID page1 does not match an entry page10.
4. For ease of management, use the name of the forbidden page file as the ID, so that the ID on the hyperlink is the same as the file name of the page it references. In this example, for convenience, two hyperlinks reference the same page but carry different ID values: page1 is in the forbidden list and is therefore refused, page0 is not in the list and is allowed.
5. As written, page1.asp checks only the entry flag, not the ACL: a user whose list contains page1 can still open page1.asp by visiting page.asp (which sets the flag for everyone) and then typing the address. The ACL test must therefore be repeated on the server in each restricted page; the browser-side check in checkright() only improves the user experience.
In this example the access control list is read from the database every time the public portal page is opened, at the cost of frequent database access. Alternatively, the ACL value can be stored in a Session variable the first time the page is opened, so that later visits before the session ends only read the Session variable; the price is the server memory needed to hold these variables for every session. Which method to use depends on the actual situation.
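The following is an added example in JavaScript (Node.js); it is not code from the original article. It simulates the whole flow described above in one place: the login check, the single-use entry flag shared by page.asp and page1.asp, the comma-delimited forbidden-access list of note 3, and the per-session caching of the ACL suggested in the last paragraph. Plain objects stand in for ASP Session variables, ACL_TABLE is a constructed stand-in for the Userlist table (the user u2 is invented), and handlePortal, handleRestricted, parseAcl and isForbidden are names chosen for this example. The server-side ACL test in handleRestricted goes beyond the article's page1.asp, which checks only the entry flag.

```javascript
// Added example, not code from the original article. Simulates the ASP
// portal / restricted-page flow with plain objects standing in for Session.

// Constructed stand-in for the Userlist table: username -> forbidden-access
// list in the article's ",page1,page2,page3," format (u2 is constructed too).
const ACL_TABLE = {
  u1: ",page1,page2,page3,",
  u2: ",page10,",
};

// Parse the delimited list into a Set of lower-cased IDs. Splitting on the
// commas gives the same exact-match behaviour as the article's regex.
function parseAcl(acl) {
  return new Set(
    acl.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0)
  );
}

// Server-side equivalent of the browser-side checkright() test.
function isForbidden(acl, id) {
  return parseAcl(acl).has(id.toLowerCase());
}

// The article's regex test, kept to show that it agrees with isForbidden: the
// leading and trailing commas stop "page1" from matching inside ",page10,".
function isForbiddenRegex(acl, id) {
  const re = new RegExp("," + id + ",", "i");
  return acl.search(re) >= 0;
}

// page.asp: require a login, load the ACL once per session (the caching
// variant from the last paragraph) and set the single-use entry flag.
function handlePortal(session, username) {
  if (!session.loggedIn) return "redirect:login";
  if (session.acl === undefined) {
    session.acl = ACL_TABLE[username] || ","; // one database hit per session
  }
  session.fromdefaultpage = true;
  return "portal";
}

// page1.asp: check the entry flag as the article does and clear it so that a
// second direct request is refused. The ACL test is this example's addition;
// the article's page1.asp relies on the browser-side check alone.
function handleRestricted(session, pageId) {
  if (!session.loggedIn) return "redirect:login";
  if (!session.fromdefaultpage) return "denied:not-from-portal";
  session.fromdefaultpage = false;
  if (isForbidden(session.acl || ",", pageId)) return "denied:acl";
  return "content";
}

// Walk through the situations the article describes and collect the verdicts.
function scenario() {
  const results = {};
  // Not logged in at all.
  results.notLoggedIn = handleRestricted({}, "page1");
  // Logged in, but typed page1.asp into the address bar without visiting the portal.
  const s1 = { loggedIn: true };
  results.direct = handleRestricted(s1, "page1");
  // u2 is not forbidden page1: portal, then page1 (allowed), then page1 again (flag consumed).
  const s2 = { loggedIn: true };
  handlePortal(s2, "u2");
  results.viaPortal = handleRestricted(s2, "page1");
  results.secondVisit = handleRestricted(s2, "page1");
  // u1 has page1 in the forbidden list: the server refuses even after the portal.
  const s3 = { loggedIn: true };
  handlePortal(s3, "u1");
  results.deniedByAcl = handleRestricted(s3, "page1");
  return results;
}

console.log(scenario());
```

Run it with node; the printed object lists the five verdicts. Because the permit is consumed on the first entry, a user who opens the portal once and then follows two restricted links is refused on the second, exactly as the article's page1.asp behaves; the portal page has to be revisited between restricted pages.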