Authenticating user identities in ASP applications

Interactive Web applications require more security than sites that provide only static Web pages. Registration and password are the most common means of protecting sensitive information. Because the ASP does not directly provide a way to authenticate the user, the user must perform the logon process so that the application system can save and extract user-related information.
Overview of sample Sites
This article through a sample site aspsecurity description of the ASP application registration and password protection of the general implementation process. We keep the user information in a ACCESS97 database on the Web server, and the DSN name is called
Aspsecurity. The unique database table has the following fields: Signon (text, registered username), Password (text, password), Laston (text, user last accessed time), timedout
(Yes/No, whether the session was terminated by the system due to a timeout).

The system mainly includes the following several pages:

default.htm--redirects the browser to the Signon.asp page.

signon.asp--provides a login system interface.

signedon.asp--the page displayed after the system was successfully logged in.

register.asp--New User Registration page.

The default page default.htm is only used to redirect the browser to the signon.asp login page, which is implemented by the following META tag:

< META http-equiv= "REFRESH" content= "1; Url=signon.asp ">

The Signedon page is the only protected page for the entire site and must be authenticated for access.
Authenticating user identities in ASP applications (2)
Input person: ASP Publish time: 2005-7-30 19:57:17 (Browse 37 times)


Second, initialization and user input legality check
When an ASP application is started, IIS looks for a global.asa file. If the file exists, the execution of the Application_OnStart begins. Here you can initialize the application-level variables and constants. The following code initializes an array in Application_OnStart to track all users who log on to the system at any time:

Sub Application_OnStart
Application ("Users") = Array ()
End Sub

After the Application_OnStart is executed, the ASP engine creates a Session object and initializes the
SessionID, and then triggers the Session_OnStart event. Here you can initialize the session-level (and specific user-related) variables and constants:

Sub Session_OnStart
Session.timeout=1
' Database DSN
Session ("ConnectionString") = "aspsecurity"
Session ("connectiontimeout") = 15
' Read/write Way
Session ("Mode") = 3
End Sub

Considering that the user's browser may not support cookies or turn off the cookies feature, you must check the cookies support in the first ASP page and save the results in a session variable. In addition, when the user clicks the login button in the login page, you should also check the legality of user input, as shown in the following code, where aspsecurity.inc provides some common functions (such as Signuseron for authenticating user identities):

<%@ Language=vbscript%>
<% Option Explicit%>
<% Response.Buffer = True%>
<!--#INCLUDE file= "Aspsecurity.inc"-->
<%
Dim Asignon
Dim Apassword
Dim datavalidated
Datavalidated = False
' Check to see if the browser supports cookies
Session ("supportscookies") = (InStr (1, Request.ServerVariables
("Http_cookie"), "ASPSessionID", vbTextCompare) > 0)
If Request ("Action") = "Login" Then
Asignon = LCase (Trim (Request.Form ("Signon"))
Apassword = LCase (Trim (Request.Form ("Password"))
If Len (asignon) = 0 Then
Session ("MSG") = "Please enter the user name."
End If
If Len (apassword) = 0 Then
Session ("MSG") = "Please enter a password."
Else
Datavalidated=true
End If
If Datavalidated Then
If Signuseron (Asignon, Apassword) Then
' User identity confirmed, allow access to protected pages
Response.Redirect "Signedon.asp?id=" & Session ("ID")
End If
End If
ElseIf Request ("Action") = "Register" Then
Response.Redirect "Register.asp"
End If
%>


For the registration page, in addition to checking whether the user fully entered all the content, you should also check whether the password is the same two times, the user name and the database has logged conflicts. To implement the code, see the zip file attached to this article.

Because SessionID is different each time the user starts the browser to connect to the server, it cannot be used directly to associate the user with the information stored in the database, but SessionID can be used to temporarily identify the user information extracted from the database or file. For browsers that do not support cookies, you can create a unique ID in a different way, as the following getid uses a random function:

function GetID () Dim numbers
Dim letters
Dim I
Dim ID
Randomize
Numbers= "0123456789"
Letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
For I = 1 to 10
If I mod 2 <> 0 Then
id = ID & Mid (Letters, INT ((Rnd) + 1), 1)
Else
id = ID & Mid (Numbers, Int ((Rnd) + 1), 1)
End If
Next
GetID = ID
End Function