Easy user Access control in ASP-2

Source: Internet
Author: User
Using Session variables
Although session variables are easy to use and more secure than other methods, they still have some problems. First, session variables work correctly only if the visitor's browser supports cookies. Although most browsers now support cookies, remember that visitors can refuse to accept them (depending on the browser's security settings).
Second, especially in IIS4, session variables may be lost partway through when the browser requests multiple pages. In general, this problem can be minimized by following three simple principles:
- Use only one Global.asa file, placed in the root directory of the site. A nested application with multiple Global.asa files may cause session variables to go out of scope.
- Confirm that the IUSR account, or the group it belongs to, has at least read access to the Global.asa file, and that IIS allows anonymous access.
- Make sure that you use the same character case on all pages. Netscape (and other browsers) treat /thisfolder/thisfile.asp and the same path written with different capitalization as two different files in two different directories. So when you retrieve a cookie from a page, you may get an error because of the capitalization difference.
Save login information in the database
If you need to track information for a large number of visitors, using only an include file becomes difficult to manage. At this point, we can use a database. This technique is also useful for letting visitors join or register online and be added to the user list. That topic is not discussed further here.
Handling the whole process with a database is very simple! When the user provides logon information, use the SQL SELECT command to look up the entered username in the database and retrieve the matching password. If the password you retrieve is the same as the password the user entered, allow them to proceed to the next step:
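' Single quotes in the submitted name are doubled so the value stays inside the string literal
strSQL = "SELECT sPassword FROM Users " _
    & "WHERE sUserName = '" & Replace(Request("v1"), "'", "''") & "'"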
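The lookup above builds its SQL text by concatenation; binding the user name as an ADO parameter keeps the input out of the statement entirely. The following is an added example, not code from the original article. The password form field "v2", the Session("UserName") key and the 50-character name limit are assumptions.

```vbscript
<%
' Added example, not from the original article.
' Assumed names: form field "v2" for the password, Session("UserName"),
' and a 50-character limit on sUserName (placeholder; match your column).
Const adCmdText = 1, adVarChar = 200, adParamInput = 1
Const MAX_USER_LEN = 50

Function CheckLogin(oCon, strUser, strPass)
    Dim oCmd, oRs
    CheckLogin = False
    ' Reject empty or over-long names before they reach ADO; a value longer
    ' than the declared parameter size raises a run-time error.
    If Len(strUser) = 0 Or Len(strUser) > MAX_USER_LEN Then Exit Function

    Set oCmd = Server.CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oCon
    oCmd.CommandType = adCmdText
    ' The ? marker is filled from the Parameters collection, so the user
    ' name is sent as data and never becomes part of the SQL text.
    oCmd.CommandText = "SELECT sPassword FROM Users WHERE sUserName = ?"
    oCmd.Parameters.Append oCmd.CreateParameter("user", adVarChar, _
        adParamInput, MAX_USER_LEN, strUser)

    Set oRs = oCmd.Execute
    If Not oRs.EOF Then
        ' A NULL password (account created without one) never matches,
        ' not even an empty submitted password.
        If Not IsNull(oRs.Fields(0).Value) Then
            ' 0 = binary comparison, so the check is case-sensitive
            CheckLogin = (StrComp(oRs.Fields(0).Value, strPass, 0) = 0)
        End If
    End If
    oRs.Close
    Set oCmd = Nothing
End Function

Dim oCon, strUser, strPass
strUser = CStr(Request("v1"))
strPass = CStr(Request("v2"))
Set oCon = Server.CreateObject("ADODB.Connection")
oCon.Open "Driver={SQL Server}; Server=YourServer; " _
    & "Database=YourDatabase; Uid=YourUserName; Pwd=YourPassword;"
If CheckLogin(oCon, strUser, strPass) Then
    Session("UserName") = strUser
Else
    Response.Write "Login failed"
End If
oCon.Close
%>
```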
Problems with adding login information
However, adding new users raises a small problem. If you find that a user does not exist in the database and decide to add them automatically from ASP, you must be careful. While one user is filling in the registration form, another user may be doing the same thing with the same user name; if the second user is faster and saves their information in the database first, the first user's registration cannot be completed.
There are 2 obvious ways to avoid this phenomenon. One way to do this is to automatically create a new record with a blank password that the user can modify later:
strSQL = "INSERT INTO Users (sUserName, sPassword) " _
    & "VALUES ('" & Replace(Request("v1"), "'", "''") & "', NULL)"
A better approach would be to use a procedure to return a special value (such as a user name) if the new record was created successfully, or, if not, to return an error message. This allows the user to select a new user name. The following example uses a SQL Server stored procedure that returns a user name if the new record succeeds, and returns an empty string if the user name already exists:
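-- The varchar lengths are missing from the original listing; 50 is a placeholder, match it to the Users columns.
-- The EXISTS check and the INSERT are separate statements, so a UNIQUE constraint on sUserName
-- is still needed to reject a concurrent duplicate.
CREATE PROCEDURE AddUser @s_user varchar(50), @s_pword varchar(50) AS
IF EXISTS (SELECT * FROM Users WHERE sUserName = @s_user)
    SELECT ''
ELSE
BEGIN
    INSERT INTO Users (sUserName, sPassword)
    VALUES (@s_user, @s_pword)
    SELECT sUserName FROM Users WHERE sUserName = @s_user
END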
This allows you to run the procedure from ADO and check the return value to confirm whether the user was added. If it fails, the user is notified to select a new user name. Here is some code that shows how to use the stored procedure above; you can find the code in the file downloaded with this article.
<%
' The following data is collected from the form:
strUserName = "NewUser1"
strPassword = "Thepassword"
' Define the database connection:
strConnect = "Driver={SQL Server}; Server=YourServer; " _
    & "Database=YourDatabase; Uid=YourUserName; Pwd=YourPassword;"
' Establish and open the database connection:
Set oCon = Server.CreateObject("ADODB.Connection")
oCon.Open strConnect
' Create the Command object and set its properties:
Set oCmd = Server.CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oCon   ' our open connection
oCmd.CommandType = 4               ' it's a stored procedure (adCmdStoredProc)
oCmd.CommandText = "AddUser"       ' the procedure name
' Execute the command with the parameters and get the result:
Set oRs = oCmd.Execute(lngRecsAffected, Array(strUserName, strPassword))
strResult = Trim(oRs.Fields(0))    ' ADO may add spaces to the result
' Display the result; if the user already exists, display a warning:
If strResult = "" Then
    Response.Write "User already Exists"
Else
    ' HTML-encode the name before writing it into the page
    Response.Write "Added new user: <b>" & Server.HTMLEncode(strResult) & "</b>"
End If
%>
