Microsoft KB Archive/301464

= How To Use Simple ASP Code to Password Protect Your ASP Pages =

Article ID: 301464

Article Last Modified on 6/11/2007

-

APPLIES TO


 * Microsoft Active Server Pages 3.0

-



This article was previously published under Q301464



IN THIS TASK
SUMMARY
 * Create the Application
 * Test the Application
 * Other Considerations
 * Pitfalls

REFERENCES



SUMMARY
This article demonstrates how to write simple Active Server Pages (ASP) code to restrict access to a page with a logon form. The method shown here is deliberately simplistic: it stores one hard-coded user name and password and marks a logged-on browser with a cookie. For greater functionality or for stronger security, see the "References" section at the end of this article.

In this example, you will create the following two pages:
 * MyPage.asp: This page is protected and cannot be browsed to without the correct user name and password.
 * Logon.asp: This page provides a form in which users type their credentials. The script then verifies the user name and password. If both are correct, it writes a cookie to the client, which becomes the "key" for accessing the protected ASP pages.


Create the Application
Use Notepad to create these ASP pages. To start Notepad, from the Windows Start menu, point to Programs, point to Accessories, and then click Notepad. Save each of these documents to the root Web of your local Web server (which is typically C:\InetPub\Wwwroot\). If you change the location of the documents, you must also modify the script in these files accordingly.

Logon.asp

1. In Notepad, click New on the File menu.
2. Copy the following code and paste it into Notepad. (The HTML markup around the script, including the form's action attribute, was lost when this page was extracted and has been reconstructed here; the VBScript is as published.)

<HTML>
<HEAD><TITLE>Logon Form</TITLE></HEAD>
<BODY>
<%
' Hard-coded credentials: this sample accepts exactly one user name and password.
Username = "Administrator"
Password = "Admin"
Validated = "OK"

' The user name comparison is case-insensitive (StrComp with compare mode 1,
' vbTextCompare); the password comparison is case-sensitive.
If StrComp(Request.Form("User"), Username, 1) = 0 AND Request.Form("password") = Password Then
   'Set the validation cookie and redirect the user to the original page.
   Response.Cookies("ValidUser") = Validated
   'Check where the users are coming from within the application.
   If (Request.QueryString("from") <> "") Then
      Response.Redirect Request.QueryString("from")
   Else
      'If the first page that the user accessed is the Logon page,
      'direct them to the default page.
      Response.Redirect "MyPage.asp"
   End If
Else
   ' Only present the failure message if the user typed in something.
   If Request.Form("User") <> "" Then
      Response.Write "<H3>Authorization Failed.</H3>" & "<BR>" & _
                     "Please try again. &nbsp; "
   End If
End If
%>
<!-- The action carries the "from" query string through the POST so that the
     script above can redirect back to the page the user originally requested. -->
<FORM action="Logon.asp?from=<%= Server.URLEncode(Request.QueryString("from")) %>" method="post">
<H3>Logon Page for MyPage.asp</H3>
Username: <INPUT type="text" name="User"><BR>
Password: <INPUT type="password" name="password"><BR>
<INPUT type="submit" value="Logon">
</FORM>
</BODY>
</HTML>

3. Save this page as Logon.asp in the C:\InetPub\Wwwroot\ folder.

MyPage.asp

MyPage.asp is the page that you want to protect. You can use any page with an .asp file extension.

1. In Notepad, click New on the File menu.
2. Copy the following code and paste it into Notepad. (The HTML markup around the script was lost when this page was extracted and has been reconstructed here; the VBScript is as published.)

<%
' Gate: any request whose ValidUser cookie is not exactly "OK" is sent to the logon page.
Validated = "OK"
If Request.Cookies("ValidUser") <> Validated Then
   'Construct the URL for the current page, including any query string,
   'so that Logon.asp can send the user back here after a successful logon.
   Dim s
   s = "http://"
   s = s & Request.ServerVariables("HTTP_HOST")
   s = s & Request.ServerVariables("URL")
   If Request.QueryString.Count > 0 Then
      s = s & "?" & Request.QueryString
   End If
   'Redirect unauthorized users to the logon page.
   Response.Redirect "Logon.asp?from=" & Server.URLEncode(s)
End If
%>
<HTML>
<HEAD><TITLE>My Protected Page</TITLE></HEAD>
<BODY>
<p align="center">This is my secret information<BR>You cannot see it unless you are properly logged on!</p>
</BODY>
</HTML>

3. Save this page as MyPage.asp in the C:\InetPub\Wwwroot\ folder.


Test the Application

1. Open your Web browser. If you are using Microsoft Internet Explorer, from the Windows Start menu, point to Programs, and then click Internet Explorer.
2. Type the following address in the Address bar, and then press ENTER:

http://localhost/MyPage.asp

Notice that you are redirected to Logon.asp.
3. Type the user name and password that are hard-coded in Logon.asp (user name Administrator, password Admin), and then click Logon. You should now see MyPage.asp.
4. Type an incorrect user name or password to confirm that you cannot log on and therefore cannot browse to MyPage.asp.


Other Considerations

 * To protect other ASP pages, add the following code at the top of each ASP page, before any other code:

<%
Validated = "OK"
If Request.Cookies("ValidUser") <> Validated Then
   'Construct the URL for the current page.
   Dim s
   s = "http://"
   s = s & Request.ServerVariables("HTTP_HOST")
   s = s & Request.ServerVariables("URL")
   If Request.QueryString.Count > 0 Then
      s = s & "?" & Request.QueryString
   End If
   'Redirect unauthorized users to the logon page.
   Response.Redirect "Logon.asp?from=" & Server.URLEncode(s)
End If
%>

 * To log on and be redirected to the protected page that you requested, point your hyperlinks at the protected page itself, not at Logon.asp. In this example, make sure that your hyperlink points to MyPage.asp. If you are not logged on, the code at the top of that page redirects you to Logon.asp automatically.
 * If you do not want your site's visitors to log on every time they visit, you can save the ValidUser cookie on their computer so that it is available the next time they visit. The preceding code sets a cookie with no expiration date; the browser keeps such a cookie only in memory and discards it when the browser is closed. To set an expiration period for the cookie, change the following line in Logon.asp:

Response.Cookies("ValidUser") = Validated

to:

Response.Cookies("ValidUser") = Validated
Response.Cookies("ValidUser").Expires = Date + 1

To specify the expiration period, change 1 to the number of days that you prefer. For example, the following line causes the cookie to expire after one year:

Response.Cookies("ValidUser").Expires = Date + 365

If you set an expiration date, the cookie is written to the user's hard disk so that the user can bypass the logon page on later visits. However, if the user browses to the site from another computer, the cookie is saved on that computer too, and someone else can potentially read and copy it.


Pitfalls

 * An ASP logon page is useful for many applications, but it does not offer the highest level of security. On IIS, the strongest option is Windows authentication combined with NTFS permissions: users must supply a user name and password that Microsoft Windows recognizes, and NTFS permissions control which files and folders on the hard disk those accounts can read.

In addition, ASP security rides on top of Microsoft Internet Information Server (IIS) security. If IIS itself is not set up securely, adding ASP logon code does not prevent sophisticated users from obtaining access to your site.

Note also what the "key" in this sample is: the cookie value is the fixed string OK, so any client that sends a ValidUser cookie containing OK is treated as logged on, whether or not it ever visited Logon.asp. The cookie is a flag, not a credential. That is acceptable for keeping casual visitors away from a page, but not for protecting sensitive data.

For more information about IIS and ASP security, see the "References" section.
 * The preceding code allows for only one set of user credentials. The following Microsoft Knowledge Base article demonstrates how to use an ASP logon page in which many user names are saved in a database:

299987 How To Use Database and ASP Sessions to Implement ASP Security

 * If you set an expiration date for the cookie, it is saved on the computer that is used to browse to your page. If someone browses to your page from a public computer, such as a computer at a coffee shop, the cookie is saved on that computer and someone else may read and copy it. If you do not set an expiration date, the cookie is not saved to the computer's hard disk (it is only stored in memory) and is deleted from memory as soon as the browser is closed.
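The following Python model is an added example, not code from this Knowledge Base article. It reproduces the two decisions the sample makes and puts a stronger alternative beside each: the MyPage.asp gate (the ValidUser cookie must equal the fixed string OK) next to an HMAC-signed, expiring token that a client cannot mint or alter without a key held only on the server, and the Logon.asp redirect, which follows the from parameter verbatim, next to a check that only follows targets on the site's own host. The server key, the user name, the host name and the sample requests are assumptions chosen for the demonstration; the signed-token scheme is one common replacement for a constant cookie, not something the article prescribes.

```python
"""Model of the cookie gate and the 'from' redirect from Logon.asp/MyPage.asp,
with a signed token and a redirect-target check shown beside each.

Added example; not code from the Knowledge Base article. Names, the server
key and the sample requests below are assumptions made for the demonstration.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import urlsplit

# --- 1. The article's gate: the "key" is a fixed cookie value -------------
VALIDATED = "OK"


def article_gate(cookies: dict) -> bool:
    """MyPage.asp logic: access is granted iff ValidUser == "OK".
    The server never checks how the cookie was obtained."""
    return cookies.get("ValidUser") == VALIDATED


# --- 2. A signed, expiring token instead of a constant -------------------
# Assumption: this key lives only on the server and is never sent to clients.
SERVER_KEY = b"assumed-server-secret-change-me"


def issue_token(username: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Return 'user|expires|mac'. The MAC covers user and expiry, so a client
    cannot change either, or mint a token, without SERVER_KEY."""
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    payload = f"{username}|{expires}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        username, expires, mac = token.rsplit("|", 2)
        expires_at = int(expires)
    except ValueError:
        return None                      # malformed, e.g. the bare string "OK"
    expected = hmac.new(SERVER_KEY, f"{username}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the MAC through timing differences.
    if not hmac.compare_digest(mac, expected):
        return None
    if expires_at < now:
        return None
    return username


def token_gate(cookies: dict, now: Optional[float] = None) -> bool:
    """Drop-in replacement for article_gate using the signed cookie."""
    return verify_token(cookies.get("ValidUser", ""), now) is not None


# --- 3. Where to send the user after logon --------------------------------
def safe_redirect_target(from_param: str, expected_host: str,
                         default: str = "MyPage.asp") -> str:
    """Logon.asp redirects to Request.QueryString("from") verbatim. MyPage.asp
    builds that value as http://<HTTP_HOST>/<path>, so a legitimate target is
    either relative or absolute on expected_host; anything else falls back."""
    if not from_param or "\\" in from_param:
        return default                   # browsers may treat \ as /
    parts = urlsplit(from_param)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default                   # javascript:, data:, and so on
    if parts.netloc and parts.netloc.lower() != expected_host.lower():
        return default                   # other host, //host, or user@host forms
    return from_param


def demo() -> dict:
    """Run the comparison on constructed requests and return the outcomes."""
    t0 = 1_700_000_000.0                 # fixed clock for reproducibility
    forged = {"ValidUser": "OK"}         # a client that never visited Logon.asp
    good = {"ValidUser": issue_token("Administrator", 3600, now=t0)}
    tampered = {"ValidUser": good["ValidUser"][:-1] + "!"}
    return {
        "article_gate_accepts_forged_cookie": article_gate(forged),
        "token_gate_rejects_forged_cookie": not token_gate(forged, now=t0),
        "token_gate_accepts_issued_token": token_gate(good, now=t0 + 60),
        "token_gate_rejects_tampered_token": not token_gate(tampered, now=t0 + 60),
        "token_gate_rejects_expired_token": not token_gate(good, now=t0 + 3601),
        "redirect_keeps_local_target": safe_redirect_target(
            "http://localhost/MyPage.asp?id=7", "localhost"),
        "redirect_drops_foreign_target": safe_redirect_target(
            "http://attacker.example/", "localhost"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In the token scheme the cookie still carries the user name in the clear; what changes is that the server can tell a cookie it issued from one a client typed in, and that the cookie stops working on its own after the chosen lifetime, which is the property the article's Date + 365 expiry cannot give because the browser, not the server, enforces it. The redirect check keeps the article's flow intact (MyPage.asp builds an absolute URL on HTTP_HOST) while refusing a from value that points elsewhere.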



Other "How To" Microsoft Knowledge Base Articles
299987 How To Use Database and ASP Sessions to Implement ASP Security

299970 How to use NTFS permissions to protect a Web Page running on IIS 4.0 or 5.0

Primary Microsoft Security References
Microsoft Security

http://www.microsoft.com/security/

TechNet Web Site Security

http://www.microsoft.com/technet/Security/default.mspx

If the preceding TechNet link fails, browse to the TechNet home page at:

http://technet.microsoft.com/default.aspx

In the left pane, point to Security, and then click Web Site.

General Security References
White Paper: Implementing a Secure Site with ASP

http://msdn2.microsoft.com/en-us/library/ms995337.aspx

164882 Practical Recommendations for Securing Internet-Connected Windows NT Systems

282060 Resources for Securing Internet Information Services

271071 Minimum NTFS Permissions Required for IIS 5.0 to Work

174811 Authentication and Security White Paper for Internet Developers

229694 How to Use the IIS Security "What If" Tool

Specialized Security References
239120 Create a Secure FTP Directory that Uses Password Authentication

216705 How to Set Permissions on a FrontPage Web on IIS

280383 IIS Security Recommendations When You Use a UNC Share and Username and Password Credentials

176378 How To SQL Server with Integrated Security, IIS on Same Machine

260985 XIMS: Minimum NTFS Permissions Required to Use CDONTS

257685 Proxy Server 2.0 Security Checklist

165340 Change Permissions Needed on Index Server System Files

235874 Windows NT File System (NTFS) Permissions Required for Proxy Server 2.0


Keywords: kbaspobj kbcodesnippet kbhowto kbhowtomaster kbscript kbsecurity kbserver kbsysadmin kbwebserver KB301464

-

Send feedback to Microsoft: TECHNET@MICROSOFT.COM

© Microsoft Corporation. All rights reserved.