Microsoft KB Archive/825498

= How to create a password-protected Web page by using FrontPage 2003, Active Server Pages, and an Access database =

Article ID: 825498

Article Last Modified on 1/24/2007

-

APPLIES TO


 * Microsoft Office SharePoint Designer 2007
 * Microsoft Office FrontPage 2003

-





For a Microsoft FrontPage 2002 version of this article, see 321439.



For a Microsoft FrontPage 2000 version of this article, see 321503.





SUMMARY
This step-by-step article describes how to create a simple password-protected Web page solution by using FrontPage 2003, Active Server Pages (ASP), and a Microsoft Access database.

Important
 * The sample code in this article is not designed as a replacement for the FrontPage 2003 built-in security functionality. The samples are designed to provide a simple security mechanism only for users who are browsing to your Web site. As such, FrontPage 2003 security does not integrate with the user names and the passwords that are added to the Microsoft Access database.
 * The user names and passwords that are typed in are transmitted across the Internet in plain text. To help increase security, Microsoft recommends that you use a Web server that can use Secure Sockets Layer (SSL) encryption. For more information, contact your Web site administrator or your Internet Service Provider (ISP).

Use the ASP features in FrontPage 2003
Before you can use the ASP features in FrontPage 2003, you must have access to a Web server or a disk-based Web that supports ASP.

Create a new Web site in FrontPage 2003
Note The example information assumes that you name your Web site logon, and that you create it as a subweb off the root of your Web site. If you use a name other than logon, or create the Web site in an alternative location, you must modify the steps throughout this article accordingly.

To create a new Web site in FrontPage 2003, follow these steps:  Start FrontPage 2003. On the File menu, click New. In the task pane, click More Web site templates, and then click Empty Web Site. Under Options, type the location where you want to store the new Web site in the following format:

http:// /logon

Where  is the name of your ASP-enabled Web server. Click OK.</ol>

The new empty Web site that is named logon is opened in FrontPage 2003.

Create a database
Create a database to store user names and passwords by using a database program such as Microsoft Office Access 2003.

Note If you use a program other than Access 2003 to create the database, modify these steps accordingly.

To create a database, follow these steps:
 * 1) Start Access 2003.
 * 2) On the File menu, click New.
 * 3) In the task pane, click Blank database.
 * 4) Type logon.mdb for the file name, and then click Create.
 * 5) In the Objects pane, click Tables, and then click New.
 * 6) Click Design View, and then click OK.
 * 7) In the first row of the Field Name column, type UID.
 * 8) In the corresponding Data Type column, click Text, and then click the Primary Key button on the toolbar (appears as a key symbol).
 * 9) In the second row of the Field Name column, type PWD, and then click Text in the second row in the Data Type column.
 * 10) On the File menu, click Save.
 * 11) In the Table Name box, type tblUsers, and then click OK.
 * 12) On the View menu, click Datasheet View.
 * 13) In the UID column, type testuser.

In the PWD column, type password.
 * 1) On the File menu, click Close, and then quit Access 2003.

Note For security reasons, passwords are restricted to a mixture of uppercase letters, lowercase letters, and numbers.

Import the database
Import the user name and the password database that you created into FrontPage 2003. To do so, follow these steps:
 * 1) In FrontPage 2003 with your logon Web site open, click Import on the File menu.
 * 2) Click Add File, locate and then click the logon.mdb file that you created.

Click Open.
 * 1) Click Modify, type _private/logon.mdb in the File location within your web box, and then click OK.

Note There is an underscore character (_) in front of &quot;private&quot; in the path of the file.
 * 1) Click OK to import the database file.
 * 2) If you are prompted to create a database connection for this imported file, click No.

Create the ASP pages
You must create several files to work with this sample. First, create a home page for your Web site, a &quot;nonsecure&quot; page and a password-protected page for testing, and then the logon Web page and the logon include file.

Create the home page
This page serves as the default page for your site and includes links to the nonsecure page and the password-protected Web page that you create. To create a home page, follow these steps: <ol> In FrontPage 2003, clickFile, click New, and then click Blank page.</li> At the footer area of the document window, click Code to show code view.</li> Select and then remove all the HTML code in the Web page.</li>  Type or paste the following HTML code in the Web page. <% @language=&quot;vbscript&quot; %> Home Page Home Page You are logged on as: <% If Len(Session(&quot;UID&quot;)) = 0 Then Response.Write &quot;You are not logged on.&quot; Else Response.Write &quot;&quot; & Session(&quot;UID&quot;) & &quot;&quot; End If %> <ul> <a href=&quot;passwordprotect.asp&quot;>Password-Protected Page</a></li> <a href=&quot;nonsecure.asp&quot;>Nonsecure Page</a></li>

</ul> </li> Right-click the new_page_1.htm tab, and then click Save.

Save the page as default.asp in the root folder of your logon Web site.</li> On the File menu, click Close to close the default.asp Web page.</li></ol>

Create the nonsecure page
Create a typical ASP page that everyone can view. To create a nonsecure page, follow these steps: <ol> In FrontPage 2003, click File, click New, and then click Blank page.</li> At the footer area of the document window, click Code to show code view.</li> Select and then remove all the HTML code in the Web page.</li>  Type or paste the following HTML code in the Web page. <% @language=&quot;vbscript&quot; %> Nonsecure Page Nonsecure Page You are logged on as: <% If Len(Session(&quot;UID&quot;)) = 0 Then Response.Write &quot;You are not logged on.&quot; Else Response.Write &quot;&quot; & Session(&quot;UID&quot;) & &quot;&quot; End If %> <a href=&quot;default.asp&quot;>Back to default</a> </li> Right-click the new_page_1.htm tab, and then click Save.

Save the page as nonsecure.asp in the root folder of your logon Web site.</li> On the File menu, click Close to close the nonsecure.asp Web page.</li></ol>

Create the password-protected page
The page in this step is the same as the nonsecure Web page that you created previously, except that you must add the following line of code near the top of the page: When you add this line of code to an ASP Web page, that page becomes password-protected by the logon.inc file that you create. To create a password-protected Web page, follow these steps: <ol> In FrontPage 2003, click File, click New, and then click Blank page.</li> At the footer area of the document window, click Code to show code view.</li> <li>Select and then remove all the HTML code in the Web page.</li> <li> Type or paste the following HTML code in the Web page. <% @language=&quot;vbscript&quot; %>

Password-Protected Page Password-Protected Page You are logged on as: <% If Len(Session(&quot;UID&quot;)) = 0 Then Response.Write &quot;You are not logged on.&quot; Else Response.Write &quot;&quot; & Session(&quot;UID&quot;) & &quot;&quot; End If %> <a href=&quot;default.asp&quot;>Back to default</a> </li> <li>Right-click the new_page_1.htm tab, and then click Save.

Save the page as passwordprotect.asp in the root folder of your logon Web site.</li> <li>On the File menu, click Close to close the passwordprotect.asp Web page.</li></ol>

Create the logon page
Create a logon page that looks similar to a typical Windows logon dialog box. Users who try to access the password-protected Web page are sent to this page to type their user name and password. To create a logon page, follow these steps: <ol> <li>In FrontPage 2003, click File, click New, and then click Blank page.</li> <li>At the footer area of the document window, click Code to show code view.</li> <li>Select and then remove all the HTML code in the Web page.</li> <li> Type or paste the following HTML code in the Web page. <% @language=&quot;vbscript&quot; %>

<% ' Was this page posted to? If UCase(Request.ServerVariables(&quot;HTTP_METHOD&quot;)) = &quot;POST&quot; Then ' If so, check the username/password that was entered. If ComparePassword(Request(&quot;UID&quot;),Request(&quot;PWD&quot;)) Then ' If comparison was good, store the user name... Session(&quot;UID&quot;) = Request(&quot;UID&quot;) ' ...and redirect back to the original page. Response.Redirect Session(&quot;REFERRER&quot;) End If End If %> Logon Page body { font-family: arial, helvetica } table { background-color: #cccccc; font-size: 9pt; padding: 3px } td   { color: #000000; background-color: #cccccc; border-width: 0px } th   { color: #ffffff; background-color: #0000cc; border-width: 0px } <body bgcolor=&quot;#000000&quot; text=&quot;#ffffff&quot;> <h3 align=&quot;center&quot;>&#xa0; <div align=&quot;center&quot;> <form action=&quot;<%=LOGON_PAGE%>&quot; method=&quot;POST&quot;> </li> <li>Right-click the new_page_1.htm tab, and then click Save.

Save the page as logon.asp in the root folder of your logon Web site.</li> <li>On the File menu, click Close to close the logon.asp Web page.</li></ol>

Create the logon include file
The include file provides the user name and password functionality and is used by both the password-protected Web page and the logon Web page. To create the logon include file, follow these steps: <ol> <li>In FrontPage 2003, click File, click New, and then click Blank page.</li> <li>At the footer area of the document window, click Code to show code view.</li> <li>Select and then remove all the HTML code in the Web page.</li> <li> Type or paste the following HTML code in the Web page. <% ' Do not cache this page. Response.CacheControl = &quot;no-cache&quot;

' Define the name of the users table. Const USERS_TABLE = &quot;tblUsers&quot; ' Define the path to the logon page. Const LOGON_PAGE  = &quot;/logon/logon.asp&quot; ' Define the path to the logon database. Const MDB_URL     = &quot;/logon/_private/logon.mdb&quot;

' Check to see whether you have a current user name. If Len(Session(&quot;UID&quot;)) = 0 Then ' Are you currently on the logon page? If LCase(LOGON_PAGE) <> LCase(Request.ServerVariables(&quot;URL&quot;)) Then ' If not, set a session variable for the page that made the request... Session(&quot;REFERRER&quot;) = Request.ServerVariables(&quot;URL&quot;) ' ...and redirect to the logon page. Response.Redirect LOGON_PAGE End If End If

' This function checks for a username/password combination. Function ComparePassword(UID,PWD) ' Define your variables. Dim strSQL, objCN, objRS ' Set up your SQL string. strSQL = &quot;SELECT * FROM &quot; & USERS_TABLE & _ &quot; WHERE (UID='&quot; & ParseText(UID) & _     &quot;' AND PWD='&quot; & ParseText(PWD) & &quot;');&quot; ' Create a database connection object. Set objCN = Server.CreateObject(&quot;ADODB.Connection&quot;) ' Open the database connection object. objCN.Open &quot;driver={Microsoft Access Driver (*.mdb)}; dbq=&quot; & _ Server.MapPath(MDB_URL) & &quot;; uid=admin; pwd=&quot; ' Run the database query. Set objRS = objCN.Execute(strSQL) ' Set the status to true/false for the database lookup. ComparePassword = Not(objRS.EOF) ' Close your database objects. Set objRS = Nothing Set objCN = Nothing End Function

' This function restricts text to alpha-numeric data only. Function ParseText(TXT) Dim intPos, strText, intText For intPos = 1 TO Len(TXT) intText = Asc(Mid(TXT,intPos,1)) If (intText > 47 And intText < 58) Or _ (intText > 64 And intText < 91) Or _ (intText > 96 And intText < 123) Then strText = strText & Mid(TXT,intPos,1) End if   Next ParseText = strText End Function %> </li> <li>Right-click the new_page_1.htm tab, and then click Save.

Save the page as logon.inc in the _private folder of your logon Web site.</li> <li>On the File menu, click Close to close the logon.inc file.</li></ol>

Test the logon Web site
To do this, follow these steps:
 * 1) In FrontPage 2003, in the Folder List pane, right-click Default.asp, and then click Preview in Browser.

The Web browser loads the sample home page and shows that you are not logged on.
 * 1) Click the Nonsecure page link.

The page loads and shows that you are not logged on. Click the Back to default link to return to the default page.
 * 1) Click the Password-Protected page link.

The logon.asp page loads instead of the password-protected page.
 * 1) In the User Name box, type testuser, type password in the Password box, and then click LOGON.

The password-protected page appears and shows that you are logged on as testuser. Click the Back to default link to return to the default page. The home page loads and shows that you are logged on as testuser.
 * 1) Click the Nonsecure page link.

The page loads and shows that you are logged on as testuser.

Customize the logon Web site
You can customize the logon example Web site in the following ways: <ul> <li>Add user names and passwords: You can open the database. To do so, double-click the database in FrontPage 2003, and then add users to the tblUsers table.</li> <li> Password-protect other Web pages: To password-protect another Web page in your Web site, you must save the file with an ASP file name extension, for example,, and then add the following two lines to the very top of the file: <% @language=&quot;vbscript&quot; %> The first line specifies that you are using Microsoft Visual Basic Scripting Edition (VBScript) for your scripting language, and the second line includes the user name and the password functionality from the logon include file that you created earlier. </li></ul>

<div class="moreinformation_section">

MORE INFORMATION
User names and passwords stored in the database are not encrypted. Even using the Password Input Mask does not encrypt this data. For this reason and for other reasons, Access databases should not be used for production Web sites. For more information about how to help secure the HTTP communications between the client and server, click the following article numbers to view the articles in the Microsoft Knowledge Base:

299525 How to set up SSL by using IIS 5.0 and Certificate Server 2.0

299875 How to implement SSL in IIS

<div class="references_section">