Microsoft KB Archive/928706

From BetaArchive Wiki

Article ID: 928706

Article Last Modified on 4/17/2007



APPLIES TO

  • Microsoft Expression Web



SUMMARY

This step-by-step article describes how to create a simple Web page solution that provides password protection by using Microsoft Expression Web, Active Server Pages (ASP), and a Microsoft Access database.

  • The sample code in this article is not designed to replace the Expression Web built-in security functionality. The samples are designed to provide a simple security mechanism only for users who are browsing to your Web site. Therefore, Expression Web security does not integrate with the user names and the passwords that are added to the Access database.
  • The user names and passwords that are typed in are transmitted across the Internet in plain text. To help increase security, we recommend that you use a Web server that can use Secure Sockets Layer (SSL) encryption. For more information, contact your Web site administrator or your Internet service provider (ISP).


Introduction

This article describes how to create a Web page that is protected by password by using Expression Web, ASP, and an Access database.

MORE INFORMATION

Use the ASP features in Expression Web

Before you use the ASP features in Expression Web, you must have access to a Web server or a disk-based Web that supports ASP.

Create a new Web site in Expression Web

Note The example information assumes that you name a Web site logon and that the logon site is created as a sub Web under the root of your Web site. If you use a name other than logon, or create a Web site in an alternative location, you must modify the steps throughout this article accordingly.

To create a new Web site in Expression Web, follow these steps:

  1. Start Expression Web.
  2. On the File menu, click New, and then click Web site.
  3. In the New dialog box, click Empty Web Site in the Web Site tab.
  4. In the Specify the location of the new Web site box, type the location where you want to store the new Web site in the following format:


http://servername/logon

  5. Click OK.

The new empty Web site that is named logon is opened in Expression Web.

Create a database

You can create a database to store user names and passwords by using a database program such as Microsoft Office Access 2003.

Note If you use a database program other than Access 2003 to create the database, modify these steps accordingly.

To create a database, follow these steps:

  1. Start Access 2003.
  2. On the File menu, click New.
  3. In the task pane, click Blank database.
  4. Type logon.mdb for the file name, and then click Create.
  5. In the Objects pane, click Tables, and then click New.
  6. Click Design View, and then click OK.
  7. In the first row of the Field Name column, type UID.
  8. In the corresponding Data Type column, click Text, and then click the Primary Key button on the toolbar.


Note The Primary Key button appears as a key symbol.

  9. In the second row of the Field Name column, type PWD, and then click Text in the second row of the Data Type column.
  10. On the File menu, click Save.
  11. In the Table Name box, type tblUsers, and then click OK.
  12. On the View menu, click Datasheet View.
  13. In the UID column, type testuser. In the PWD column, type password.
  14. On the File menu, click Close, and then exit Access 2003.

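Note For security reasons, passwords are restricted to a mixture of uppercase letters, lowercase letters, and numbers. The ParseText function in the logon include file removes every other character from the typed user name and password before the database lookup, so store only user names and passwords that consist of these characters.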

Import the database

Import the database that you created to store user names and passwords into Expression Web. To do this, follow these steps:

  1. In Expression Web, open your logon Web site, click Import on the File menu, and then click File.
  2. Click Add File, locate and then click the logon.mdb file that you created, and then click Open.
  3. Click Modify, type _private/logon.mdb in the File location within your web text box, and then click OK.


Note There is an underscore character (_) in front of "private" in the path of the file.

  4. Click OK to import the database file.
  5. If you are prompted to create a database connection for this imported file, click No.

Create the ASP pages

You must create several files to work with this sample: a home page for your Web site, a nonsecure page and a protected page for testing, the logon Web page, and the logon include file.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

Create the home page

This page serves as the default page for your site. It includes links to the nonsecure page and to the protected Web page that you create. To create a home page, follow these steps:

  1. In Expression Web, click New on the File menu, and then click Page.
  2. In the New dialog box, click HTML in the Page tab, and then click OK.
  3. In the footer area of the document window, click Code to show code view.
  4. Select and then remove all the HTML code in the Web page.
  5. Type or paste the following HTML code in the Web page.

    <% @language="vbscript" %>
    <html>
    <head><title>Home Page</title></head>
    <body>
    <h3>Home Page</h3>
    <p>You are logged on as: 
    <%
      If Len(Session("UID")) = 0 Then
        Response.Write "<b>You are not logged on.</b>"
      Else
        ' Encode the stored user name before writing it into the page.
        Response.Write "<b>" & Server.HTMLEncode(Session("UID")) & "</b>"
      End If
    %>
    </p>
    <ul>
     
    <li><a href="passwordprotect.asp">Password-Protected Page</a></li>
    <li><a href="nonsecure.asp">Nonsecure Page</a></li>
    
    </ul>
    </body>
    </html>
  6. Save the page as default.asp in the root folder of your logon Web site.
  7. On the File menu, click Close to close the default.asp Web page.

Create the nonsecure page

Create a typical ASP page that everyone can view. To create a nonsecure page, follow these steps:

  1. In Expression Web, click New on the File menu, and then click Page.
  2. In the New dialog box, click HTML in the Page tab, and then click OK.
  3. In the footer area of the document window, click Code to show code view.
  4. Select and then remove all the HTML code in the Web page.
  5. Type or paste the following HTML code in the Web page.

    <% @language="vbscript" %>
    <html>
    <head><title>Nonsecure Page</title></head>
    <body>
    <h3>Nonsecure Page</h3>
    <p>You are logged on as: 
    <%
      If Len(Session("UID")) = 0 Then
        Response.Write "<b>You are not logged on.</b>"
      Else
        ' Encode the stored user name before writing it into the page.
        Response.Write "<b>" & Server.HTMLEncode(Session("UID")) & "</b>"
      End If
    %>
    </p>
    <p><a href="default.asp">Back to default</a></p>
    </body>
    </html>
  6. Save the page as nonsecure.asp in the root folder of your logon Web site.
  7. On the File menu, click Close to close the nonsecure.asp Web page.

Create the protected page

The page in this step is the same as the nonsecure Web page that you created previously, except that you must add the following code near the top of code view:

<!--#include virtual="/logon/_private/logon.inc"-->

When you add this line of code to an ASP page, that page becomes protected by password by the logon.inc file that you create. To create a Web page that is protected by password, follow these steps:

  1. In Expression Web, click New on the File menu, and then click Page.
  2. In the New dialog box, click HTML in the Page tab, and then click OK.
  3. In the footer area of the document window, click Code to show code view.
  4. Select and then remove all the HTML code in the Web page.
  5. Type or paste the following HTML code in the Web page.

    <% @language="vbscript" %>
    <!--#include virtual="/logon/_private/logon.inc"-->
    <html>
    <head><title>Password-Protected Page</title></head>
    <body>
    <h3>Password-Protected Page</h3>
    <p>You are logged on as: 
    <%
      If Len(Session("UID")) = 0 Then
        Response.Write "<b>You are not logged on.</b>"
      Else
        ' Encode the stored user name before writing it into the page.
        Response.Write "<b>" & Server.HTMLEncode(Session("UID")) & "</b>"
      End If
    %>
    </p>
    <p><a href="default.asp">Back to default</a></p>
    </body>
    </html>
  6. Save the page as passwordprotect.asp in the root folder of your logon Web site.
  7. On the File menu, click Close to close the passwordprotect.asp Web page.

Create the logon page

Create a logon page that resembles a typical Windows logon dialog box. Users who try to access the protected Web page are sent to this page to type their user names and passwords. To create a logon page, follow these steps:

  1. In Expression Web, click New on the File menu, and then click Page.
  2. In the New dialog box, click HTML in the Page tab, and then click OK.
  3. In the footer area of the document window, click Code to show code view.
  4. Select and then remove all the HTML code in the Web page.
  5. Type or paste the following HTML code in the Web page.

    <% @language="vbscript" %>
    <!--#include virtual="/logon/_private/logon.inc"-->
    <%
      ' Was this page posted to?
      If UCase(Request.ServerVariables("HTTP_METHOD")) = "POST" Then
        ' If so, check the username/password that was entered.
        If ComparePassword(Request("UID"),Request("PWD")) Then
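          ' If comparison was good, store the user name in the same
          ' filtered form that ComparePassword matched in the database...
          Session("UID") = ParseText(Request("UID"))
          ' ...and redirect back to the original page, or to the home
          ' page if the logon page was opened directly.
          If Len(Session("REFERRER")) = 0 Then
            Response.Redirect "default.asp"
          Else
            Response.Redirect Session("REFERRER")
          End If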
        End If
      End If
    %>
    <html>
    <head><title>Logon Page</title>
    <style>
    body  { font-family: arial, helvetica }
    table { background-color: #cccccc; font-size: 9pt; padding: 3px }
    td    { color: #000000; background-color: #cccccc; border-width: 0px }
    th    { color: #ffffff; background-color: #0000cc; border-width: 0px }
    </style>
    </head>
    <body bgcolor="#000000" text="#ffffff">
    <h3 align="center"> </h3>
    <div align="center"><center>
    <form action="<%=LOGON_PAGE%>" method="POST">
    <table border="2" cellpadding="2" cellspacing="2">
      <tr>
        <th colspan="4" align="left">Enter User Name and Password</th>
      </tr>
      <tr>
        <td> </td>
        <td colspan="2" align="left">Please type your user name and password.</td>
        <td> </td>
      </tr>
      <tr>
        <td> </td>
        <td align="left">Site</td>
        <td align="left"><%=Request.ServerVariables("SERVER_NAME")%>  </td>
        <td> </td>
      </tr>
      <tr>
        <td> </td>
        <td align="left">User Name</td>
        <td align="left"><input name="UID" type="text" size="20"></td>
        <td> </td>
      </tr>
      <tr>
        <td> </td>
        <td align="left">Password</td>
        <td align="left"><input name="PWD" type="password" size="20"></td>
        <td> </td>
      </tr>
      <tr>
        <td> </td>
        <td colspan="2" align="center"><input type="submit" value="LOGON"></td>
        <td> </td>
      </tr>
    </table>
    </form>
    </center></div>
    </body>
    </html>
  6. Save the page as logon.asp in the root folder of your logon Web site.
  7. On the File menu, click Close to close the logon.asp Web page.

Create the logon include file

The include file provides the user name and password functionality. It can be used by both the protected Web page and the logon Web page. To create the logon include file, follow these steps:

  1. In Expression Web Designer, click New on the File menu, and then click Page.
  2. In the New dialog box, click HTML in the Page tab, and then click OK.
  3. In the footer area of the document window, click Code to show code view.
  4. Select and then remove all the HTML code in the Web page.
  5. Type or paste the following HTML code in the Web page.

    <%
      ' Do not cache this page.
      Response.CacheControl = "no-cache"
    
      ' Define the name of the users table.
      Const USERS_TABLE  = "tblUsers"
      ' Define the path to the logon page.
      Const LOGON_PAGE   = "/logon/logon.asp"
      ' Define the path to the logon database.
      Const MDB_URL      = "/logon/_private/logon.mdb"
    
      ' Check to see whether you have a current user name.
      If Len(Session("UID")) = 0 Then
        ' Are you currently on the logon page?
        If LCase(LOGON_PAGE) <> LCase(Request.ServerVariables("URL")) Then
          ' If not, set a session variable for the page that made the request...
          Session("REFERRER") = Request.ServerVariables("URL")
          ' ...and redirect to the logon page.
          Response.Redirect LOGON_PAGE
        End If
      End If
    
      ' This function checks for a username/password combination.
      Function ComparePassword(UID,PWD)
        ' Define your variables.
        Dim strSQL, objCN, objRS
        ' Set up your SQL string.
        strSQL = "SELECT * FROM " & USERS_TABLE & _
          " WHERE (UID='" & ParseText(UID) & _
          "' AND PWD='" & ParseText(PWD) & "');"
        ' Create a database connection object.
        Set objCN = Server.CreateObject("ADODB.Connection")
        ' Open the database connection object.
        objCN.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & _
          Server.MapPath(MDB_URL) & "; uid=admin; pwd="
        ' Run the database query.
        Set objRS = objCN.Execute(strSQL)
        ' Set the status to true/false for the database lookup.
        ComparePassword = Not(objRS.EOF)
        ' Close your database objects and release them.
        objRS.Close
        objCN.Close
        Set objRS = Nothing
        Set objCN = Nothing
      End Function
    
      ' This function restricts text to alpha-numeric data only.
      Function ParseText(TXT)
        Dim intPos, strText, intText
        For intPos = 1 TO Len(TXT)
          intText = Asc(Mid(TXT,intPos,1))
          If (intText > 47 And intText < 58) Or _
             (intText > 64 And intText < 91) Or _
             (intText > 96 And intText < 123) Then
              strText = strText & Mid(TXT,intPos,1)
          End if
        Next
        ParseText = strText
      End Function
    %>
  6. Save the page as logon.inc in the _private folder of your logon Web site.
  7. On the File menu, click Close to close the logon.inc Web page.
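
The ComparePassword function above keeps typed input out of the SQL text by stripping characters with ParseText. The following added example, which is not part of the original article or of Microsoft's sample, performs the same lookup with bound parameters through ADODB.Command, so the values are compared exactly as typed. The function name ComparePasswordBound and the 50-character field limit are assumptions; the code belongs inside the <% %> block of logon.inc and relies on its USERS_TABLE and MDB_URL constants.

```vbscript
' Added example: parameterized variant of ComparePassword.
' ComparePasswordBound and MAX_FIELD are hypothetical names.
Function ComparePasswordBound(UID, PWD)
  Const adCmdText    = 1    ' ADO CommandTypeEnum
  Const adParamInput = 1    ' ADO ParameterDirectionEnum
  Const adVarChar    = 200  ' ADO DataTypeEnum
  Const MAX_FIELD    = 50   ' assumed size of the UID and PWD Text columns

  Dim strUID, strPWD, objCN, objCmd, objRS
  ComparePasswordBound = False

  ' Request("UID") is an object; concatenation forces a plain string.
  strUID = UID & ""
  strPWD = PWD & ""

  ' Reject empty or oversized input instead of silently altering it.
  If Len(strUID) = 0 Or Len(strUID) > MAX_FIELD Then Exit Function
  If Len(strPWD) = 0 Or Len(strPWD) > MAX_FIELD Then Exit Function

  ' Same connection string as ComparePassword in logon.inc.
  Set objCN = Server.CreateObject("ADODB.Connection")
  objCN.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & _
    Server.MapPath(MDB_URL) & "; uid=admin; pwd="

  Set objCmd = Server.CreateObject("ADODB.Command")
  Set objCmd.ActiveConnection = objCN
  objCmd.CommandType = adCmdText
  ' The SQL text is fixed. The ? markers are filled, in order, from the
  ' Parameters collection, so typed input is never parsed as SQL.
  objCmd.CommandText = "SELECT [UID] FROM " & USERS_TABLE & _
    " WHERE [UID] = ? AND [PWD] = ?"
  objCmd.Parameters.Append _
    objCmd.CreateParameter("UID", adVarChar, adParamInput, MAX_FIELD, strUID)
  objCmd.Parameters.Append _
    objCmd.CreateParameter("PWD", adVarChar, adParamInput, MAX_FIELD, strPWD)

  ' A returned row means the user name and password pair exists.
  Set objRS = objCmd.Execute
  ComparePasswordBound = Not objRS.EOF

  ' Close and release the database objects.
  objRS.Close
  objCN.Close
  Set objRS = Nothing
  Set objCmd = Nothing
  Set objCN = Nothing
End Function
```

If adovbs.inc is already included in the site, remove the three ADO Const lines, because that file defines the same names.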

Test the logon Web site

To test the logon Web site, follow these steps:

  1. In Expression Web, right-click Default.asp in the Folder List pane, and then click Preview in Browser.


The Web browser loads the sample home page and shows that you are not logged on.

  2. Click the Nonsecure page link.


The page loads and shows that you are not logged on. Click the Back to default link to return to the default page.

  3. Click the Password-Protected page link.


The logon.asp page loads instead of the protected page.

  4. In the User Name box, type testuser, type password in the Password box, and then click LOGON.


The protected page appears and shows that you are logged on as testuser. Click the Back to default link to return to the default page. The home page loads and shows that you are logged on as testuser.

  5. Click the Nonsecure page link.


The page loads and shows that you are logged on as testuser.

Customize the logon Web site

You can customize the logon example Web site in the following ways:

  • Add user names and passwords:
    You can open the database in Expression Web, and then add users to the tblUsers table.
  • Create other Web pages that are protected by password:
    To create another Web page that is protected by password in your Web site, you must save the file by using an .asp file name extension, such as Mypage.asp, and then add the following two lines to the very top of code view:

    <% @language="vbscript" %>
    <!--#include virtual="/logon/_private/logon.inc"-->

    The first line specifies that you are using Microsoft Visual Basic Scripting Edition (VBScript) for your scripting language. The second line includes the user name and the password functionality from the logon include file that you created earlier.


REFERENCES

For more information about how to create a Web page that is protected by password by using FrontPage 2003, Active Server Pages, and an Access database, click the following article number to view the article in the Microsoft Knowledge Base:

825498 How to create a password-protected Web page by using FrontPage 2003, Active Server Pages, and an Access database



For more information about how to help secure the HTTP communications between the client and server, click the following article numbers to view the articles in the Microsoft Knowledge Base:

299525 How to set up SSL by using IIS 5.0 and Certificate Server 2.0


299875 How to implement SSL in IIS



For more information about how to integrate Active Server Pages (ASP) with databases, click the following article numbers to view the articles in the Microsoft Knowledge Base:

299987 How to use database and ASP sessions to implement ASP security


300382 How to create a database connection from an ASP page in IIS


318287 What you need to use Active Server Pages (ASP) in FrontPage 2002

