Home

Creating a login script with ASP

May 31, 2002 - 09:37 — Neil

In a similar vein to Jesteruk's login with PHP articles, this article will show you how to do the same thing but with ASP.

So, how do you start?

The first thing you need to do is create a simple login page, which can look something like this:
Note: This will create JUST a form with text boxes. You can pad it out yourself.

Creating the login.asp page

<% Sub ShowLogin %>
<form name=form1 action=login.asp method=post>
User Name : <input type=text name=username>
Password : <input type=password name=userpwd>
<input type=hidden name=login value=true>
<input type=submit value="Login">
</form>
<% End Sub %>

The second input box has a type=password, what this does is cause the text typed in to be hidden (like *******). Also to note is that you want the action of the form to be the same page. This way we do not need a second page just to handle the checking of the password. I will talk about the hidden form element next. You will also see why we placed the form inside a subroutine later.

Before we add the code to check to see if the user name and password are correct we need to add some code to the top of login.asp to check to see if the form has been submitted.

Response.Expires = -1000 'Makes the browser not cache this page
Response.Buffer = True 'Buffers the content so our Response.Redirect will work
Session("UserLoggedIn") = ""

If Request.Form("login") = "true" Then 
    CheckLogin 
Else
    ShowLogin 
End If

This code will go at the top of login.asp to see if the form was submitted. If it was, then we will check the login, if not then we will show the login form.

Checking for correct login details

Next we will add the code for the CheckLogin subroutine to check to see if the username and password entered are correct. At this time there is no database connectivity, as there is only one user.

Sub CheckLogin
If LCase(Request.Form("username")) = "guest" And LCase(Request.Form("userpwd")) = "guest" Then 
    Session("UserLoggedIn") = "true"
    Response.Redirect "protectedpage.asp"
Else
    Response.Write("Login Failed.<br><br>")
    ShowLogin
End If
End Sub

The above code will check to make sure they have entered the login correctly. By setting the Session variable "UserLoggedIn" equal to "" we are basically logging the user out.

The protected pages

The only thing left to do is write the code to put at the top of the protected page to check to see if the user is logged in. This will redirect the user to the login page if UserLogginIn is not set. 

Response.Expires = -1000 'Makes the browser not cache this page
Response.Buffer = True 'Buffers the content so our Response.Redirect will work

If Session("UserLoggedIn") <> "true" Then 
    Response.Redirect(&quotlogin.asp") 
End If

The Scripts in full

login.asp

<%
Response.Expires = -1000 'Makes the browser not cache this page
Response.Buffer = True 'Buffers the content so our Response.Redirect will work
Session("UserLoggedIn") = ""
If Request.Form("login") = "true" Then
    CheckLogin
Else
    ShowLogin
End If

Sub ShowLogin
%>

<form name=form1 action=login.asp method=post>
User Name : <input type=text name=username><br>
Password : <input type=password name=userpwd><br>
<input type=hidden name=login value=true>
<input type=submit value="Login">
</form>
>%
End Sub

Sub CheckLogin
If LCase(Request.Form("username")) = "guest" And LCase(Request.Form("userpwd")) = "guest" Then
    Session("UserLoggedIn&quot) = "true"
    Response.Redirect "protectedpage.asp"
Else
    Response.Write("Login Failed.<br><br>")
    ShowLogin
End If
End Sub
%>

protectedpage.asp

<%
Response.Expires = -1000 'Makes the browser not cache this page
Response.Buffer = True 'Buffers the content so our Response.Redirect will work

If Session("UserLoggedIn") <> "true" Then
    Response.Redirect("login.asp")
End If
%>

This page is full of password protected content.  If you are reading this you entered <br>
the correct name and password.

Comments

May 31, 2002 - 10:50 — sgd

One one thing I'd gripe about:

A better test to see if the form has been submitted is to use the Request.ServerVariables("REQUEST_METHOD") variable, which is set to "GET" or "POST" depending on how the request was submitted. That way you're ensured against someone populating the query string or trying to hack the request stream (well, it can be hacked, and to completely secure it you'd hafta do SSL and crap, but since that's whay beyond the scope of this article, we'll be happy with a Good Enoughtm solution =)
June 1, 2002 - 06:05 — Spyder

Good Enough

Good Enoughtm - I just had to laugh at that... maybe I'm in a weird mood :D
May 12, 2004 - 11:31 — max5121

COULDN'T GET THIS TO WORK...

I copied and pasted the Full scripts into the login.asp page and protectedpage.asp pages... uploaded to webserver ... didn't work... does anyone have working version of this script... looks good, if I could get it to work.. // PS:: I probably screwed something up somewhere...
December 19, 2005 - 23:22 — elbundi

login.asp -fix

>% 'place a less than tag before the End Sub End Sub
January 31, 2006 - 18:03 — pmoreau

asp login page

How can you use this code to create more than one username & password combination and take them to different login pages without using a database?
December 5, 2006 - 20:43 — tc3100

Multiple Users

How can you use this code with multiple username/passwords and a database???
December 19, 2006 - 18:05 — gbwisc23

For Clarification of the login.asp -fix

If you copy and paste the code from login.asp, you need to change line 20 from '>%' to '<%'.

Fixed:
------
Line 19:
Line 20: <%
Line 21: End Sub
December 19, 2006 - 18:12 — gbwisc23

Adding protectedpage.asp - fix

Line 5 in the code is not showing up correctly if one copies and pastes... it needs to read:

If Session("UserLoggedIn") <> "true" Then
February 16, 2008 - 16:08 — slg111875

Question

I got everything working. However, I can bypass my login page and just type in URL http://www.XXXXXX/protectedpage.asp and still get to the protected page. Am I missing a step here? Once someone learns the link to the protected page, they don't have to know the username and password.
May 27, 2008 - 10:03 — tasam21

ABOVE CODE IS NOT THAT HELPFUL TO USE.

The code above had solve my problem but still has some problem there. As I type http://www.XXX.com/protectedpage.asp directly in the address bar and it show up that page without asking username and password so i think that code is not so secure could please guide me to overcome this problem. Thank You!