How to keep user logged in for session with ASP pages

Hello,

I am in the final stages of creating my webpage. I have a login page that takes the user to their "Account Page". From there, they can "Edit User Info" and then return to the "Account Page".

Currently, the user needs to login to get to the "Account Page", then they click the "Edit" button and have to login again to "Edit User Info". Once they edit their info, they have to login again to get back to the "Account Page".

How do I code my pages so that once the user logs in, they are allowed to navigate the site without having to login each time they try to access a secured page?

Also, how do I allow them to log out if they are done?

I have been reading about Session variables and the global.asa page but am confused right now.

Any thoughts are much welcomed.

Thanks - Jerry

re: How to keep user logged in for session with ASP pages

When you log your user in, create some session variables that you check in code, I usually record their ID number (so I can log transactions against them) and their name (so I can display it to them on screen (Like Logout(Gaz))) nand finally their userlevel (for system functionality).

Then, in all pages requiring login access:
rights.asp:
That will make the user security persist. If a user is required to login, he is directed to the login page, and it remembers the page he came from. If he is logged in already, then its fine and dandy.

After we log the user in, we check if he was referred from a previous page:

If he was not, he goes to the designated page.

And finally we log the user out by calling a very simple logout script:

I've only illustrated the basic concepts here, you can get away with all of that by just including the user's ID or username and check that in your pages.

Hope that clarifies it for ya!

Gaz.

re: How to keep user logged in for session with ASP pages

Thanks Gaz. This is very helpful.

I am a novice programmer at best. Can you clear a few things up for me.

I have a login.html page that allows the user to enter their email address and password.

When they submit, it goes to logged.asp. This page currently verfies the user information and if it is correct, this same page shows the user account page with information from my database.
Then, from this page, they can go to edit.asp.

Pretty small webpage but I would like the user to be able to go back and forth to these two pages without having to log in everytime they visit each page.

So, should I enter:
on the logged.asp page or should I make the original login.html page an asp page and enter it there. (If so, where on the page should this code go?)

Then, should I simply enter:
on the top of both the logged.asp and edit.asp pages?

Lastly, I don't really understand where the myuserLevel variable comes from.
Does it automatically go to 3 when the user logs in?

I apologize for being so out of touch with ASP but I am learning thanks to people like yourself.

Jerry

re: How to keep user logged in for session with ASP pages

Hi Jerry,

I was illustrating some of the concepts I use - myuserLevel (per page) and userlevel (per user) in general. I use them as a way of showing or hiding pages, menu items and other things based on a user's rights. For example on corporate intranets, managers would have a higher user level and would see items that other staff members can not.

For your purposes, you don't really need to use user levels, you simply need to check if one session variable is set, I guess for you this would be the user's ID.

So your logged.asp page, the one that verifies the user's details, would set the variable after it has found their details.

One way would be to split the logged page into two. One that logs them in and one that shows them their profile, and then make that page and the edit page redirect them to the login one if they are not logged in.

So at the top of the two profile pages:

You may also want to think about combining the login page with the logged one.

Think of it this way: If the user was just on this page, and he pressed submit, bttnSubmit would = "Submit" in the querystring. If that is the case, process their login, otherwise show them the login form, whose action is the same page.

This can also apply to combining the profile pages into one, too.

Structured like this:

Select statement.

Check status of submit -> if = "submit"
..
..
rs("somevariable") = somevariablefrompost
rs.update
redirect to this page.

Else
Form whose action equals this page.
fields populated with values from recordset.
End If

Maybe that's a bit too much info at this point!

Gaz.

re: How to keep user logged in for session with ASP pages

Thanks again for all your help Gaz.

Here is what I have so far. I declared the session variable on my loggedin.asp page that is called when the user logs in on my login.html page. The following code is towards the end of my page after the user is verfied.

That takes me to my account page with the following session variable placed at the top of my page as seen below:


When I hit the logout button, it takes me to my logout.asp page but I can still type in the url or back button and it takes me back to my accountpage with the user information showing. However, if I hit a link to go to the account page or edit user page, it takes me directly to the login page. So, I believe it is working except for when you type in the exact url or hit the back button. If I wait the 20 minutes, I have to login again. How do I make it so if the back button or url is hit, I am taken to the login page after the user logs out?

Here is my logout.asp page code:

Any thoughts?

Thanks - Jerry

re: How to keep user logged in for session with ASP pages

sorry for so many posts.

I have the session variable working to a degree. it shows my user id up top as I navigate the website. However, I am encountering a huge problem. It doesn't matter who logs in, it always shows the first person in the database's information.

I declared my session variable like this:

I believe that "email" is coming from the login.html form page where the text box is named "email". Is this correct?

I'll continue to work on this throughout the night but if anyone understands why I am having this trouble, please let me know. Thanks in advance

Jerry