Hi Matt,
There are a number of things you can do here. For the login, is it
necessary to give your applications its own user account system? Nothing
frightens users more than yet another username and password to remember. If
you have a domain, I suggest using Windows authentication and managing your
users by their usernames, or better yet, by their SIDs.
As far as keeping unauthorized people out, if you use Windows
authentication, you don't have to worry about people logging in and out and
having sessions. Instead, you have to develop a system by which you can
manage users permissions or access. If your app is as simple as users have
all access or no access, then it's a matter of having a DB with a list of
user accounts that are authorized to the application. Or you can go a
totally different route and have domain group membership determine which
users are authorized to your application. Using group memberships will make
things much simpler to manage, imo.
JoeUser: "Can I have access to this application?"
You: "Yes, one moment."
net group MyApplicationGroup JoeUser /add /domain
You: "Okay, go ahead. You have access now."
And then within your application, create an include file that is in all your
protected pages with a test like so:
<%
If Not IsAuthorized Then Response.Redirect "/notauthorized.asp"
Function IsAuthorized()
Const GROUP_NAME = "YOURDOMAIN/MyApplicationGroup"
Dim sAuthUser
Dim oGroup, oUser
IsAuthorized = False
sAuthUser = Request.ServerVariables("AUTH_USER")
If Len(sAuthUser) > 0 Then
sAuthUser = Replace(sAuthUser, "/", "\")
Set oGroup = GetObject("WinNT://" & GROUP_NAME & ",group")
Set oUser = GetObject("WinNT://" & sAuthUser & ",user")
IsAuthorized = oGroup.IsMember(oUser.ADsPath)
Set oGroup = Nothing
Set oUser = Nothing
End If
End Function
%>
If you put that in an include and include it in all your pages, it will
protect them (assuming I didn't screw up the code). In order for the
AUTH_USER variable to be populated, you have to turn off anonymous access
for your application within IIS.
http://www.iisfaq.com/?View=A26 If I
babbled, it's because I thought as I typed.
Ray at work
"Matt" <ma**@discussions.microsoft.com> wrote in message
news:04****************************@phx.gbl...
Hiya
I have to develop a web application for my company in
which I need to have a facility for username and password
for the employees to do certain tasks. How can this be
implemented in ASP. I am thinking of having usernames and
passwards (encrypted) in database and when a person tries
to log in, the script will compare those stored in databse
to the values entered by user. But after the user has
logged in, how can I make sure that the user is always
logged in as user move from one page to another. Also how
I make sure that the user is logged out properly.
Basically my main concern is that no unauthorized user can
access any part of that web app.
Any ideas will be highly appreciated.
Thanks,
Matt.
