Creating a login script with ASP

Neil McGill

In a similar vein to Jesteruk's login with PHP articles, this article will show you how to do the same thing but with ASP.

So, how do you start?

The first thing you need to do is create a simple login page, which can look something like this:
Note: This will create JUST a form with text boxes. You can pad it out yourself.

Creating the login.asp page

<% Sub ShowLogin %>
<form name=form1 action=login.asp method=post>
User Name : <input type=text name=username>
Password : <input type=password name=userpwd>
<input type=hidden name=login value=true>
<input type=submit value="Login">
</form>
<% End Sub %>

The second input box has type=password, which hides the text as it is typed (like *******). This masking is on-screen only: the value is still sent as plain text in the form post. Also note that the action of the form is the same page, so we do not need a second page just to handle the checking of the password. I will talk about the hidden form element next. You will also see later why we placed the form inside a subroutine.

Before we add the code to check to see if the user name and password are correct we need to add some code to the top of login.asp to check to see if the form has been submitted.

Response.Expires = -1000 'Makes the browser not cache this page
Response.Buffer = True 'Buffers the content so our Response.Redirect will work
Session("UserLoggedIn") = ""

If Request.Form("login") = "true" Then 
    CheckLogin 
Else
    ShowLogin 
End If 

This code goes at the top of login.asp to see if the form was submitted. If it was, we check the login; if not, we show the login form.

Checking for correct login details

Next we will add the code for the CheckLogin subroutine to check to see if the username and password entered are correct. At this time there is no database connectivity, as there is only one user.

Sub CheckLogin
If LCase(Request.Form("username")) = "guest" And LCase(Request.Form("userpwd")) = "guest" Then 
    Session("UserLoggedIn") = "true"
    Response.Redirect "protectedpage.asp"
Else
    Response.Write("Login Failed.<br><br>")
    ShowLogin
End If
End Sub

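The above code checks that the user name and password were entered correctly. Note that LCase is applied to both fields, so the password is matched without regard to case, which makes it easier to guess. The line Session("UserLoggedIn") = "" at the top of login.asp resets the Session variable on every visit to the login page, which basically logs the user out.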

The protected pages

The only thing left to do is write the code to put at the top of each protected page to check whether the user is logged in. This will redirect the user to the login page if UserLoggedIn is not set to "true".

Response.Expires = -1000 'Makes the browser not cache this page
Response.Buffer = True 'Buffers the content so our Response.Redirect will work

If Session("UserLoggedIn") <> "true" Then 
    Response.Redirect("login.asp") 
End If 
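
A fuller login.asp along the same lines, as an added example that is not the article's own code: it treats only a real POST as a login attempt, compares the password exactly, and supports several hard-coded accounts with their own landing pages. The editor account, its password, editors.asp and Session("UserName") are assumptions made for illustration.

```asp
<%
' Added example, not the article's code. The editor account and editors.asp are constructed.
Response.Expires = -1000
Response.Buffer = True
Function LoadUsers()
    ' lower-case user name -> Array(password, landing page); hard-coded like the article
    Dim d : Set d = Server.CreateObject("Scripting.Dictionary")
    d.Add "guest", Array("guest", "protectedpage.asp")
    d.Add "editor", Array("Example-Pass-1", "editors.asp")   ' hypothetical second account
    Set LoadUsers = d
End Function

Sub CheckLogin
    Dim users, userName, pwd, entry
    userName = LCase(Trim(Request.Form("username")))   ' user names ignore case
    pwd = Request.Form("userpwd") & ""                  ' passwords do not
    Set users = LoadUsers()
    If users.Exists(userName) Then
        entry = users(userName)
        If StrComp(pwd, entry(0), vbBinaryCompare) = 0 Then
            Session("UserLoggedIn") = "true"
            Session("UserName") = userName
            Response.Redirect entry(1)   ' target comes from the table, never from the request
            Exit Sub
        End If
    End If
    Response.Write "Login Failed.<br><br>"   ' same message for unknown user and wrong password
    ShowLogin
End Sub

Sub ShowLogin
%>
<form action="login.asp" method="post">
User Name : <input type="text" name="username"><br>
Password : <input type="password" name="userpwd"><br>
<input type="submit" value="Login">
</form>
<%
End Sub
' Visiting login.asp logs the current user out, as in the article
Session("UserLoggedIn") = ""
Session("UserName") = ""
' The request method replaces the hidden "login" field: a query string cannot trigger the check
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    CheckLogin
Else
    ShowLogin
End If
%>
```

Each protected page should then also compare Session("UserName") with the account it belongs to, otherwise any logged-in user can open any landing page.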

The Scripts in full

login.asp

<%
Response.Expires = -1000 'Makes the browser not cache this page
Response.Buffer = True 'Buffers the content so our Response.Redirect will work
Session("UserLoggedIn") = ""
If Request.Form("login") = "true" Then
    CheckLogin
Else
    ShowLogin
End If

Sub ShowLogin
%>

<form name=form1 action=login.asp method=post>
User Name : <input type=text name=username><br>
Password : <input type=password name=userpwd><br>
<input type=hidden name=login value=true>
<input type=submit value="Login">
</form>
<%
End Sub

Sub CheckLogin
If LCase(Request.Form("username")) = "guest" And LCase(Request.Form("userpwd")) = "guest" Then
    Session("UserLoggedIn") = "true"
    Response.Redirect "protectedpage.asp"
Else
    Response.Write("Login Failed.<br><br>")
    ShowLogin
End If
End Sub
%>

protectedpage.asp

<%
Response.Expires = -1000 'Makes the browser not cache this page
Response.Buffer = True 'Buffers the content so our Response.Redirect will work

If Session("UserLoggedIn") <> "true" Then
    Response.Redirect("login.asp")
End If
%>

This page is full of password protected content.  If you are reading this you entered <br>
the correct name and password.

When not abusing his workplace's blisteringly fast internet connection to play time wasting games and being a lazy so and so, Neil tries to be a Web Developer for the University where he studies Computing.

One thing I'd gripe about:

Submitted by sgd on May 31, 2002 - 10:50.

A better test to see if the form has been submitted is to use the Request.ServerVariables("REQUEST_METHOD") variable, which is set to "GET" or "POST" depending on how the request was submitted. That way you're ensured against someone populating the query string or trying to hack the request stream (well, it can be hacked, and to completely secure it you'd hafta do SSL and crap, but since that's way beyond the scope of this article, we'll be happy with a Good Enough™ solution =)

Good Enough

Submitted by Spyder on June 1, 2002 - 06:05.

Good Enough™ - I just had to laugh at that... maybe I'm in a weird mood :D

COULDN'T GET THIS TO WORK...

Submitted by max5121 on May 12, 2004 - 11:31.

I copied and pasted the Full scripts into the login.asp page and protectedpage.asp pages... uploaded to webserver ... didn't work... does anyone have working version of this script... looks good, if I could get it to work.. // PS:: I probably screwed something up somewhere...

login.asp -fix

Submitted by elbundi on December 19, 2005 - 23:22.

>% 'place a less than tag before the End Sub End Sub

asp login page

Submitted by pmoreau on January 31, 2006 - 18:03.

How can you use this code to create more than one username & password combination and take them to different login pages without using a database?

Multiple Users

Submitted by tc3100 on December 5, 2006 - 20:43.

How can you use this code with multiple username/passwords and a database???

For Clarification of the login.asp -fix

Submitted by gbwisc23 on December 19, 2006 - 18:05.

If you copy and paste the code from login.asp, you need to change line 20 from '>%' to '<%'.

Fixed:
------
Line 19:
Line 20: <%
Line 21: End Sub

Adding protectedpage.asp - fix

Submitted by gbwisc23 on December 19, 2006 - 18:12.

Line 5 in the code is not showing up correctly if one copies and pastes... it needs to read:

If Session("UserLoggedIn") <> "true" Then

Question

Submitted by slg111875 on February 16, 2008 - 16:08.

I got everything working. However, I can bypass my login page and just type in URL http://www.XXXXXX/protectedpage.asp and still get to the protected page. Am I missing a step here? Once someone learns the link to the protected page, they don't have to know the username and password.

ABOVE CODE IS NOT THAT HELPFUL TO USE.

Submitted by tasam21 on May 27, 2008 - 10:03.

The code above had solved my problem but still has some problem there. As I type http://www.XXX.com/protectedpage.asp directly in the address bar, it shows up that page without asking for username and password, so I think that code is not so secure. Could you please guide me to overcome this problem? Thank You!

look at this sub

Submitted by couponsmarter on November 4, 2008 - 11:48.

look at this sub procedure
Sub CheckLogin
If LCase(Request.Form("username")) = "guest" And LCase(Request.Form("userpwd")) = "guest" Then
Session("UserLoggedIn") = "true"
Response.Redirect "protectedpage.asp"
Else
Response.Write("Login Failed.<br><br>")
ShowLogin
End If
End Sub
-------

Evolt.org is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author; please do not redistribute or use elsewhere without checking with the author.