In part I, we created simple password protection for a single user to protect part of a website. Now we will explore how to add error messages, allow users to log out and log in again, and query a database for the user name and password entered.

Updating the current script

First of all, we are building on the code already produced in part I. Find the following code in login.asp from part I:

login.asp

    If Request.Form("login") = "true" Then
        CheckLogin
    Else
        ShowLogin
    End If

And replace it with:

    login = Request.Form("login")

    If login = "logout" Then
        Session("UserLoggedIn") = ""
        ShowLogin
    Else
        If Session("UserLoggedIn") = "true" Then
            AlreadyLoggedIn
        Else
            If login = "true" Then
                CheckLogin
            Else
                ShowLogin
            End If
        End If
    End If

Next we will add the subroutine AlreadyLoggedIn to tell the user they are logged in and ask if they want to logout/login again.

    <%
    Sub AlreadyLoggedIn
    %>
    You are already logged in.
    Do you want to logout or login as a different user?
    <form name=form2 action=login.asp method=post>
    <input type=submit name=button1 value="Yes">
    <input type=hidden name=login value="logout">
    </form>
    <%
    End Sub
    %>

Error Checking

Now, to add error checking, we need to declare a global error message variable, add code to format the error message, and print out the message if needed.

Declare the variable to hold the error message near the top of the login page.

Dim Error_Msg

And we add this little bit of code to the beginning of the login form. This will print out an error message if there is one.

Response.Write(Error_Msg & "<br>")

What about other users?

Well, now all that is left to do is add the code that checks the user name and password against a database. In order to do this, we will rewrite the CheckLogin subroutine from Part I.

    Sub CheckLogin
        If LCase(Request.Form("username")) = "guest" And LCase(Request.Form("userpwd")) = "guest" Then
            Session("UserLoggedIn") = "true"
            Response.Redirect "protectedpage.asp"
        Else
            Response.Write("Login Failed.<br><br>")
            ShowLogin
        End If
    End Sub

will now look like this: (assuming you use an Access Database - change the connections if different)

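    Sub CheckLogin
        Const adCmdText = 1, adParamInput = 1, adVarChar = 200 'ADO constants
        Dim Conn, Cmd, cStr, sql, RS, username, userpwd

        'Access text fields hold at most 255 characters
        username = Left(LCase(Request.Form("username")), 255)
        userpwd = Left(LCase(Request.Form("userpwd")), 255)

        Set Conn = Server.CreateObject("ADODB.Connection")
        cStr = "DRIVER={Microsoft Access Driver (*.mdb)};"
        cStr = cStr & "DBQ=" & Server.MapPath("\path\to\database.mdb") & ";"
        Conn.Open(cStr)

        'The ? placeholders keep the submitted values out of the SQL text,
        'so a quote in the user name or password cannot alter the query
        sql = "select username from UserTable where username = ? and userpwd = ?"
        Set Cmd = Server.CreateObject("ADODB.Command")
        Set Cmd.ActiveConnection = Conn
        Cmd.CommandType = adCmdText
        Cmd.CommandText = sql
        Cmd.Parameters.Append Cmd.CreateParameter("username", adVarChar, adParamInput, 255, username)
        Cmd.Parameters.Append Cmd.CreateParameter("userpwd", adVarChar, adParamInput, 255, userpwd)
        Set RS = Cmd.Execute

        If RS.BOF And RS.EOF Then
            Error_Msg = "Login Failed. Try Again."
            ShowLogin
        Else
            Session("UserLoggedIn") = "true"
            Response.Redirect "protectedpage.asp"
        End If
    End Sub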

We also need to take out the line of code that sets the Session variable equal to "". What this did was logout our user anytime they pulled up the login page. The code is:

Session("UserLoggedIn") = ""

And that's it. Your pages are now protected and multiple users can access them.

The Scripts in full

login.asp

    <%
    Response.Expires = -1000 'Makes the browser not cache this page
    Response.Buffer = True 'Buffers the content so our Response.Redirect will work

    Dim Error_Msg

    login = Request.Form("login")

    If login = "logout" Then
        Session("UserLoggedIn") = ""
        ShowLogin
    Else
        If Session("UserLoggedIn") = "true" Then
            AlreadyLoggedIn
        Else
            If login = "true" Then
                CheckLogin
            Else
                ShowLogin
            End If
        End If
    End If

    Sub ShowLogin
        Response.Write(Error_Msg & "<br>")
    %>
    <form name=form1 action=login.asp method=post>
    User Name : <input type=text name=username><br>
    Password : <input type=password name=userpwd><br>
    <input type=hidden name=login value=true>
    <input type=submit value="Login">
    </form>
    <%
    End Sub

    Sub AlreadyLoggedIn
    %>
    You are already logged in.
    Do you want to logout or login as a different user?
    <form name=form2 action=login.asp method=post>
    <input type=submit name=button1 value="Yes">
    <input type=hidden name=login value="logout">
    </form>
    <%
    End Sub

    Sub CheckLogin
        Const adCmdText = 1, adParamInput = 1, adVarChar = 200 'ADO constants
        Dim Conn, Cmd, cStr, sql, RS, username, userpwd

        'Access text fields hold at most 255 characters
        username = Left(LCase(Request.Form("username")), 255)
        userpwd = Left(LCase(Request.Form("userpwd")), 255)

        Set Conn = Server.CreateObject("ADODB.Connection")
        cStr = "DRIVER={Microsoft Access Driver (*.mdb)};"
        cStr = cStr & "DBQ=" & Server.MapPath("\path\to\database.mdb") & ";"
        Conn.Open(cStr)

        'The ? placeholders keep the submitted values out of the SQL text,
        'so a quote in the user name or password cannot alter the query
        sql = "select username from UserTable where username = ? and userpwd = ?"
        Set Cmd = Server.CreateObject("ADODB.Command")
        Set Cmd.ActiveConnection = Conn
        Cmd.CommandType = adCmdText
        Cmd.CommandText = sql
        Cmd.Parameters.Append Cmd.CreateParameter("username", adVarChar, adParamInput, 255, username)
        Cmd.Parameters.Append Cmd.CreateParameter("userpwd", adVarChar, adParamInput, 255, userpwd)
        Set RS = Cmd.Execute

        If RS.BOF And RS.EOF Then
            Error_Msg = "Login Failed. Try Again."
            ShowLogin
        Else
            Session("UserLoggedIn") = "true"
            Response.Redirect "protectedpage.asp"
        End If
    End Sub
    %>

protectedpage.asp

    <%
    Response.Expires = -1000 'Makes the browser not cache this page
    Response.Buffer = True 'Buffers the content so our Response.Redirect will work

    If Session("UserLoggedIn") <> "true" Then
        Response.Redirect("login.asp")
    End If
    %>

This page is full of password protected content. If you are reading this you entered <br>

the correct name and password.