Logins and Permissions, Part 3
By Peter McMahon
Read Part 1
Read Part 2
In Part 2 we looked at creating a menu based upon the person who was
logged in. In this part, we'll look at how to secure our "sensitive" Web pages so that users cannot slip past
our login screen and view information they're not supposed to see!
Securing the Pages
The login method described above is utterly useless unless you individually secure each page. Without that, the script is no more effective than a client-side JavaScript login that
simply redirects the user after a successful login: nothing stops anyone from going directly to the main page, or to any of the other pages that are supposedly secured. The secret to preventing this
is being able to check whether the user has logged in. A session variable is possibly the best way to check whether the user has recently logged in and what permissions they have. The session
variable Status is set in the login script (only if you log in successfully, of course); if you do not log in, the session variable will not be set. Each secure page therefore needs a few short
lines that check whether the user has logged in and, if not, redirect them to the login page, so that they never see the contents of the secured page. Here's the code used:
<%
Response.Buffer = True
If Session.Contents("status") <> "Administrator" Then
Response.Redirect "login.html"
End If
%>
<HTML>
...Rest of HTML/ASP code here...
This needs to be placed at the top of every page that needs to be secured. You could reduce this to one line by using a server-side include: create a file named secure.inc containing the following code:
<%
Response.Buffer = True
If Session.Contents("status") <> "Administrator" Then
Response.Redirect "login.html"
End If
%>
And then this code at the top of each page:
<!-- #INCLUDE FILE="secure.inc" -->
Another important factor is the actual status value being checked. In the above example, only users who have logged in as an Administrator will be allowed to access the page. This could be replaced
with any of the other classes or groups of users you may have, such as customers and salespersons, like this:
<%
Response.Buffer = True
If Session.Contents("status") <> "Customer" Then
Response.Redirect "login.html"
End If
%>
Your administrative users will generally be allowed to view everything on the site, so you must add another condition to the If statement, allowing two user classes to access that particular page. It is
simply a matter of adding AND Session.Contents("status") <> "Administrator" to the If statement, like this:
<%
Response.Buffer = True
If Session.Contents("status") <> "Customer" AND _
Session.Contents("status") <> "Administrator" Then
Response.Redirect "login.html"
End If
%>
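The same check, generalised into a reusable secure.inc that takes an allow-list of roles instead of one hand-written If statement per page. This is an added example, not the article's own code: the including page sets a variable named AllowedRoles (an assumed name) before the include; the file name secure.inc, the session variable "status" and the login.html redirect target are taken from the article.

```asp
<%
' secure.inc (added example). Include at the top of each protected page, after
' the page has set AllowedRoles (assumed name) to a comma-separated list, e.g.:
'   <% AllowedRoles = "Customer,Administrator" %>
'   <!-- #INCLUDE FILE="secure.inc" -->
Response.Buffer = True

' Returns True only when the session status exactly matches one of the
' allowed roles. vbBinaryCompare keeps the comparison case-sensitive, so a
' status of "administrator" does not pass a check for "Administrator".
Function IsAllowed(status, allowedList)
    Dim roles, i
    IsAllowed = False
    ' A user who never logged in has no session value at all (Empty).
    If IsEmpty(status) Or IsNull(status) Then Exit Function
    roles = Split(allowedList, ",")
    For i = 0 To UBound(roles)
        If StrComp(Trim(roles(i)), status, vbBinaryCompare) = 0 Then
            IsAllowed = True
            Exit Function
        End If
    Next
End Function

' Fail closed: a page that forgets to set AllowedRoles is admin-only.
If IsEmpty(AllowedRoles) Then AllowedRoles = "Administrator"

If Not IsAllowed(Session.Contents("status"), AllowedRoles) Then
    Response.Redirect "login.html"
End If
%>
```

Note that IIS serves a .inc file as plain text if someone requests it by URL, so give include files an .asp extension or keep them outside the Web root.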
This code provides a very basic, yet secure login solution. If, however, you'd like something a little more secure, then read Part 4!
Read Part 4!