
Protection of pages ASP using session variables

Example of ASP programming

Below is an example of how to protect access to the pages of a website using the ASP language. The example protects a single page, inizia.asp, using four ASP files: check.asp (the check included by every protected page), login.asp (the login form and credential check), destroy.asp (ends the session and shows the unauthorised-access message) and inizia.asp itself (the protected page).

The basic logic is simple: once the login has been verified, a session variable session("autorizzato") is set. It stays alive as long as the server keeps the session alive, and every protected page checks it on each visit.

For simplicity, all usernames and their passwords are kept in a plain text file, pasx.txt. In a real application this data is stored in a database, with the passwords stored hashed rather than in clear, so that a copy of the table does not reveal them.

The contents of the file pasx.txt are as follows.

prova~:~prova
test~:~test
tentativo~:~tentativo

where each line of the file holds one (userid, passwd) pair, the two fields separated by the three-character sequence ~:~.

The check is carried out by the script check.asp, which tests whether session("autorizzato") is set: if it is, the protected page is displayed; if not, the user is redirected to destroy.asp, which destroys the session and shows a message to the user (described later).

The contents of the check.asp file are shown below.

<%
' Included as the first line of every protected page.
' Unless response buffering is on (the IIS default), Response.Redirect
' fails once any output has been sent, so nothing may precede this include.
' Response.Redirect also ends script processing: the rest of the page is never sent.
if session("autorizzato") <> 1 then response.redirect("destroy.asp")
%>

Once session("autorizzato") has been set, any page that includes check.asp is displayed without problems. Every page to be protected must therefore contain the following line before any HTML output (in inizia.asp, shown below, it is the first line of the file, ahead of the DOCTYPE):

<!-- #include file="check.asp" -->

The login.asp script shows the user the login form (where the user name and password are entered) and checks that the values entered match one of the pairs in pasx.txt. If the user is authorised, he is redirected to the first protected page (here inizia.asp). Otherwise destroy.asp is executed, which deletes the contents of the open session and shows the user an unauthorised-access message.
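As an added illustration (not part of the original page, and not ASP code), the following Python models the pasx.txt lookup that login.asp performs. It contrasts a substring search of each line, as `InStr(linea, userid)` does, with an exact match of the userid field: the substring form matches "est" against the "test" line, matches the separator itself, and matches an empty userid against the first line, so the user name check degrades to "guess any one password". The file content is constructed inline and mirrors the page's three pairs plus a blank line.

```python
"""Model of the pasx.txt credential lookup done by login.asp (added example).

Stand-alone illustration, not ASP code: the constructed sample below has the
same three pairs as the page's pasx.txt plus a blank line, which real files
often contain and which a naive lookup must tolerate.
"""
import hmac

SEPARATOR = "~:~"

# Constructed sample input (same pairs as the page's pasx.txt, plus a blank line).
SAMPLE_PASX = "prova~:~prova\n\ntest~:~test\ntentativo~:~tentativo\n"


def parse_pasx(text):
    """Return {userid: password} from pasx.txt content.

    Lines without the separator (blank lines, stray text) are skipped instead
    of crashing the lookup; a duplicate userid keeps the first entry, as a
    top-to-bottom line scan would.
    """
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if SEPARATOR not in line:
            continue
        userid, password = line.split(SEPARATOR, 1)
        userid = userid.strip()
        if userid and userid not in users:
            users[userid] = password.strip()
    return users


def substring_lookup(text, userid):
    """The weak strategy: first line that contains userid anywhere.

    Mirrors VBScript's InStr(linea, userid) > 0, including the case of an
    empty userid, which InStr (and Python's 'in') treats as present in every
    line.  Returns the matched line, or None.
    """
    for line in text.splitlines():
        if userid in line:
            return line
    return None


def check_login(text, userid, passwd):
    """Exact-match verification.

    The userid must equal a stored userid field exactly (case-sensitive),
    and the password must equal that user's password; the comparison is
    constant-time so timing does not leak how many characters matched.
    """
    users = parse_pasx(text)
    stored = users.get(userid)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), passwd.encode("utf-8"))
```

`substring_lookup` exists only to make the weakness visible; `check_login` is the behaviour the login script should have. Hashing the stored passwords, as the text recommends, would change only the last line: compare a hash of `passwd` against the stored hash instead of the clear values.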

The contents of the login.asp file are as follows.

<%
' Already logged in: go straight to the protected page.
if session("autorizzato") = 1 then response.redirect("inizia.asp")
' Read only the POSTed form fields: the bare Request("...") collection
' would also accept values from the query string and cookies.
invio = Request.Form("invio")
if (invio = "invio") then
	userid = Trim(Request.Form("userid"))
	passwd = Request.Form("passwd")
	percorsopasx = Server.MapPath("testi/pasx.txt")
	Set oggettoFileSystem = Server.CreateObject("Scripting.FileSystemObject")
	Set oggettoFile = oggettoFileSystem.OpenTextFile(percorsopasx, 1)
	trovato = false
	password = ""
	' Compare the userid field exactly (binary, case-sensitive).
	' A substring test such as InStr(linea, userid) would match "est"
	' against the "test" line and an empty userid against the first line.
	do while not(oggettoFile.AtEndOfStream) and not(trovato)
		linea = oggettoFile.ReadLine
		userdata = Split(linea, "~:~", -1, vbBinaryCompare)
		' Skip blank or malformed lines (no separator, so no second field).
		if UBound(userdata) >= 1 then
			if (userid <> "") and (StrComp(Trim(userdata(0)), userid, vbBinaryCompare) = 0) then
				trovato = true
				password = Trim(userdata(1))
			end if
		end if
	loop
	oggettoFile.Close
	Set oggettoFile = nothing
	Set oggettoFileSystem = nothing
	if (trovato) and (StrComp(passwd, password, vbBinaryCompare) = 0) then
		session("autorizzato") = 1
		response.redirect("inizia.asp")
	else
		response.redirect("destroy.asp")
	end if
else
' HTML %>
<table border="0" cellspacing="0" cellpadding="4" bgcolor="#FF0000">
  <tr>
    <td>
      <form method="post" action="login.asp">
      enter your user name and password
        <table width="300" cellpadding="4" cellspacing="1" align="center">
          <tr>
            <td>
              user name: 
            </td>
            <td>
              <input type="text" name="userid">
            </td>
          </tr>
          <tr>
            <td>
              password: 
            </td>
            <td>
              <input type="password" name="passwd">
            </td>
         </tr>
         <tr>
            <td colspan="2">
              <!-- the submit value "invio" is what the script above tests for -->
              <input type="submit" name="invio" value="invio">
              &nbsp;&nbsp;
              <input type="reset" name="cancella" value="cancella">
            </td>
         </tr>
       </table>
     </form>
   </td>
  </tr>
</table>
<% ' end of HTML
End if
%>

The contents of the destroy.asp file are as follows.

<%
' Mark the session as not authorised and discard it. Session.Abandon takes
' effect when this page finishes processing, so the next request starts a
' new session in which session("autorizzato") is not set.
session("autorizzato") = -1
Session.Abandon
%>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title> LogOut </title>
<meta name="Generator" content="EditPlus">
<meta name="Author" content="">
<meta name="Keywords" content="">
<meta name="Description" content="">
</head>
<body>
<h3>Reserved area - access not authorised</h3>
<br>
please <a href="login.asp">log in</a>
</body>
</html>

In general, a session ends in one of three ways: the server discards it after Session.Timeout minutes without requests (20 by default), destroy.asp abandons it explicitly, or the user closes the browser. Note that closing the browser only discards the session cookie on the client: the server-side session, and the session("autorizzato") value in it, stay alive until the timeout expires. This is why destroy.asp is used when the session must be ended at once.

The scripts in this brief example are obviously not complete and must be integrated properly into the pages of the website. Below is an example of a page protected by the session variable, inizia.asp.

<!-- #include file="check.asp" -->
<!-- the include above must stay the first line: the redirect in check.asp runs before any of this HTML is sent -->

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title> Test page - ASP login </title>
<meta name="Keywords" content="">
<meta name="Description" content="">
</head>
<body>
Example: login successful
</body>
</html>