username and password ....

This topic is closed.
  • Matt

    username and password ....

    Hiya
    I have to develop a web application for my company in
    which I need to have a facility for username and password
    for the employees to do certain tasks. How can this be
    implemented in ASP? I am thinking of having usernames and
    passwords (encrypted) in database and when a person tries
    to log in, the script will compare those stored in database
    to the values entered by user. But after the user has
    logged in, how can I make sure that the user is always
    logged in as the user moves from one page to another? Also, how
    do I make sure that the user is logged out properly?
    Basically my main concern is that no unauthorized user can
    access any part of that web app.
    Any ideas will be highly appreciated.
    Thanks,
    Matt.

  • Peter Foti

    #2
    Re: username and password ....

    "Matt" <matt@discussions.microsoft.com> wrote in message
    news:045801c3ce61$b5d9b840$a301280a@phx.gbl...
    > Hiya
    > I have to develop a web application for my company in
    > which I need to have a facility for username and password
    > for the employees to do certain tasks. How can this be
    > implemented in ASP? I am thinking of having usernames and
    > passwords (encrypted) in database and when a person tries
    > to log in, the script will compare those stored in database
    > to the values entered by user. But after the user has
    > logged in, how can I make sure that the user is always
    > logged in as the user moves from one page to another? Also, how
    > do I make sure that the user is logged out properly?
    > Basically my main concern is that no unauthorized user can
    > access any part of that web app.
    > Any ideas will be highly appreciated.



    Regards,
    Peter Foti



    • Ray at

      #3
      Re: username and password ....

      Hi Matt,

      There are a number of things you can do here. For the login, is it
      necessary to give your application its own user account system? Nothing
      frightens users more than yet another username and password to remember. If
      you have a domain, I suggest using Windows authentication and managing your
      users by their usernames, or better yet, by their SIDs.

      As far as keeping unauthorized people out, if you use Windows
      authentication, you don't have to worry about people logging in and out and
      having sessions. Instead, you have to develop a system by which you can
      manage users' permissions or access. If your app is as simple as users have
      all access or no access, then it's a matter of having a DB with a list of
      user accounts that are authorized to the application. Or you can go a
      totally different route and have domain group membership determine which
      users are authorized to your application. Using group memberships will make
      things much simpler to manage, imo.

      JoeUser: "Can I have access to this application?"
      You: "Yes, one moment."
      net group MyApplicationGroup JoeUser /add /domain
      You: "Okay, go ahead. You have access now."


      And then within your application, create an include file that is in all your
      protected pages with a test like so:

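      <%

      If Not IsAuthorized Then Response.Redirect "/notauthorized.asp"


      Function IsAuthorized()
          ' WinNT ADsPath (DOMAIN/Group) of the group whose members may use the application
          Const GROUP_NAME = "YOURDOMAIN/MyApplicationGroup"
          Dim sAuthUser
          Dim oGroup, oUser

          ' Deny by default; only a positive membership test grants access
          IsAuthorized = False

          ' AUTH_USER is empty while anonymous access is still enabled
          sAuthUser = Request.ServerVariables("AUTH_USER")
          If Len(sAuthUser) > 0 Then
              ' AUTH_USER arrives as DOMAIN\user; the WinNT provider expects DOMAIN/user
              sAuthUser = Replace(sAuthUser, "\", "/")

              Set oGroup = GetObject("WinNT://" & GROUP_NAME & ",group")
              Set oUser = GetObject("WinNT://" & sAuthUser & ",user")
              IsAuthorized = oGroup.IsMember(oUser.ADsPath)
              Set oGroup = Nothing
              Set oUser = Nothing
          End If
      End Function

      %>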


      If you put that in an include and include it in all your pages, it will
      protect them (assuming I didn't screw up the code). In order for the
      AUTH_USER variable to be populated, you have to turn off anonymous access
      for your application within IIS. http://www.iisfaq.com/?View=A26 If I
      babbled, it's because I thought as I typed.

      Ray at work





      "Matt" <matt@discussions.microsoft.com> wrote in message
      news:045801c3ce61$b5d9b840$a301280a@phx.gbl...
      > Hiya
      > I have to develop a web application for my company in
      > which I need to have a facility for username and password
      > for the employees to do certain tasks. How can this be
      > implemented in ASP? I am thinking of having usernames and
      > passwords (encrypted) in database and when a person tries
      > to log in, the script will compare those stored in database
      > to the values entered by user. But after the user has
      > logged in, how can I make sure that the user is always
      > logged in as the user moves from one page to another? Also, how
      > do I make sure that the user is logged out properly?
      > Basically my main concern is that no unauthorized user can
      > access any part of that web app.
      > Any ideas will be highly appreciated.
      > Thanks,
      > Matt.
      >
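
The reply above also mentions a database list of accounts authorized to the application, without showing it. The include below is an added example of that variant, not code from the thread; the table `AuthorizedUsers`, its column `AccountName`, the connection string `CONN_STR` and the function name `IsOnAllowList` are assumptions made for illustration.

```asp
<%
' Added example: allow-list lookup for the Windows-authenticated account.
' Assumed schema (hypothetical): AuthorizedUsers(AccountName VARCHAR(256)),
' holding accounts in the same DOMAIN\user form that AUTH_USER reports.
Const CONN_STR = "Provider=SQLOLEDB;Data Source=DBSERVER;Initial Catalog=AppDb;Integrated Security=SSPI"
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

If Not IsOnAllowList() Then Response.Redirect "/notauthorized.asp"

Function IsOnAllowList()
    Dim sAuthUser, oConn, oCmd, oRs

    ' Deny unless the lookup positively finds the account
    IsOnAllowList = False

    ' Empty AUTH_USER means anonymous access is still enabled in IIS
    sAuthUser = Request.ServerVariables("AUTH_USER")
    If Len(sAuthUser) = 0 Then Exit Function

    ' Any database error must leave the result at False (fail closed)
    On Error Resume Next
    Set oConn = Server.CreateObject("ADODB.Connection")
    oConn.Open CONN_STR

    ' Parameterized query: the account name is never concatenated into SQL
    Set oCmd = Server.CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oConn
    oCmd.CommandType = adCmdText
    oCmd.CommandText = "SELECT COUNT(*) FROM AuthorizedUsers WHERE AccountName = ?"
    oCmd.Parameters.Append oCmd.CreateParameter("acct", adVarChar, adParamInput, 256, sAuthUser)
    Set oRs = oCmd.Execute

    ' Err keeps the first failure from the statements above until it is cleared
    If Err.Number = 0 Then
        If Not oRs.EOF Then IsOnAllowList = (oRs(0).Value > 0)
    End If

    If IsObject(oRs) Then oRs.Close
    If IsObject(oConn) Then oConn.Close
    Set oRs = Nothing
    Set oCmd = Nothing
    Set oConn = Nothing
    On Error GoTo 0
End Function
%>
```

As with the group check, this only works once anonymous access is turned off for the application, so that IIS populates `AUTH_USER`.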



      • Headdead03

        #4
        Re: username and password ....

        Matt, there is virtually no way of keeping people out of your application if they
        really want in it. Looks like a training issue to me.
