How to keep user logged in for session with ASP pages

  • jerrydigital
    New Member
    • Oct 2008
    • 67

    How to keep user logged in for session with ASP pages

    Hello,

    I am in the final stages of creating my webpage. I have a login page that takes the user to their "Account Page". From there, they can "Edit User Info" and then return to the "Account Page".

    Currently, the user needs to login to get to the "Account Page", then they click the "Edit" button and have to login again to "Edit User Info". Once they edit their info, they have to login again to get back to the "Account Page".

    How do I code my pages so that once the user logs in, they are allowed to navigate the site without having to login each time they try to access a secured page?

    Also, how do I allow them to log out if they are done?

    I have been reading about Session variables and the global.asa page but am confused right now.

    Any thoughts are much welcomed.

    Thanks - Jerry
  • GazMathias
    Recognized Expert New Member
    • Oct 2008
    • 228

    #2
    When you log your user in, create some session variables that you check in code. I usually record their ID number (so I can log transactions against them), their name (so I can display it to them on screen, like Logout(Gaz)), and finally their userlevel (for system functionality).

    Code:
    ' ... previous code to authenticate user
    ' ... if user has authenticated:
    session("username") = rs("shortname")
    session("userid") = rs("userid")
    session("userlevel") = rs("userlevel")
    Then, in all pages requiring login access:
    Code:
    <%
    myuserLevel=3 ' we set a security rating for this page. any user with a rating less than this will be refused access.
    %>
    <!--#include file="inc/rights.asp"-->
    rights.asp:
    Code:
    <% 
    If session("userlevel") = "" or session("userlevel") < myuserLevel then
        session("referrer") = Request.ServerVariables("URL") & "?" & Request.Querystring ' We record this page so the user gets redirected back here after login.
        response.redirect("login.asp")
    End if
    %>
    That will make the user security persist. If a user is required to login, he is directed to the login page, and it remembers the page he came from. If he is logged in already, then it's fine and dandy.

    After we log the user in, we check if he was referred from a previous page:

    Code:
    If session("referrer") = "" then
        response.redirect("index.asp")
    else
        response.redirect(session("referrer"))
    End If
    If he was not, he goes to the designated page.

    And finally we log the user out by calling a very simple logout script:

    Code:
    <%
    Session.Contents.RemoveAll() ' do regardless, THEN
    response.redirect("index.asp") 'bounce them back to the index page.

    ' OR (instead of the redirect):

    ' Response.write("Thank you, you have been logged out, blah, blah blah")

    %>
    I've only illustrated the basic concepts here, you can get away with all of that by just including the user's ID or username and check that in your pages.

    Hope that clarifies it for ya!

    Gaz.


    • jerrydigital
      New Member
      • Oct 2008
      • 67

      #3
      Thanks Gaz. This is very helpful.

      I am a novice programmer at best. Can you clear a few things up for me?

      I have a login.html page that allows the user to enter their email address and password.

      When they submit, it goes to logged.asp. This page currently verifies the user information and if it is correct, this same page shows the user account page with information from my database.
      Then, from this page, they can go to edit.asp.

      Pretty small webpage but I would like the user to be able to go back and forth to these two pages without having to log in every time they visit each page.

      So, should I enter:
      Code:
      session("email") = rs("email") 
      session("myuserlevel") = rs("myuserlevel")
      on the logged.asp page or should I make the original login.html page an asp page and enter it there. (If so, where on the page should this code go?)

      Then, should I simply enter:
      Code:
      myuserLevel=3
      <!--#include file="inc/rights.asp"-->
      on the top of both the logged.asp and edit.asp pages?

      Lastly, I don't really understand where the myuserLevel variable comes from.
      Does it automatically go to 3 when the user logs in?

      I apologize for being so out of touch with ASP but I am learning thanks to people like yourself.

      Jerry


      • GazMathias
        Recognized Expert New Member
        • Oct 2008
        • 228

        #4
        Hi Jerry,

        I was illustrating some of the concepts I use - myuserLevel (per page) and userlevel (per user) in general. I use them as a way of showing or hiding pages, menu items and other things based on a user's rights. For example on corporate intranets, managers would have a higher user level and would see items that other staff members can not.

        For your purposes, you don't really need to use user levels, you simply need to check if one session variable is set, I guess for you this would be the user's ID.

        So your logged.asp page, the one that verifies the user's details, would set the variable after it has found their details.

        One way would be to split the logged page into two. One that logs them in and one that shows them their profile, and then make that page and the edit page redirect them to the login one if they are not logged in.

        So at the top of the two profile pages:

        Code:
        If session("somevariable") = "" Then
          response.redirect("loginpage.asp")
        End If
        ...rest of content
        You may also want to think about combining the login page with the logged one.

        Think of it this way: If the user was just on this page, and he pressed submit, bttnSubmit would = "Submit" in the querystring. If that is the case, process their login, otherwise show them the login form, whose action is the same page.

        This can also apply to combining the profile pages into one, too.

        Structured like this:

        Select statement.

        Check status of submit -> if = "submit"
        ..
        ..
        rs("somevariable") = somevariablefrompost
        rs.update
        redirect to this page.

        Else
        Form whose action equals this page.
        fields populated with values from recordset.
        End If

        Maybe that's a bit too much info at this point!

        Gaz.


        • jerrydigital
          New Member
          • Oct 2008
          • 67

          #5
          Thanks again for all your help Gaz.

          Here is what I have so far. I declared the session variable on my loggedin.asp page that is called when the user logs in on my login.html page. The following code is towards the end of my page after the user is verified.

          Code:
          <%
          session("email") = objRS("email")
          
          If (session("email")) = objRS("email") then
          Response.Redirect("accountpage.asp")
          End If
          %>
          That takes me to my account page with the following session variable placed at the top of my page as seen below:

          Code:
          <%@ Language=VBScript %>
          <% Option Explicit %>
          <!--#include virtual="/adovbs.inc"-->
          
          <%
          If session("email") = "" Then
              Response.Redirect "login1.html"
          End If
          %>

          When I hit the logout button, it takes me to my logout.asp page but I can still type in the url or back button and it takes me back to my accountpage with the user information showing. However, if I hit a link to go to the account page or edit user page, it takes me directly to the login page. So, I believe it is working except for when you type in the exact url or hit the back button. If I wait the 20 minutes, I have to login again. How do I make it so if the back button or url is hit, I am taken to the login page after the user logs out?

          Here is my logout.asp page code:

          Code:
          <%
          Session.Abandon
          %>
          Any thoughts?

          Thanks - Jerry

          Comment
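The guard include and logout script from #2, with response headers added that ask the browser not to keep a copy of protected pages; a stored copy being redisplayed is one common reason a page reappears on Back or a typed URL after logout, as described in #5. This is an added example, not code posted by anyone in the thread, and it assumes the login page sets Session("userid") as in #2 and that the file names follow the thread's (inc/rights.asp, login.asp, logout.asp, index.asp).

```asp
<%
' --- inc/rights.asp (added example) ---------------------------------
' Include this as the first thing on every protected page, before any
' HTML is written, so the headers and the redirect can still be sent.

' Ask the browser and any proxy not to keep a copy of the page, so the
' Back button or a typed URL makes a fresh request that reaches the
' session check below instead of redisplaying a stored copy.
Response.Expires = -1
Response.CacheControl = "no-store, no-cache, must-revalidate"
Response.AddHeader "Pragma", "no-cache"

' Not logged in: remember where the user was going, then send them to
' the login page. The value comes from the server's own URL variable,
' so the later redirect back always stays on this site.
If Session("userid") = "" Then
    Session("referrer") = Request.ServerVariables("URL")
    If Request.QueryString <> "" Then
        Session("referrer") = Session("referrer") & "?" & Request.QueryString
    End If
    Response.Redirect "login.asp"
End If
%>

<%
' --- logout.asp (added example) --------------------------------------
Response.Expires = -1
Response.CacheControl = "no-store, no-cache, must-revalidate"

Session.Contents.RemoveAll   ' clear the login variables right away
Session.Abandon              ' destroy the session when this page ends
Response.Redirect "index.asp"
%>
```

Pages that were stored by the browser before these headers were in place can still be redisplayed until that stored copy is cleared.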

          • jerrydigital
            New Member
            • Oct 2008
            • 67

            #6
            Sorry for so many posts.

            I have the session variable working to a degree. It shows my user id up top as I navigate the website. However, I am encountering a huge problem. It doesn't matter who logs in, it always shows the first person in the database's information.

            I declared my session variable like this:

            Code:
            session("email") = objRS("email")
            I believe that "email" is coming from the login.html form page where the text box is named "email". Is this correct?

            I'll continue to work on this throughout the night but if anyone understands why I am having this trouble, please let me know. Thanks in advance

            Jerry
