Read me
  1. Setup
  2. Page Descriptions
    • db_conn.asp
    • login.asp
    • register.asp
    • whatsthis.asp
    • success.asp
    • inc_email.asp
    • redirect_example.asp
    • admin.asp
  3. Protecting pages
  4. Advanced
  5. FAQ's
  6. Disclaimer


' ---------------------------
' Overview
' ---------------------------

Individual web pages are protected by identifying a user and checking to see if they are allowed access to view that page.
The check is performed by logging in and finding if the user exists in the database.
If someone tries to access a page without logging in, they get redirected to login as either their "session" or "cookie" does not yet exist.
By logging in, a "session" and a "cookie" are set.
Each page to be protected MUST be saved as *.asp so that the protection script will work.
Each page to be protected MUST have a script to identify the user (examples below).

' ---------------------------
' Setup
' ---------------------------

  • This login system is designed to be used with NT based servers and utilises Active Server Pages (asp).
  • Scripts must be enabled and you must have a directory for your database that is read/write.
  • The current directory structure must be retained. The files are recommended to be placed in the root of your web, but can be placed in their own directory. 
    The /includes and /images directories must be subdirectories of the folder that the root files are placed in.
  • db_conn.asp must be edited if your database is not placed in the default /fpdb/ directory

Steps to follow

  • Step 1 - Copy files (you've done that I guess!)
  • Step 2 - Check database diagnostics
  • Step 3 - Change Settings to suit requirements
  • Step 4 - Login as Spooky / Admin

  !  FrontPage
Files can be safely opened and edited with FrontPage 2000, but FIRST ensure that Tools > Page Options > HTML Source is set to "Preserve existing HTML".
Otherwise, all editing can be done in Notepad or similar.

' ---------------------------------------------
' db_conn.asp
' ---------------------------------------------

The current database status is listed in diagnostics.  Both read and write should read "OK"

  • Read
  • Write

' ---------------------------------------------
' login.asp
' ---------------------------------------------

Test Administrator Login :
Username = Spooky
Password = Admin

Test Login :
Username = Test
Password = Test

Login.asp has various triggers to enable features (set in the admin_system.asp file).
They are :

  • SendMail = True/False
    "True" enables the "Send me my password!" option for those with memories like a sieve. You must have a server-side ASP email component, like those listed in the script, installed on your server.
    It will not work locally on PWS.
  • UseCookie = True/False
    Allows details to be stored in a cookie. Used for auto-login and pre-filling form fields.
    The user must choose to store cookies. Full details can be stored in cookies by selecting "Extended fields" in the settings page.
  • ClearCookie = True/False
    Allow the User to clear existing cookies
  • Authenticate = True/False
    Enables email authentication. If register.asp is set up to send authentication / access links via email, then login will be denied unless the proper URL key is passed. Until then, the user will not be allowed to log in.
  • Auto_login = True/False
    When cookies are enabled, the user will automatically be authenticated if the details are correct and the user has allowed cookies with "use cookie".
    Auto-login isn't normally necessary if only cookies are used for authentication.
  • NT_AUTH = True/False
    Uses NT authentication to log in users. Assumes you have filled the database with valid NT account users.
    Passwords are not required and auto_login is automatically enabled.
    You must be using a NON-anonymous web and your user must have logged onto their PC.
    All this does is allow you to add additional information about the user, which can be retrieved from the database and used.
    This is currently disabled as it is mainly used in an intranet environment.
  • Redirecting from secure pages
    Where a user needs to be redirected to a login page (as they haven't logged in), passing a URL such as:

    Response.Redirect "login.asp?Redirect=Pagename.asp"
    (See "Protecting pages")

    will return them to the original page where access failed, after a correct login.
    With auto_login enabled, the user may not even notice the step occur.

The login page can be redesigned, as long as the form elements and the ASP code above the <head> tag remain.
It is also possible to post from a form on an HTML page TO the login.asp page to process your users' logins.
The form MUST contain 2 text boxes (Username, T2) and a hidden input "DoForm" with a value of "True".
If the login fails, login.asp will then be displayed.
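As an added example (this is not the project's own login.asp, whose code is not reproduced in this read me), here is what the login side can look like once the credential check has passed, together with the minimal form an external page must post. The Redirect value comes straight from the request, so the example only sends the user back to a path on this site and otherwise falls back to success.asp. The function names SafeRedirectTarget and FinishLogin and the optional hidden Redirect field are assumptions of the example; the session variable names are the ones documented under "Protecting pages".

```asp
<%
' Added example, not the project's own login.asp.
' Shows (1) a guarded redirect back to the page the user originally asked
' for and (2) the external form that posts to login.asp.
' Assumed names: SafeRedirectTarget, FinishLogin, the hidden "Redirect" field.
Response.Buffer = True

' The Redirect value arrives from the query string or the form, so it is
' user input. Only a path on this site is accepted; anything else falls
' back to the default results page.
Function SafeRedirectTarget(target, fallback)
    Dim t
    t = Trim("" & target)            ' "" & guards against Null/Empty
    SafeRedirectTarget = fallback
    If t = "" Then Exit Function
    ' Reject any ':' (covers http:, javascript: and the like), backslashes
    ' (IE reads /\host as //host) and the //host form.
    If InStr(t, ":") > 0 Or InStr(t, "\") > 0 Then Exit Function
    If Left(t, 2) = "//" Then Exit Function
    ' No header-splitting characters in a Location header.
    If InStr(t, vbCr) > 0 Or InStr(t, vbLf) > 0 Then Exit Function
    ' A bare page name (Redirect=Pagename.asp) is made root-relative,
    ' since this read me assumes login.asp lives in the web root.
    If Left(t, 1) <> "/" Then t = "/" & t
    SafeRedirectTarget = t
End Function

' Called only after the project's credential check (not reproduced here)
' has confirmed the user. Sets the session variables documented under
' "Protecting pages" and returns the user to the original page.
Sub FinishLogin(userName, accessLevel, isAdmin)
    Dim target
    Session("UserName") = userName
    Session("AccessLevel") = accessLevel
    If isAdmin Then
        Session("Admin") = "True"
    Else
        Session("Admin") = "False"
    End If
    target = Request.QueryString("Redirect")
    If target = "" Then target = Request.Form("Redirect")   ' if your form carries it
    Response.Redirect SafeRedirectTarget(target, "/success.asp")
End Sub
%>
<!-- Form on any HTML page that posts to login.asp. The two text boxes
     (Username, T2) and the hidden DoForm=True are the fields login.asp
     requires, as described above. -->
<form method="post" action="/login.asp">
  Username: <input type="text" name="Username"><br>
  Password: <input type="password" name="T2"><br>
  <input type="hidden" name="DoForm" value="True">
  <input type="submit" value="Login">
</form>
```

Rejecting every colon is deliberate: it keeps the check short and also drops the rare site path that legitimately contains one, in which case the user simply lands on success.asp instead of the original page.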

' ----------------------------------------------------
' Register.asp
' ----------------------------------------------------

This file allows your Users to register themselves, or you can enter registrations for them.
The page asks for a minimal amount of user information, such as:

  • User name - Unique names are enforced
  • Password - The password you will use to access
  • Confirm - To prevent mistyping
  • First and last names
  • Email address - Emails are checked for correctness
  • Show email address - You can choose to have your address displayed (must be configured in your code)
  • User information, address, State, City etc

The required fields can be set in the administration settings pages, and you can also choose which fields to display.
Obviously, Username and Password are required.
If the administration settings are set to "Authenticate" then the email address is also forced as required.

Updating Users records

Register.asp is also used to allow users to update their profile (if configured).
A hyperlink to the registration page of the form register.asp?UserUpdate=True is required to activate it.

' ----------------------------------------------------
' pop_whatsthis.asp
' ----------------------------------------------------

Pop-up window that is used to explain the cookie and email password features.

' ----------------------------------------------------
' pop_features.asp
' ----------------------------------------------------

Pop-up window that is used to explain the features used in the admin section.
Note: this information is accessed by clicking on the feature text in admin_users / admin_system.

' ---------------------------------------------------
' success.asp
' ---------------------------------------------------

Welcome page or error page, depends on setup.

It's the default page used, but can be redesigned or replaced as need be.
It is not a secure page, merely a results page. From here you can welcome or redirect visitors.

' ---------------------------------------------------
' inc_email.asp
' ---------------------------------------------------

Listing of all popular email component scripts.
You may need to contact your host or check their support pages to see what email component they use if no email component is detected.
The currently available components are detected in diagnostics.

There are a couple of variables that need changing in the settings page to allow mail to be sent:

strServer - Your email server (not always needed - depends on the component). Your host will have this information. It is the SMTP server address that your email component uses.
Normally it will be something like smtp.YourDomain.com.

strFrom - Admin email address (yours!). Be aware that some email components require the "from" email address to be from that domain.

All email formatting is carried out by the text files in the includes/email_templates/ directory.
You can personalise these files to suit your needs.
There is a read me in that directory with more information.

' ----------------------------------------------------
' redirect_example.asp
' ----------------------------------------------------

Demonstration of how redirect and/or auto_login works.
The session variable is cleared each time with a Session.Abandon call.
It's a good way of testing your security level or access settings.

' ----------------------------------------------------
' admin_users.asp
' admin_system.asp
' ----------------------------------------------------

Both pages have help files available by clicking on the text name next to the option boxes.
pop_features.asp is the help file that is used.

' ----------------------------------------------------
' Protecting pages
' ----------------------------------------------------
Protection is given on a per-page basis by a session-based variable.

Here's a simple script to add to the top of your ASP pages to protect them. IT ONLY WORKS WITH ASP PAGES!! :c)
It assumes login.asp is in the root directory.
The minimum protection is to check that Username is not empty.

Each page that needs to be secure must have the script before the <html> tag in code view.

TIP - When pasting into FrontPage (HTML view), always paste formatted text like this into Notepad first and then cut and paste into FrontPage, to ensure HTML code is not added by mistake.

<%
Response.buffer=True
If Session("UserName") = "" Then 
Response.redirect "/login.asp?Redirect=" &Request.Servervariables("URL")
End if
%>

<html> etc....

The available session variables are :

Session("AccessLevel")  = "0-9 or Alphanumeric to 10 characters" 
Session("UserName") = "UserName" (Case sensitive)
Session("Admin") = "True/False"

To allow access based on user levels or admin status, modify the session variable and value checked in the simple script.
Any combination of these variables can be used.

Access level based entry

Pages can be restricted to the Access level setting like so :

<%
Response.buffer=True
If Session("AccessLevel") <> "3" Then
Response.redirect "/login.asp?Redirect=" &Request.Servervariables("URL")
End if
%>

Admin entry

Restrict page access to Admins only:

<%
Response.buffer=True
If Session("Admin") <> "True" Then
Response.redirect "/login.asp?Redirect=" &Request.Servervariables("URL")
End if
%>

Cookie / Session Entry

To save database resources, using a cookie check will speed up the checking process. If the session is empty, the user will still be redirected to the login page. This is the preferred method, as Access databases can be hit hard when used in a web environment by more than 30 concurrent users.
NOTE : The name of the cookie can be modified in a_config.asp.

<%
Response.buffer=True
If Session("UserName") = "" AND Request.cookies("Spooky")("T1aUs") = "" Then 
Response.redirect "/login.asp?Redirect=" &Request.Servervariables("URL")
End if
%>

<html> etc....

Include pages

A method that reduces the amount of future page editing, is to use an include page to check the user has rights to view the page.
To do this, you would save the script of your choice (from above) as an asp page on your web site. 
The root directory is as good as any.

Now in the head of your page, in HTML view, place this code :

<!-- #include virtual="/yourFileName.asp" -->  

There is a ready-made example in the 'examples' folder called 'inc_protection.asp'.
This file checks the Session, the cookie and the expiry settings.
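The following is an added example of such an include, written for this read me; it is not the project's inc_protection.asp (the expiry check that file performs is not covered here, since the expiry field is not documented above). It folds the three scripts from this section into one file: the session check, a list of permitted access levels with admins always allowed, and the redirect back to login.asp with the original page and its query string URL-encoded. Note that a "Spooky" cookie is simply a value the browser sent, so the example treats the session as the authoritative check and leaves it to login.asp's auto_login to re-establish a session from the cookie, which matches the note above that a user with an empty session is still redirected. The variable name allowedLevels and the function names are assumptions of the example.

```asp
<%
' Added example of a protection include, not the project's inc_protection.asp.
' Save as e.g. /inc_protect.asp and pull it in with
'   <!-- #include virtual="/inc_protect.asp" -->
' Assumptions: session variable names as listed above; the including page
' may assign allowedLevels before the include line, otherwise the default
' below applies (the include does not Dim it, to avoid a redefinition).
Response.Buffer = True
Response.Expires = -1            ' protected content should not be cached

' Access levels that may view this page. Session("AccessLevel") holds
' "0-9 or Alphanumeric to 10 characters", so compare as strings.
If IsEmpty(allowedLevels) Then allowedLevels = Array("3", "4")

Function LevelAllowed(level, levels)
    Dim i
    LevelAllowed = False
    For i = LBound(levels) To UBound(levels)
        ' Case-sensitive comparison, like Session("UserName")
        If StrComp("" & level, levels(i), vbBinaryCompare) = 0 Then
            LevelAllowed = True
            Exit Function
        End If
    Next
End Function

' The page the user asked for, with its query string, so login.asp can
' send them straight back after a correct login (or a silent auto_login).
Function RequestedPage()
    Dim qs
    RequestedPage = Request.ServerVariables("URL")
    qs = Request.ServerVariables("QUERY_STRING")
    If qs <> "" Then RequestedPage = RequestedPage & "?" & qs
End Function

' 1. Not logged in: the session is the authoritative check. A cookie on its
'    own is only a value the browser sent; login.asp's auto_login is what
'    turns it back into a session, so send the user there.
If Session("UserName") = "" Then
    Response.Redirect "/login.asp?Redirect=" & Server.URLEncode(RequestedPage())
End If

' 2. Logged in but not entitled: admins always pass, otherwise the level
'    must be in allowedLevels. Send an authenticated user to the results
'    page rather than bouncing them back to the login form.
If Session("Admin") <> "True" Then
    If Not LevelAllowed(Session("AccessLevel"), allowedLevels) Then
        Response.Redirect "/success.asp"
    End If
End If
%>
```

Response.Redirect ends the response, so nothing below the include is sent once either branch fires; Response.Buffer = True at the top is what allows the redirect to be issued after other output has started.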

' ---------------------------------------------------------
' Advanced
' ---------------------------------------------------------

Additional advanced features can be configured in the a_config.asp file.
They are :

  • Page names for login / register (if changed)
  • How long to retain User history
  • Which records to keep,  all or latest unique login
  • Timeout of login (When Unique users are selected)
  • Maximum number of logins allowed by user
  • Default registration expiry
  • Cookie name
  • Set cookie automatically
  • Allow only 1 email per registration
  • Access Table prefix (if you want to prefix the existing table names with another identifier)
  • Default redirection (When logging out)
  • What type of redirection occurs (URL, FOLDER,PAGE)
  • Add drop down list of User group levels
  • Add automatic list server subscription
  • Allow Admin settings password
  • Display record count for Users

Drop-down lists for the following options are located in the a_app_list.asp file:

  • Country
  • State
  • How the user found the web
  • Group Access levels

' ---------------------------------------------------------
' FAQ's
' ---------------------------------------------------------

Q: How safe is this method?

Also, I thought FrontPage used the fpdb folder because it's private
and can only be used by the server. Is the only security for your
database its unique name?

It seems if someone knows the name of your db file, they can download
and view the contents, correct? Is there a way around this or is my
server not working correctly?

A:
The only SAFE way to store databases is below the web root, where they aren't accessible.

I can't stress that enough.

Short of password-protecting the Access database and placing it in a non-browsable folder accessed via a DSN, there's little else you can do.
Obvious names and addresses shouldn't be used, and names should be kept as unique as possible.

The security provided by cookies, ASP and sessions should be considered low.
It is a simple way of providing page-based security that can be easily implemented.
It is not easily overridden, but there are no guarantees.

Some hosts will place databases below the root for you, and depending on your site and database content (e-comm etc.), you should consult a security expert for expert help.

----------------

Q: Why do my users have to log back in after being away from their PC?

A:
Sessions time out when not used. The default for an IIS4 server is 20 minutes. When this times out, the user is no longer recognised.
To change a session timeout, use the command:

<% Session.Timeout = x %>   where x is the number of minutes.

Be aware that the longer the session timeout value, the more server resources are used.
I don't recommend longer than the default of 20 minutes.

----------------

Q: I've set an Admin password for system view, now I cant modify my system settings!

A:
If you can't remember the password, or the login used to access it, here's what to do:
Download the current database.
Open the config table.
Delete the g_admin_pw value.
Upload the database.
Press the "Reset" button on the menu.
This will reload the new config from the database.

---------------------------------------------------------

COPYRIGHT NOTICE
Copyright (c) 1999-2000 Spooky
All rights reserved.
This software and documentation constitute an unpublished work and contain valuable trade secrets and proprietary information belonging to Spooky
None of the foregoing material may be copied, duplicated or disclosed without the express written permission of Spooky.
You are permitted to use the software on multiple websites with the 1 user license if you are the Owner of those websites.
When producing websites for profit, each website that you do not own will require an additional license.
----------------------------------------------------------

SPOOKY LOGIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
SPOOKY DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. IN NO EVENT SHALL SPOOKY OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES.
-----------------------------------------------------------

LICENSEE ACCEPTS Spooky Login "AS IS" "WITH ALL FAULTS",
Spooky accepts no responsibility for the operation or performance of the Login system. The entire risk of use and consequences of use of Spooky Login falls completely on the Licensee and Spooky shall not be liable in any respect for any claims loss or injury alleged to have resulted from use of or in reliance on Spooky Login.
Licensee acknowledges that it has read the foregoing disclaimers of warranty and limitation of liability and understands that Licensee assumes the entire risk of using the Spooky Login.