' ---------------------------
' Overview
' ---------------------------
Individual web pages are protected by identifying the user and checking
whether they are allowed to view that page.
The check is performed when the user logs in, by looking the user up in the
database.
If someone tries to access a page without logging in, they are redirected to
the login page, because neither their "session" nor their "cookie" exists yet.
Logging in sets both a "session" and a "cookie".
Each page to be protected MUST be saved as *.asp, so that the protection
script will run.
Each page to be protected MUST contain a script to identify the user (examples
below).
' ---------------------------
' Setup
' ---------------------------
Steps to follow
FrontPage
Files can be safely opened and edited with FrontPage 2000, but FIRST ensure that Tools
> Page Options > HTML Source is set to "Preserve existing HTML".
Otherwise, all editing can be done in Notepad or similar.
---------------------------------------------
' db_conn.asp
' ---------------------------------------------
The current database status is listed in diagnostics. Both read and write should report "OK".
' ---------------------------------------------
' login.asp
' ---------------------------------------------
Test Administrator Login :
Username = Spooky
Password = Admin
Test Login :
Username = Test
Password = Test
Change or delete both test accounts before the site goes live; these
credentials are published in this file.
Login.asp has various triggers to enable features (set in the admin_system.asp file).
They are :
The login page can be redesigned, as long as the form elements and the ASP
code above the <head> tag remain.
It is also possible to post from a form on an HTML page TO the
login.asp page to process your users' logins.
The form MUST contain 2 text boxes (Username, T2) and a hidden input "DoForm"
with a value of "True".
If the login fails, login.asp will be displayed.
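An added example of such a custom page (not part of the Spooky Login package). Only the field names Username, T2 and DoForm come from the documentation; the file name mylogin.asp, the use of a password-type box for T2, and the handling of the Redirect value are this example's own. The protection scripts in this file send the visitor to login.asp?Redirect=<page>, so the example carries that value through to the form action; it is assumed that login.asp reads Redirect from the query string on a POST as it does on a GET.

```asp
<%
' mylogin.asp - added example of a page that posts to login.asp.
' Field names Username, T2 and DoForm are the ones login.asp expects.
Option Explicit
Dim sRedirect
sRedirect = Request.QueryString("Redirect")

' Only ever send the user back to a site-relative path. A value that is
' empty, absolute (http://...) or protocol-relative (//host/...) is dropped,
' so a crafted link cannot turn the login page into an open redirect.
If Left(sRedirect, 1) <> "/" Or Left(sRedirect, 2) = "//" Then sRedirect = ""
%>
<html>
<head><title>Log in</title></head>
<body>
<!-- URL-encode the value inside the action so that "&" or "?" in the
     path cannot add extra parameters. -->
<form method="post" action="/login.asp?Redirect=<%= Server.URLEncode(sRedirect) %>">
  <p>Username: <input type="text" name="Username"></p>
  <p>Password: <input type="password" name="T2"></p>
  <input type="hidden" name="DoForm" value="True">
  <input type="submit" value="Log in">
</form>
<% If sRedirect <> "" Then %>
<!-- HTML-encode anything reflected into the page body. -->
<p>You will be returned to <%= Server.HTMLEncode(sRedirect) %> after logging in.</p>
<% End If %>
</body>
</html>
```

Link to the page as /mylogin.asp, or point the Response.Redirect in your protection scripts at it instead of /login.asp; on a failed login the visitor still sees login.asp, as described above.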
' ----------------------------------------------------
' Register.asp
' ----------------------------------------------------
This file allows your users to register themselves, or you can enter
registrations for them.
The page has requests for a minimal amount of user information, such as:
The required fields can be set in the administration settings pages, and you
can also choose which fields to display.
Obviously, Username and Password are always required.
If the administration settings are set to "Authenticate", then an email
address is also required.
Updating user records
Register.asp is also used to allow users to update their
profile (if configured).
A hyperlink to the registration page of : register.asp?UserUpdate=True
is required to activate it.
' ----------------------------------------------------
' pop_whatsthis.asp
' ----------------------------------------------------
Pop up window that is used to explain cookie and email password features.
' ----------------------------------------------------
' pop_features.asp
' ----------------------------------------------------
Pop up window that is used to explain features used in the admin section
Note: this information is reached by clicking on the feature name in admin_users.asp / admin_system.asp.
' ---------------------------------------------------
' success.asp
' ---------------------------------------------------
Welcome page or error page, depends on setup.
It's the default page used, but can be redesigned or
replaced as need be.
It is not a secure page, merely a results page. From here you can welcome or redirect visitors.
' ---------------------------------------------------
' inc_email.asp
' ---------------------------------------------------
Sending code for all the popular email components.
You may need to contact your host or check their support pages to find out which
email component they use, if none is detected.
The currently available components are detected in diagnostics.
There are a couple of variables that need changing in the settings page
to allow mail to be sent:
strServer - your email server (not always needed; depends on the component).
Your host will have this information. It is the SMTP server address that your email component uses.
Normally it will be something like smtp.YourDomain.com
strFrom - admin email address (yours!). Be aware that some email components require the "from" address to be on that domain.
All email formatting is carried out by the text files in the includes/email_templates/
directory.
You can personalise these files to suit your needs.
There is a read me in that directory with more information.
' ----------------------------------------------------
' redirect_example.asp
' ----------------------------------------------------
Demonstration of how redirect and/or auto-login works.
The session is cleared each time with a Session.Abandon call.
It's a good way of testing your security level or access settings.
' ----------------------------------------------------
admin_users.asp
admin_system.asp
' ----------------------------------------------------
Both pages have help files available by clicking on the text name next to
the option boxes.
pop_features.asp is the help file that is used
' ----------------------------------------------------
' Protecting pages
' ----------------------------------------------------
Protection is given on a per-page basis by a session-based variable.
Here's a simple script to add to the top of your ASP pages
to protect them. IT ONLY WORKS WITH ASP PAGES!! :c)
It assumes login.asp is in the root directory.
The minimum protection is to check that
Session("UserName") is not empty.
TIP - When pasting into FrontPage (HTML view), always paste formatted text like this into Notepad first and then cut and paste it into FrontPage, to ensure HTML code is not added by mistake.
Note that the redirect statement must stay on one line (or be continued with " _"); VBScript does not allow a statement to be split across lines otherwise.
<%
Response.Buffer = True
If Session("UserName") = "" Then
    Response.Redirect "/login.asp?Redirect=" & Request.ServerVariables("URL")
End If
%>
<html> etc....
The available session variables are :
Session("AccessLevel") = "0-9, or alphanumeric up to 10 characters"
Session("UserName")    = "UserName" (case sensitive)
Session("Admin")       = "True" or "False"
To allow access based on user level or admin status, you
would change the session variable and the value tested in the simple script.
Any combination of these variables can be used.
Access level based entry
Pages can be restricted to the Access level setting like so. AccessLevel is
stored as a string and may be alphanumeric, so test it against the exact
value rather than with a numeric comparison such as >= :
<%
Response.Buffer = True
If Session("AccessLevel") <> "3" Then
    Response.Redirect "/login.asp?Redirect=" & Request.ServerVariables("URL")
End If
%>
Admin entry
Restrict page access to Admins only :
<%
Response.Buffer = True
If Session("Admin") <> "True" Then
    Response.Redirect "/login.asp?Redirect=" & Request.ServerVariables("URL")
End If
%>
Cookie / Session Entry
To save database resources, checking the cookie as well as the session speeds up the checking process. The user is redirected to the login page only when neither the session nor the cookie is present. This is the preferred method, as Access databases can be hit hard when used in a web environment by more than 30 concurrent users.
Be aware that, as written, this script only tests that the cookie exists, not that its value is genuine; cookies are set by the browser, so do not rely on this check alone for pages with sensitive content. The ready-made inc_protection.asp in the 'examples' folder also checks the expiry settings.
<%
Response.Buffer = True
If Session("UserName") = "" And Request.Cookies("Spooky")("T1aUs") = "" Then
    Response.Redirect "/login.asp?Redirect=" & Request.ServerVariables("URL")
End If
%>
<html> etc....
Include pages
A method that reduces the amount of future page editing is to use an
include file to check that the user has rights to view the page.
To do this, save the script of your choice (from above) as an ASP
page on your web site.
The root directory is as good as any.
Now, in the head of your page, in HTML view, place this code :
<!-- #include virtual="/yourFileName.asp" -->
This works inside the head because the scripts turn on Response.Buffer; if
you leave buffering off, the include must come before any HTML is sent.
There is a ready-made example in the 'examples' folder called
'inc_protection.asp'.
This file checks the session, the cookie and the expiry settings.
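An added example of such an include file, written for this edit and not the package's own inc_protection.asp. It uses only the documented session variables (UserName, AccessLevel, Admin) and login.asp's Redirect parameter; the file name inc_require.asp and the page variables RequiredLevels and RequireAdmin are this example's own convention. Because a server-side include is merged into the page before any script runs, a variable set in the page just before the include line is visible to the include. It goes beyond the single-level checks above by accepting a list of allowed levels and by preserving the query string of the page the visitor asked for.

```asp
<%
' inc_require.asp - added example, not the project's own inc_protection.asp.
' In the protected page, set RequiredLevels and/or RequireAdmin BEFORE the
' include line (see the usage note). Leave both unset to require only a login.
Response.Buffer = True

' Stop browsers and proxies from caching a protected page.
Response.Expires = -1
Response.AddHeader "Cache-Control", "no-store"

' The page to come back to after login, query string included.
Dim sReturnTo
sReturnTo = Request.ServerVariables("URL")
If Request.ServerVariables("QUERY_STRING") <> "" Then
    sReturnTo = sReturnTo & "?" & Request.ServerVariables("QUERY_STRING")
End If

' AccessLevel may be alphanumeric, so compare as exact strings, never with >=.
' sAllowedList is a comma-separated list such as "3,4,VIP".
Function LevelAllowed(sLevel, sAllowedList)
    Dim aList, i
    LevelAllowed = False
    aList = Split(sAllowedList, ",")
    For i = 0 To UBound(aList)
        If Trim(aList(i)) = sLevel Then LevelAllowed = True
    Next
End Function

Sub DenyAccess()
    ' Response.Redirect ends the response; with buffering on, nothing written
    ' before this point reaches the client.
    Response.Redirect "/login.asp?Redirect=" & Server.URLEncode(sReturnTo)
End Sub

' 1. A session must exist. The cookie is deliberately not trusted on its own,
'    because its value is under the visitor's control.
If Session("UserName") = "" Then DenyAccess

' 2. Admin-only pages (RequireAdmin left unset counts as False).
If RequireAdmin = True Then
    If Session("Admin") <> "True" Then DenyAccess
End If

' 3. Access-level restricted pages.
If Not IsEmpty(RequiredLevels) Then
    If Not LevelAllowed(CStr(Session("AccessLevel")), RequiredLevels) Then DenyAccess
End If
%>
```

Usage, at the very top of a page that admins or users at level 3 or 4 may view: an ASP block containing `RequiredLevels = "3,4"`, followed on the next line by `<!-- #include virtual="/inc_require.asp" -->`; for an admin-only page set `RequireAdmin = True` instead. A page that only needs a login includes the file with neither variable set. The include must be reached before any HTML is written unless, as here, Response.Buffer is on.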
' ---------------------------------------------------------
Advanced
' ---------------------------------------------------------
Additional advanced features can be configured in the a_config.asp file.
They are :
Drop down lists for these options :
Are located in the a_app_list.asp file
' ---------------------------------------------------------
' FAQ's
' ---------------------------------------------------------
Q: How safe is this method?
Also, I thought FrontPage used the fpdb folder because
it's private
and can only be used by the server. Is the only security for your
database its unique name?
It seems if someone knows the name of your db file, they can download
and view the contents, correct? Is there a way around this, or is my
server not working correctly?
A:
The only SAFE way to store a database is below the web root, where the web
server will not serve it to a browser.
I can't stress that enough.
Short of password-protecting the Access database and placing it in a
non-browsable folder reached via a DSN, there's little else you can do.
Obvious names and locations shouldn't be used; keep them as unique as possible.
The security provided by cookies, ASP and sessions should be considered
low.
It is a simple way of providing page-based security that
is easily implemented.
It is not easily overridden, but there are no guarantees.
Some hosts will place databases below the root for you, and depending on your site and
database content (e-commerce etc.), you should consult a security expert.
----------------
Q: Why do my users have to log back in after being away from their PC?
A:
Sessions time out when not used. The default for an IIS4 server is
20 minutes. When the session times out, the
user is no longer recognized.
To change the session timeout, use the command :
<% Session.Timeout = x %> where x is the number of minutes.
Be aware that the longer the session timeout value, the longer each idle
session is held in server memory.
I don't recommend longer than the default of 20 minutes.
----------------
Q: I've set an Admin password for system view, and now I can't modify my system settings!
A:
If you can't remember the password, or the login used to access it, here's
what to do.
Download the current database.
Open the config table.
Delete the g_admin_pw value.
Upload the database.
Press the "Reset" button on the menu.
This will reload the new config from the database.
---------------------------------------------------------
COPYRIGHT NOTICE
Copyright (c) 1999-2000 Spooky
All rights reserved.
This software and documentation constitute an unpublished work and contain valuable
trade secrets and proprietary information belonging to Spooky
None of the foregoing material may be copied, duplicated or disclosed without
the express written permission of Spooky.
You are permitted to use the software on multiple websites with the 1 user
license if you are the Owner of those websites.
When producing websites for profit, each website, that you are not the
owner, will require an additional license.
----------------------------------------------------------
SPOOKY LOGIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
SPOOKY DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. IN NO EVENT SHALL SPOOKY OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES.
-----------------------------------------------------------
LICENSEE ACCEPTS Spooky Login "AS IS" "WITH ALL FAULTS",
Spooky accepts no responsibility for the operation or performance of the Login system. The entire risk of use and consequences of use of
Spooky Login falls completely on the Licensee and Spooky shall not be liable in any respect for any claims loss
or injury alleged to have resulted from use of or in reliance on Spooky Login.
Licensee acknowledges that it has read the foregoing disclaimers of warranty
and limitation of liability and understands that Licensee assumes the entire risk of using the Spooky Login.