
Password protection for certain areas of your website

Many people want to "password protect" their website.  There are a few ways to do this:  JavaScript (not very secure if it is a basic script), a text file (not bad, but it is a flat file and cannot handle many users) or an .asp database page.

Since this article is mostly concerned with web databases, we will assume that you are using an .asp solution.  Either Access or SQL will work; both populate data to a table.  The only difference is the number of users each program can handle at the same time.

An .asp solution also normally includes a cookie, which is why "cookies must be enabled" to view most database-driven sites: no cookie, no value to query, and therefore no results.

The input from the text box is used to create a "session variable".  This unique identifier can then be used to query the database to display dynamic content personalized for each viewer.  Here's an example:  yourdomain.cam/database/seemyprofile.asp?userID=<%=user_name%>

In the above example someone would login and want to see their profile.  They would click on this link that would display results on the seemyprofile.asp page, sorted by their user name, which is taken from the "session variable" that was created when they first logged in.

In most cases it is good to use pre-made or "canned" scripts for this type of functionality.  By hunting around you can find some decent free scripts, or for more powerful code you can pay anywhere from $15-300.00. 

Why would you pay money for this type of script?  Well, the more advanced ones have additional functionality which can be very handy, things like:

  • Confirm that there is only 1 user logged in with those credentials

  • Count the number of times or frequency of logins by user

  • More robust security features and URL hashing

Sometimes it makes sense to pay a bit of money for a good quality script.  As always, we feel you get what you pay for.

If you decide you want to code one by yourself you will need:

  1. A registration page.  This populates the database

  2. A "bad login" page.  This is your "bounce page": no soup for you...

  3. A "login" page. Enter your user ID and password.

  4. A "checklogin" page and a "shared" page which checks the database and sets a cookie.  These pages are the backend of the application and not seen by the visitor. 

  5. A "Welcome to the website, you have authenticated!!" page.

Normally:  
*  You see the registration page, and enter your information.
*  You register successfully and then have to login again (sometimes upon successful login an email is sent that you must respond to before your listing is active).
*  You login, but before you see another page behind the scenes the server consults the checklogin and shared.asp files.  If both are present and credentials are valid you then see the welcome page.  
*  Now that you are on a welcome page and successfully logged in, you can query the database, usually using the "session variable" tag.  Example:
yourdomain.cam/database/seemyprofile.asp?userID=<%=user_name%>

To password protect a new page in the same folder you add an "include" at the top of the page, above the HTML tag, similar to the following example:

<!--#include file="shared.asp" -->
<!--#include file="checklogin.asp" -->

A note on security and creating your forms

Active Server Pages are secure in that if you view the page source you only see the HTML, not the connection string to the other server.  Most pre-scripted login pages include a routine to check whether the user is actually logged in before displaying the results.  For example, if I knew your login and the dynamic page to query, I could try putting http://www.mydomain.com/results.asp?name=John in my browser and might be able to view your results.  If I was not logged in at that time, I would get an error or be returned to the login page.
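A sketch of the login check described here and of a protected page that uses the two includes shown earlier, as an added example rather than the article's or any vendor's script. The page name badlogin.asp, the connString variable assumed to be defined in shared.asp, and the users table with its column names are assumptions.

```asp
<%
' ---- checklogin.asp (added example) ----
' Assumes the login handler stores Session("user_name") only after the
' submitted password has been verified against the database.
If Len(Session("user_name") & "") = 0 Then
    Response.Redirect "badlogin.asp"   ' assumed name of the "bad login" page
    Response.End                       ' defensive: nothing below may run
End If
%>

<!--#include file="shared.asp" -->
<!--#include file="checklogin.asp" -->
<%
' ---- seemyprofile.asp (added example) ----
' The row is selected by the session value, not by the userID value in
' the URL, so editing the address bar cannot pull up another user's data.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = connString      ' assumed to be defined in shared.asp
cmd.CommandType = 1                    ' adCmdText
cmd.CommandText = "SELECT full_name, email FROM users WHERE user_name = ?"

' Parameterized query: 200 = adVarChar, 1 = adParamInput, 50 = max length.
cmd.Parameters.Append cmd.CreateParameter("user_name", 200, 1, 50, Session("user_name"))

Set rs = cmd.Execute
If Not rs.EOF Then
    ' HTML-encode stored values before writing them into the page.
    Response.Write Server.HTMLEncode(rs("full_name").Value & "") & "<br>"
    Response.Write Server.HTMLEncode(rs("email").Value & "")
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

With this layout the userID value in the link is at most a display hint; the row returned is always the one belonging to the logged-in session.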

If you want to display database results in a more secure manner, you can create forms that submit to your results page using "post", or hash the URL.  Check out the URL at the top of the page in your webmail program.  It will look something like this:

emal.com/login.asp?Login=SLFD6&46AS65464&546465&JLFJSL

Additional information has been added to the data to disguise the origin or run a script.  No one can bookmark and then view this info; it's been "hashed" so it's practically impossible to crack unless you know the underlying variables, which is unlikely.  This functionality is a must for any e-commerce application.

How to manage database sites once they are live on the Internet.

Once a dynamic website is up and running it can run for months without serious intervention.  Some of our sites are updated and administered entirely over the Internet.  In this case you create a hidden page to update, delete, and sort the information which is then available to the public.

Or, if you are using a product like SQL or Oracle you have a web "interface" or "viewer" that allows you to see and edit/delete/create tables.

Other projects that are more at home on a spreadsheet (financial results, monthly sales volumes, etc.) are easy to link to a database, with a little setup.  Create a "linked" table in Access pointing to the spreadsheet.  When the data is updated on the spreadsheet it is populated to the database.  Anyone viewing the data then sees the new values from the spreadsheet populated to the database.

If you are uploading to an SQL server and want to edit your data locally before showing it to the world you can create an Access Project - this will prompt you for the SQL IP and login; once authenticated you can edit your tables from there.  When you close the table the changes are populated to the database.
