Admin Login System
Building an admin log in system is pretty simple for a small
site. You don't need a username, so a password is acceptable
for log in and you can write your password into the code.
However, because it is an admin section it needs to be fairly
secure - no having the password available for hackers to find
in the source code.
Solution - a simple server side script. The password will
be in the code but because it is server side it will never
reach the end user and so they cannot get hold of it.
For this you will need 3 pages: a main page, a log in
page and a log out page.
index.asp
login.asp
logout.asp
Because we need it to be fairly secure I am going to use
a session cookie for the password. Let's start with the main
page.
<%
' send anyone without the correct password to the log in page
If Session("adminpassword") <> "dog" Then
    Response.Redirect ("login.asp")
End If
%>
<html>
<head>
<title>Admin Homepage</title>
</head>
<body>
<p>Welcome to the admin section.</p>
</body>
</html>
For this I have chosen the password "dog".
If this is not present in a session cookie called adminpassword,
the user will be redirected to login.asp. Let's look at that
now.
<html>
<head>
<title>Admin Log In</title>
</head>
<body>
<p>Please enter the admin password:</p>
<form action="login.asp" method="post" name="login_form" id="login_form">
<input name="password" type="password" id="password" size="40">
<input type="submit" name="Submit" value="Log In">
</form>
</body>
</html>
The first thing I have done is to add a form called "login_form"
to allow the user to log in. In the form I have placed a text
field called "password" and a submit button so they
can type in the password and click submit to log in. This
sends the user and the form variable, "password",
to login.asp (the same page but reloaded). Now we need to
add some server side scripting to the top of the page, above
the <html> tag.
<%
' checks to see if the password has been submitted
If Request.Form("password") <> "" Then
    ' it has, so writes it into the session cookie
    Session("adminpassword") = Request.Form("password")
    ' if the user's password is correct they should now be able
    ' to gain access to the main page
    ' if they entered an incorrect password they will be
    ' redirected back here. Because the form variable
    ' is not sent when they are redirected back here
    ' they will not be redirected back to index.asp
    Response.Redirect ("index.asp")
End If
%>
If the password is incorrect, e.g. they entered "cat", which
is different from "dog", it will still be saved in the session
variable and the user will still be redirected to index.asp,
but because the password is not "dog" they will be redirected
back here again.
The fact that the incorrect password is saved in the session
cookie allows us to give the user some more information when
they are redirected back to login.asp because index.asp won't
give them access.
<%
' if the user is on login.asp but still has a password
' in the session cookie, they must have entered
' an incorrect password
If Session("adminpassword") <> "" Then
%>
<p>You entered an incorrect password.</p>
<%
End If
%>
You can then insert the script that we placed at the top
of index.asp into all the pages you want protecting. To save
yourself having to change the script on every protected page
when you want to change the password, you could also save
the script, by itself, in a separate file and use a file include
on all the pages you want protecting.
<!--#include file="passwordcheck.asp" -->
You can then just update the script in passwordcheck.asp
and all the protected pages would now use the new password.
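A variant of the same scheme, added here as an example and not part of the original tutorial: login.asp compares the password once and stores only a logged-in flag, so passwordcheck.asp and the protected pages never contain the password and a wrong guess is never kept in the session. The session key "isadmin" and the constant ADMIN_PASSWORD are names assumed for this example; the first script block is the whole of passwordcheck.asp, the rest is login.asp.

```asp
<%
' ===== passwordcheck.asp: include at the top of each protected page =====
' Added example. Tests a flag set by login.asp, so this file and the
' protected pages never contain the password. "isadmin" is an assumed name.
If Not (Session("isadmin") = True) Then
    Response.Redirect "login.asp"
End If
%>

<%
' ===== login.asp: script above the <html> tag =====
Const ADMIN_PASSWORD = "dog"    ' the tutorial's sample password
Dim submitted, loginFailed
submitted = Request.Form("password")
loginFailed = False

If submitted <> "" Then
    If submitted = ADMIN_PASSWORD Then
        ' correct: remember only that the login succeeded
        Session("isadmin") = True
        Response.Redirect "index.asp"
    Else
        ' wrong: nothing about the guess is kept in the session
        Session("isadmin") = False
        loginFailed = True
    End If
End If
%>
<html>
<head>
<title>Admin Log In</title>
</head>
<body>
<% If loginFailed Then %>
<p>You entered an incorrect password.</p>
<% End If %>
<p>Please enter the admin password:</p>
<form action="login.asp" method="post" name="login_form" id="login_form">
<input name="password" type="password" id="password" size="40">
<input type="submit" name="Submit" value="Log In">
</form>
</body>
</html>
```

With this layout a password change touches login.asp only, and the "incorrect password" message appears only after a failed submission, not whenever a logged-in user opens login.asp.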
Finally we need to create a log out page for the user to
log out, to stop anyone else getting in after the user is done.
This may not be needed if you are on a home PC which nobody
else has access to, but you might want to build one anyway.
The log out page is amazingly simple.
<%
Session.Abandon ()
Response.Redirect ("index.asp")
%>
This should log the user out. If the user has not been logged
out for some reason they will know because they will gain
access to index.asp when they are redirected to it. If the
user has been logged out successfully, index.asp will redirect
them to login.asp and so they will know they have been logged
out.
Now just to make it easier on you I will include the full
source code including links, html and asp code, ready for
you to copy and paste into your text editor and save as the
appropriate files.
index.asp
<%
' send anyone without the correct password to the log in page
If Session("adminpassword") <> "dog" Then
    Response.Redirect ("login.asp")
End If
%>
<html>
<head>
<title>Admin Homepage</title>
</head>
<body>
<p>Welcome to the admin section.</p>
<p><a href="logout.asp">Click here to log out.</a></p>
</body>
</html>
login.asp
<%
' checks to see if the password has been submitted
If Request.Form("password") <> "" Then
    ' it has, so writes it into the session cookie
    Session("adminpassword") = Request.Form("password")
    ' if the user's password is correct they should now be able
    ' to gain access to the main page
    ' if they entered an incorrect password they will be
    ' redirected back here. Because the form variable
    ' is not sent when they are redirected back here
    ' they will not be redirected back to index.asp
    Response.Redirect ("index.asp")
End If
%>
<html>
<head>
<title>Admin Log In</title>
</head>
<body>
<p>Please enter the admin password:</p>
<form action="login.asp" method="post" name="login_form" id="login_form">
<input name="password" type="password" id="password" size="40">
<input type="submit" name="Submit" value="Log In">
</form>
</body>
</html>
logout.asp
<%
Session.Abandon ()
Response.Redirect ("index.asp")
%>