Creating a Members Area in ASP

The login form

The login form is a relatively simple affair. It prompts the user for a username and password, validates it against the database, and if the username/password combination is valid, it saves a variable saying so in the Session data.

Note
Using sessions requires the use of cookies (unless you are using ASP.NET, which allows the session value to be stored in the URL) - users with cookies disabled will not be able to login.

Copy the code below into login.asp, and then we'll take a closer look.

login.asp

<%
Option Explicit
Dim strError, strSQL, objRS
'see if the form has been submitted
If Request.Form("action")="login" Then
   'the form has been submitted

   '// validate the form

   'check if a username has been entered
   If Request.Form("username") = "" Then _
       strError = strError & "- Please enter a username<br>" & vbNewLine

   'check if a password has been entered
   If Request.Form("password") = "" Then _
       strError = strError & "- Please enter a password<br>" & vbNewLine 

   '// check if an error has occured
   If strError = "" Then
      'continue
      'include database connection code
      %>
      <!--#include file="inc-dbconnection.asp"-->
      <%

      '// create the SQL
      strSQL = "SELECT id,password FROM members WHERE username='" & _
         fixQuotes(Request.Form("username")) & "'"

      '// run the SQL
      Set objRS = objConn.Execute (strSQL)
      '// see if there are any records returned
      If objRS.EOF Then
          'no username found
          strError = "- Invalid username or password<br>" & vbNewLine
      Else
          'check password
          If objRS("password")=Request.Form("password") Then
               'username/password valid
               'save session data
               Session("loggedin") = True
               Session("userid") = objRS("id")
               'redirect to members area
               Response.Redirect ("default.asp")
               Response.End
          Else
               'invalid password
               strError = "- Invalid username or password<br>" & vbNewLine
          End If
      End If

   End If
   If strError <> "" Then
      'output the error message
      'add extra HTML...
      strError = "<p><font color=""#FF0000"">The following errors occured:" & _
          "</font><br>" & vbNewLine & strError
   End If
   'display message in URL.. (ie thank you for registering)
   If Request.QueryString("msg") <> "" And strError = "" Then
      strError = "<p>" & Request.QueryString("msg") & "</p>"
   End If
End If

Function fixQuotes(strData)
  fixQuotes = Replace(strData,"'","''")
End Function

're-set session data (ie log out)
Session("loggedin")="" Session("userid")="" %> <html> <head> <title>Members Area Login</title> </head> <body> <h1>Members Area Login</h1> <p>Please enter your username and password to access the Members Area.</p> <%=strError%> <form action="login.asp" method="POST"> <input type="hidden" name="action" value="login"> <table border="0"> <tr>   <td><b>Username</b></td>   <td><input type="text" maxlength=20 name="username" value="<%=Server.HTMLEncode(Request.Form("username"))%>"></td> </tr> <tr>   <td><b>Password</b></td>   <td><input type="password" maxlength=20 name="password" value="<%=Server.HTMLEncode(Request.Form("password"))%>"></td> </tr> <tr>   <td> </td>   <td><input type="submit" value="Login"></td> </tr> </table> </form> </body> </html>

A large proportion of this code is almost identical to that of register.asp. The code first checks to see if the form has been submitted. If it has, it uses the same validation technique as before to see if a username and password has been specified. If it hasn't it displays an error message. If it has, then it checks the username/password combination by querying the database for that username.

If objRS.EOF Then the username hasn't been found; display error message. Otherwise, we check the password returned from the database, and compare it to the one the user has just entered. Once again, if they are incorrect, we tell the user that.

If the username/password combination is correct, we set the loggedin value of our session data to 1, and also save the user id. These session data variables are available outside login.asp, so our members pages can check if we are logged in or not. Therefore, once setting this data, we simply redirect to default.asp ; the members home page (we are assuming that you have a seperate /members/ directory).

You might also like...

Comments

About the author

James Crowley

James Crowley United Kingdom

James first started this website when learning Visual Basic back in 1999 whilst studying his GCSEs. The site grew steadily over the years while being run as a hobby - to a regular monthly audien...

Interested in writing for us? Find out more.

Contribute

Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“Brevity is the soul of wit” - Shakespeare