Need help with ASP script.

[Bobby]

Hello everyone I have a question. The school I am working for is in
the beginning process of having a webpage that will direct students to
download there homework and be able to view there info like test
scores and etc(the homework and info page will reside on our
webservers at the school on the local intranet network). Now what I
need is a way for the students to go to a login page and when logging
in will be automatically directed to there own personal index.htm page
that will reside in a folder containing all there information and
homework. I had downloaded a free ASP script which basically uses a
Access DB to authorize the username and password and gives 2 diffrent
asp result pages either "Granted" or "No Access". Now the only thing I
can think of is to put a script in each students virtual directory and
when getting to there index file have this script run and the results
will let them in or give them no access but I think that would be way
to much. So what do you guys recommend and is there any links you know
that I can get some info from?


Here is the code from the free code I got
-----------------------------------------------------------------------
<%
'Dimension variables
Dim adoCon 'Database Connection Variable
Dim strCon 'Holds the Database driver and the path and name of the
database
Dim rsCheckUser 'Database Recordset Variable
Dim strAccessDB 'Holds the Access Database Name
Dim strSQL 'Database query sring
Dim strUserName 'Holds the user name

'Initalise the strUserName variable
strUserName = Request.Form("txtUserName")

'Check the database to see if user exsits and read in there password
'Initialise the strAccessDB variable with the name of the Access
Database
strAccessDB = "users"

'Create a connection odject
Set adoCon = Server.CreateObject("ADODB.Connection")

'Database connection info and driver
strCon = "DRIVER={Microsoft Access Driver (*.mdb)};uid=;pwd=letmein;
DBQ=" & Server.MapPath(strAccessDB)

'Set an active connection to the Connection object
adoCon.Open strCon

'Create a recordset object
Set rsCheckUser = Server.CreateObject("ADODB.Recordset")

'Initalise the strSQL variable with an SQL statement to query the
database
strSQL = "SELECT tblUsers.Password FROM tblUsers WHERE tblUsers.UserID
='" & strUserName & "'"

'Query the database
rsCheckUser.Open strSQL, strCon

'If the recordset finds a record for the username entered then read in
the password for the user
If NOT rsCheckUser.EOF Then

'Read in the password for the user from the database
If (Request.Form("txtUserPass")) = rsCheckUser("Password") Then

'If the password is correct then set the session variable to True
Session("blnIsUserGood") = True

'Close Objects before redirecting
Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckUser = Nothing

'Redirect to the authorised user page and send the users name
Response.Redirect"authorised_user_page.asp?name=" & strUserName
End If
End If

'Close Objects
Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckUser = Nothing

'If the script is still running then the user must not be authorised
Session("blnIsUserGood") = False

'Redirect to the unautorised user page
Response.Redirect"unauthorised_user_page.htm"
%>

 

[Mark Schupp]

First a nitpick, "there" is used to indicate a location. When talking about
something belonging to a person you use "their".

Actually the approach you mention does not go far enough. Every single page
that you want to protect must include code to verify that the student is
logged on.

1. create a logon page that is shared by everyone
2. when a student logs on set a session variable or temporary cookie
indicating that they are logged on. For example: Session("studentid") =
<whatever student id is in the database>
3. redirect the logged on student to their home page. If all of the student
data is in a database then this page can be built dynamically using a single
ASP page.
4. on all pages that require a student to be logged on (including the home
page) check that the session variable or cookie exists. If it does not then
re-direct them to the login page.

If Len(Session("studentid")) = 0 Then
response.redirect "login.asp"
End If

 

[Jeff Cochran]

Hello everyone I have a question. The school I am working for is in
the beginning process of having a webpage that will direct students to
download there homework and be able to view there info like test
scores and etc(the homework and info page will reside on our
webservers at the school on the local intranet network). Now what I
need is a way for the students to go to a login page and when logging
in will be automatically directed to there own personal index.htm page
that will reside in a folder containing all there information and
homework. I had downloaded a free ASP script which basically uses a
Access DB to authorize the username and password and gives 2 diffrent
asp result pages either "Granted" or "No Access". Now the only thing I
can think of is to put a script in each students virtual directory and
when getting to there index file have this script run and the results
will let them in or give them no access but I think that would be way
to much. So what do you guys recommend and is there any links you know
that I can get some info from?

1) There are already commercial apps written to do these things, or
at worst, portal apps available free.

2) Providing this type of access in a school environment without a
good handle on the security aspect is foolhardy.

3) If you're asking this question as you've asked it, you don't meet
the criteria for #2

Use Windows accounts and Windows Integrated security, redirect and
allow access based on the user ID, using
Request.ServerVariables("LOGON_USER").

Jeff