View Full Version : Sessions


hughesmi
01-31-2008, 08:18 PM
I am not sure this is allowed.

Let me explain. The user logs in. The userName is the name of the page. So I don't want other users to access other users' pages. So I am trying to use a session to validate the user so they can only access their own page.

Am I way off?



<%
' Note: this compares the session value to the literal string "userName",
' not to the logged-in user's name, so the redirect only fires when
' Session("userGood") happens to hold the text "userName".
If Session("userGood") = "userName" Then
    Response.Redirect "../default.asp"
End If
%>



<p>Page for&nbsp; - <%=session("userName")%></p>
<p>&nbsp;</p>
<p>&lt;&lt; Back to main menu.</p>

Spudhead
02-01-2008, 11:19 AM
Huh? The username is the file name of the ASP page?

Like... johnsmith.asp?

In that case... yeah, I guess use request.servervariables("SCRIPT_NAME") to get the filename of the page, drop the username into a session variable on successful login, and then compare the two at the top of the users page. Seems an odd way of doing it though. Maybe I'm misunderstanding.
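As an added example of the check Spudhead describes (not code from either poster), here is a classic ASP include that derives the page owner from SCRIPT_NAME and only lets the matching logged-in user through. It assumes the per-user pages live at paths like /members/johnsmith.asp, that a login step elsewhere stores the authenticated name in Session("username"), and that ../login.asp is the login page; those names are assumptions.

```vbscript
<%
' Added example, not the poster's code. Put this at the top of each
' per-user page, or in a file pulled in with <!--#include file="..." -->.
' Assumed layout: /members/<username>.asp, owner name = file name minus extension.

Function PageOwner()
    ' "/members/johnsmith.asp" -> "johnsmith"
    Dim scriptPath, fileName, dotPos
    scriptPath = Request.ServerVariables("SCRIPT_NAME")
    fileName = Mid(scriptPath, InStrRev(scriptPath, "/") + 1)
    dotPos = InStrRev(fileName, ".")
    If dotPos > 0 Then fileName = Left(fileName, dotPos - 1)
    PageOwner = fileName
End Function

Dim currentUser
currentUser = Session("username")   ' set by the login step (assumed)

If IsEmpty(currentUser) Or currentUser = "" Then
    ' Not authenticated at all: send them to the login page (assumed path).
    Response.Redirect "../login.asp"
ElseIf StrComp(currentUser, PageOwner(), vbTextCompare) <> 0 Then
    ' Authenticated, but this is somebody else's page. Windows file names are
    ' case-insensitive, so the comparison is too. Deny without revealing
    ' whether the requested page exists or who owns it.
    Response.Status = "403 Forbidden"
    Response.Write "<p>Access denied.</p>"
    Response.End
End If
%>
<p>Page for <%= Server.HTMLEncode(currentUser) %></p>
```

The important property is that the decision is made from the server-side session and the server-side script name only; nothing the visitor can type (query string, form field, cookie value) takes part in it. Server.HTMLEncode on the echoed name keeps a username containing markup from being rendered as HTML.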

hughesmi
02-01-2008, 11:26 AM
No you are right. It's me who is v/confused. :confused:

I am not sure the best way to do this I was thinking that I could use sessions to validate the user.


I have a password protect area of my website. I have a few users that I managed via admin page.

I need to let them have access to some pages that only they can access when they login


Maybe you could point me in a clearer direction?

Mike

Spudhead
02-01-2008, 05:13 PM
Well... how are you storing user details? In a database?

hughesmi
02-01-2008, 06:10 PM
Yes, via an Access DB.

Spudhead
02-04-2008, 01:20 PM
Ok, well... have a look at this. It's rough and basic (and untested) but it should manage session-based user management with a database backend:

blnLoggedIn = false
loggedInUsername = session("username")

if loggedInUsername = "" then

    ' Not logged in. But they might have just submitted the login form. So:

    loginUsername = request.form("username")
    loginPassword = request.form("password")

    if loginUsername <> "" and loginPassword <> "" then

        ' They did just submit the form. Let's see if they're in the database

        ' DO NOT USE THIS IN PRODUCTION CODE. IT IS VULNERABLE TO SQL INJECTION ATTACK
        sql = "SELECT username FROM tblUsers WHERE username = '" & loginUsername & "' AND password = '" & loginPassword & "'"
        set objLoginRecordset = myDatabaseConnection.execute(sql)

        if not objLoginRecordset.BOF and not objLoginRecordset.EOF then

            ' we found a matching user. Log them in:

            session("username") = loginUsername
            blnLoggedIn = true

        else

            ' they tried to login but failed.

            response.write("Nope, never heard of you. Try again?")

        end if

    end if

else
    ' they're already logged in, we have their username
    blnLoggedIn = true

end if

if not blnLoggedIn then

    ' they haven't logged in yet (or the attempt just failed). Write them a login form that submits to itself:

    response.write("<form action="""" method=""post"">")
    response.write("Username: <input type=""text"" name=""username""/>")
    response.write("Password: <input type=""password"" name=""password""/>")
    response.write("<input type=""submit""/>")
    response.write("</form>")

    ' stop writing anything else
    response.end

end if

' if someone gets to here, they're logged in


If you saved that chunk of code as, say, userlogin.asp and included it at the top of pages you wanted protected, then in theory you've got a simple and portable method of validating user access. Like I say, I've not tried it directly but hopefully the logic is intact :)
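As an added example (not Spudhead's code), here is the same self-submitting login include with the one problem his comment flags fixed: the user lookup goes through a parameterised ADODB.Command instead of string concatenation, so the typed username can never change the shape of the query, and the password column holds a salted SHA-256 hash rather than the password itself. It assumes a table tblUsers(username, salt, passwordHash), an open ADODB.Connection named myDatabaseConnection created by the including page, and an IIS host with the .NET Framework installed so its hash classes can be created through COM; all of those are assumptions, not something the thread states.

```vbscript
<%
' Added example, not the poster's code. Same flow as the thread's
' userlogin.asp, hardened. Assumed schema: tblUsers(username, salt, passwordHash).
' Assumed: myDatabaseConnection is an open ADODB.Connection from the including page.

Function Sha256Hex(text)
    ' Hex SHA-256 of a string, via the .NET classes exposed to COM.
    ' (Assumes the .NET Framework is present on the IIS host.)
    Dim enc, sha, bytes, i, hexStr
    Set enc = Server.CreateObject("System.Text.UTF8Encoding")
    Set sha = Server.CreateObject("System.Security.Cryptography.SHA256Managed")
    bytes = sha.ComputeHash_2(enc.GetBytes_4(text))
    hexStr = ""
    For i = 1 To LenB(bytes)
        hexStr = hexStr & Right("0" & Hex(AscB(MidB(bytes, i, 1))), 2)
    Next
    Sha256Hex = LCase(hexStr)
End Function

Function LookupUser(conn, userName)
    ' The username travels as a parameter, so quotes in it are data, not SQL.
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT salt, passwordHash FROM tblUsers WHERE username = ?"
    cmd.CommandType = 1                                        ' adCmdText
    cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 64, userName)  ' adVarChar, adParamInput
    Set LookupUser = cmd.Execute
End Function

Function CredentialsValid(conn, userName, password)
    ' True only if the user exists and the salted hash of the typed password matches.
    Dim rs
    CredentialsValid = False
    Set rs = LookupUser(conn, userName)
    If Not (rs.BOF Or rs.EOF) Then
        If Sha256Hex(rs("salt") & password) = rs("passwordHash") Then
            CredentialsValid = True
        End If
    End If
    rs.Close
End Function

Dim blnLoggedIn, loginUsername, loginPassword
blnLoggedIn = False

If Session("username") <> "" Then
    ' Already logged in on this session.
    blnLoggedIn = True
Else
    loginUsername = Trim(Request.Form("username"))
    loginPassword = Request.Form("password")
    If loginUsername <> "" And loginPassword <> "" Then
        If CredentialsValid(myDatabaseConnection, loginUsername, loginPassword) Then
            Session("username") = loginUsername
            blnLoggedIn = True
        Else
            ' One message for both "no such user" and "wrong password",
            ' so the form does not confirm which usernames exist.
            Response.Write "<p>Login failed. Try again?</p>"
        End If
    End If
End If

If Not blnLoggedIn Then
    Response.Write "<form action="""" method=""post"">"
    Response.Write "Username: <input type=""text"" name=""username"" />"
    Response.Write "Password: <input type=""password"" name=""password"" />"
    Response.Write "<input type=""submit"" value=""Log in"" />"
    Response.Write "</form>"
    Response.End
End If
' Anything after this point runs only for an authenticated user.
%>
```

Two things to check when adapting it: the salt should be a fresh random value stored per user when the account is created (the admin page would generate it and store Sha256Hex(salt & password) alongside it), and if a dedicated password-hashing component such as bcrypt is available on the server it is preferable to salted SHA-256, which is fast enough to brute-force offline if the table is ever leaked.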

hughesmi
02-04-2008, 04:28 PM
Thanks