Client login


djfenom
06-06-2005, 04:14 PM
I have created a client login page using Dreamweaver and I have tweaked it a bit so that the user gets redirected to a page on an external site where their website is hosted. Here is the code I have used:

<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
MM_valUsername=CStr(Request.Form("username"))
If MM_valUsername <> "" Then
MM_fldUserAuthorization=""
MM_redirectLoginFailed="index.asp?deny=true"
MM_flag="ADODB.Recordset"
set MM_rsUser = Server.CreateObject(MM_flag)
MM_rsUser.ActiveConnection = MM_clients_STRING
MM_rsUser.Source = "SELECT username, password, website"
If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
MM_rsUser.Source = MM_rsUser.Source & " FROM users WHERE username='" & Replace(MM_valUsername,"'","''") &"' AND password='" & Replace(Request.Form("password"),"'","''") & "'"
MM_rsUser.CursorType = 0
MM_rsUser.CursorLocation = 2
MM_rsUser.LockType = 3
MM_rsUser.Open
If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
' username and password match - this is a valid user
Session("MM_Username") = MM_valUsername
Session("svURL") = MM_rsUser.Fields.Item("website").Value
Session("pass") = MM_rsUser.Fields.Item("password").Value
If (MM_fldUserAuthorization <> "") Then
Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
Else
Session("MM_UserAuthorization") = ""
End If
if CStr(Request.QueryString("accessdenied")) <> "" And false Then
MM_redirectLoginSuccess = Request.QueryString("accessdenied")
End If
MM_rsUser.Close
Response.Redirect "http://www." & Session("svURL") & "/clientarea/index.asp?pw=" & Session("pass") & ""
End If
MM_rsUser.Close
Response.Redirect(MM_redirectLoginFailed)
End If
%>

<form name="form1" id="form1" method="POST" action="<%=MM_LoginAction%>">
<label for="username">Username:</label>
<input name="username" type="text" id="username" />
<label for="password">Password:</label>
<input name="password" type="password" id="password" />
<label>&nbsp;</label>
<input type="submit" name="Submit" value="Submit" id="submit" />
</form>

This takes the user off to a page such as http://www.website.co.uk/clientarea/index.asp?pw=password. This works fine, but I'm not sure if it's secure enough. I know the session can't be passed from website to website, but is there a better way of doing this? I want it so that nobody can just go straight to http://www.website.co.uk/clientarea and access the pages that way.

Thanks in advance.

Chris

miranda
06-06-2005, 04:27 PM
Passing a non-encoded password in the query string is a terrible security risk in itself. Passing any parameter at all is easily spoofed. In fact it allows the user to bookmark the page and then never have to go back to log in.

Why do your users login to your page to then go to their page? Tell us more about what you are trying to accomplish exactly and maybe someone can come up with a workable solution for you.

djfenom
06-06-2005, 04:39 PM
I figured that would be a bad way to go!

I work for a web design company and this is for the client area of it; there is a button on our site that links off to the login page. The idea was for a user to log in to our site and then be taken to a secure area of their site where they can then view their site statistics and make changes to any self-maintained pages they have.

Thanks for your help.

miranda
06-06-2005, 08:09 PM
I would use NTFS Security (http://support.microsoft.com/Default.aspx?scid=kb;en-us;325357) for this. The link will help you set it up.

djfenom
06-07-2005, 10:26 AM
Unfortunately we do not host our sites and use a third-party hosting company to do this.

Thanks

glenngv
06-07-2005, 10:53 AM
Does the client website have their own login system? I assume they have. If yes, then you can make a form in your site that submits to their authentication page.
<form name="clientForm" action="http://www.website.co.uk/clientarea/login.asp" method="post">
<label for="username">Username:</label>
<input name="username" type="text" id="username" />
<label for="password">Password:</label>
<input name="password" type="password" id="password" />
<label>&nbsp;</label>
<input type="submit" name="Submit" value="Submit" id="submit" />
</form>

djfenom
06-07-2005, 12:37 PM
I would like to keep the user database on our server as this is a large table with all the details about each of our clients.

glenngv
06-07-2005, 12:56 PM
So does that mean that the client websites don't have their own authentication? What if the client goes directly (which is very likely to happen) to their website? Then your authentication is bypassed.

If all the client websites and the master website belong to the same domain, you can share cookies to set up a single sign-on mechanism. That is the way mail.yahoo.com, photos.yahoo.com, groups.yahoo.com, xxx.yahoo.com do it.

djfenom
06-07-2005, 01:55 PM
The client websites don't have authentication. I realise they can go directly to that area of the site and bookmark it, which makes it very insecure. All the websites are on different domains, so cookies cannot be shared.

Is there any way of blocking a page if it hasn't come from a particular site, i.e., the user has to come from www.website.com, otherwise the page is not displayed?

glenngv
06-07-2005, 02:14 PM
You can check the referring URL by checking Request.ServerVariables("HTTP_REFERER"). But some proxies and firewalls disable it. So it is not reliable all the time.

Freon22
06-07-2005, 02:40 PM
I would do this.

Dim from, owner
' HTTP_REFERER carries the full URL of the referring page (if the browser sends it at all),
' so compare against the URL prefix rather than the bare host name
from = Request.ServerVariables("HTTP_REFERER")
owner = Request.Cookies("user")
If owner <> "Ok" Then
    If Left(LCase(from), Len("http://www.website.com/")) = "http://www.website.com/" Then
        ' First arrival from the master site: remember it for the rest of the visit
        Response.Cookies("user") = "Ok"
    Else
        ' Redirect needs an absolute URL, otherwise it is treated as a relative path
        Response.Redirect("http://www.someplace.com")
    End If
End If


Edit: If your clients' sites aren't ASP then you would have to use JavaScript. Also, note what glenngv said about the proxies and firewalls. So there are some holes here.
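The referer check discussed in the last two posts, worked through as an added example (not code from the thread; written in Python with urllib.parse because the parsing logic is the same whatever the server language, and www.website.com stands in for the master site). It shows why the referring URL has to be parsed down to its host before comparing, and why a missing header, which the thread notes proxies and firewalls can cause, is a separate outcome from "came from somewhere else".

```python
"""Host-based Referer check (added example, not from the thread).
All host names and headers below are constructed placeholders."""
from urllib.parse import urlsplit

# The site users must have come from (the thread's www.website.com).
ALLOWED_REFERER_HOSTS = {"www.website.com"}


def referer_host(referer):
    """Return the lower-cased host of a Referer header, or None when the
    header is absent or is not an absolute http(s) URL."""
    if not referer:
        return None
    parts = urlsplit(referer.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def referer_allowed(referer):
    """Exact host comparison. Comparing the whole header to the bare string
    "www.website.com" never matches, because browsers send a full URL, and a
    substring test would also accept unrelated hosts that merely contain it."""
    return referer_host(referer) in ALLOWED_REFERER_HOSTS


def classify_request(referer):
    """Three outcomes to tell apart: header missing (stripped by a proxy or a
    direct visit/bookmark), from the expected site, or from elsewhere."""
    host = referer_host(referer)
    if host is None:
        return "unknown"  # cannot decide; must not silently grant access
    return "allowed" if host in ALLOWED_REFERER_HOSTS else "denied"


# Constructed sample Referer headers with the expected classification.
SAMPLES = {
    "http://www.website.com/login.asp": "allowed",
    "https://WWW.WEBSITE.COM/clientarea/": "allowed",
    "http://www.website.com.example.net/login.asp": "denied",
    "http://other.example/?u=www.website.com": "denied",
    "": "unknown",
    None: "unknown",
}

if __name__ == "__main__":
    for ref, expected in SAMPLES.items():
        result = classify_request(ref)
        print(f"{result:8} {ref!r}")
        assert result == expected
```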