How can I create username/pw-protected URLs?


Pelle
02-03-2005, 01:25 PM
I want to create an area where only registered users may enter. That is, if someone tries to go directly to "secret1.asp" or "secret2.htm" I want them to be re-directed to the "login.htm" page. I also want the users to be able to navigate between the two protected web pages (by using the two links) without having to login each time. When a user successfully logs on, "secret1.asp" should always be displayed.

The username and password will be checked against a database but I know how to achieve that already. The main problems are how to make sure that the only available route to the two protected pages is through "login.htm" and how to remember a user that navigates between the two protected pages. Is there, by the way, any difference whether the pages in the protected area are static or dynamic? I guess I should use cookies here, I just don't know how (maybe there is another way too).

Hope you guys can help me out here. I would be really grateful.


//This is "login.htm"

Please enter your username and password:

<form name="form1" method="post" action="secret1.asp">

<p>Username: <Input name="text" type="text" id="text"> </p>
<p>Password: <Input name="pw" type="password" id="pw"> </p>

<p><Input name="submit" type="submit" value="Enter"> </p>
</form>


//This is the "secret1.asp" URL

Some ASP/DHTML code....

// Link to another protected URL
<a href="secret2.htm"> Go to the community page </a>



//This is the "secret2.htm" URL

Some static HTML code....

// Link back to "secret1.asp"
<a href="secret1.asp"> Return to your starting page </a>

lmf232s
02-03-2005, 02:56 PM
Once the user logs on you could set a session variable.
You can then test for this session variable on the two pages
and if there is no session variable then they would be redirected.

User logs on, you validate that data against the DB, if there is a
match then set a session variable.

Session("User") = "Admin"

then at the top of your two pages you could do something like this.

If Session("User") = "Admin" Then
    ' do nothing and allow access, user has Admin rights
Else
    Response.Redirect "Login.asp"
End If

Now if any user tries to go directly to this page, they will be redirected to the login page. Once you log in, the session("User") variable is set and then that user would have access.

This is a pretty simple approach, you can make it more complicated if you want but this pretty much sums up how it can work.

Hope this helps.
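
The session check described in the post above, packaged as a shared include so both protected pages run the same guard. This is an added example, not code from the thread: the file name auth.asp and the Sub/Function names are hypothetical, and it assumes default IIS handling, where only .asp files are run through the ASP engine.

```asp
<%
' auth.asp: hypothetical shared include (added example, not from the thread).
' Make this the first line of every protected page:
'     <!--#include file="auth.asp"-->
' and call RequireLogin before any HTML is written.
' Assumption: default IIS mapping, where only .asp files run server-side
' script. A static secret2.htm is served without running this check, so it
' has to be saved as secret2.asp (and the link to it updated).

Const LOGIN_PAGE = "login.htm"      ' login form from the first post

' Call once the username/password lookup against the database has succeeded.
Sub SignIn(userName)
    Session("User") = userName
    Session.Timeout = 20            ' minutes of inactivity before the session ends
End Sub

' True only when SignIn has run in this browser session.
Function IsLoggedIn()
    IsLoggedIn = (Len(Session("User") & "") > 0)
End Function

' Guard for protected pages: anonymous requests go back to the login form.
Sub RequireLogin()
    If Not IsLoggedIn() Then
        Response.Redirect LOGIN_PAGE
    End If
    ' Keep browsers and proxies from storing the protected page.
    Response.Expires = -1
    Response.CacheControl = "no-cache"
    Response.AddHeader "Pragma", "no-cache"
End Sub

' Logout: destroy the server-side session, then return to the login form.
Sub SignOut()
    Session.Abandon
    Response.Redirect LOGIN_PAGE
End Sub
%>
```

Because the login form posts to secret1.asp, that page has to run the credential check and SignIn before it calls RequireLogin.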

Pelle
02-03-2005, 05:12 PM
Your help looks like the recipe for my issue, which of course is great. However, I am interested in what you mean by saying that I can make it more complicated if I want to.
Does that mean there is a better or maybe more secure way of achieving the same effect?
How can it be done more complicated?

lmf232s
02-03-2005, 06:00 PM
Well, I'm not exactly sure how you could make it more complicated, but I guess in your DB you could have columns for different sections of the web page. So you might have this

User
Password
Quality
Engineering
Sales

where quality, engin, and sales are depts or what not.
You could assign a number for access levels, 1 is read, 2 is read/write, 3 is full admin.

Now when your user logs in, instead of setting 1 variable to say Session("User") = Admin, you could set a couple of Session variables, 1 for each dept. Now when a user comes to the site you would again have some code at the top of the page to check security rights and, based off of those, you could hide update/save buttons, only allow the user to read the data, or, if it's an admin, allow them access to, say, direct table data, etc. Beyond that I'm not sure; this is pretty much the way I pass up my intranet, but then again I am on an intranet and not the internet, where security is more important. I don't get hacked on my intranet, whereas someone might try to hack your pages on the internet. Actually I'm not even sure if that is more complicated; this sounds like my original post, lol.