asp tutorials, asp.net tutorials, sample code, and Microsoft news from 15Seconds

A simple alternative to NT authentication is to cheat. Here's a "no NT involved" version of security.inc; just put

<!--#INCLUDE FILE="security.inc"--> 

at the top of each ASP page you want to protect, and put this in security.inc:


<%
'does the session know the user?
UserID=Session("UserID")
Rejected=False

If IsEmpty(UserID) Or IsNull(UserID) Or UserID="" Then
    Attempted=False

    'Figure out who we are, for later
    URL=Request.ServerVariables("QUERY_STRING")
    If IsEmpty(URL) Or URL="" Then
        URL="" ' just in case
    Else
        URL="?" & URL
    End If
    URL=Request.ServerVariables("SCRIPT_NAME") & URL

    'check for POSTed authentication information
    UserID=Request.Form("UserID")
    UserPWD=Request.Form("UserPWD")

    If IsEmpty(UserID) Or IsNull(UserID) Or UserID="" Then
        Rejected=True
    Else
        ' insert your own checking here -- this is deliberately lame
        If UserID="Foo" And UserPWD="Foo" Then
            'wahoo!
            'set the session variable
            Session("UserID")=UserID
            Rejected=False
        Else
            Attempted=True
            Rejected=True
        End If
    End If
End If

If Rejected Then
    If Attempted Then
        Title="Authentication Failure"
    Else
        Title="Please Authenticate"
    End If
%>
<!--#INCLUDE FILE="authentication_form.htm"-->
<%
    Response.End 'stop processing before it gets back to your page
End If
' ... otherwise, on with your normal page.
%>

The authentication page (authentication_form.htm) could look like this:

<html><head><title><%=Title%></title></head>
<body>
<h1><%=Title%></h1>
<% ' URL contains the request's query string, so encode it before writing it into the attribute %>
<form action="<%=Server.HTMLEncode(URL)%>" method="POST">
Username: <input type="text" name="UserID" size="20"><br>
Password: <input type="password" name="UserPWD" size="20"><br>
<input type="submit">
</form>
</body>
</html>

You could just as easily paste this HTML in where the INCLUDE is, but it makes it a little harder to edit using FrontPage. Note that anyone trying to hit authentication_form.htm is going to find it a little... well, useless. I'll leave it as an exercise to the reader how to get around this.

How does security.inc work?

If the user has authenticated already, security.inc notices that the UserID session variable is set and passes control back to your page. If they haven't, it sends them a form which asks for their username and password. When they submit that information, security.inc checks it and either gives them the form again or passes control back to your page.

The extra code is there to tweak the form if the user failed authentication (as opposed to simply not having authenticated yet), and to preserve any query information in the URL.

Note that if the user doesn't accept the ASP cookie (or is using a non-cookie-aware browser), the session variable won't be preserved and they'll be continuously asked to re-authenticate. You should modify the authentication page so that it warns users of this.
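
One way to produce that warning, as an added example that is not part of the original sample: this variant of security.inc marks the session each time it serves the form, and treats posted credentials that arrive without the mark as a sign that the browser did not return the ASP session cookie. The names `CookieProbe` and `CookieWarning` are assumptions introduced here; the warning is delivered through the existing `Title` variable, so authentication_form.htm needs no change.

```asp
<%
' security.inc with a session-cookie check (added example).
' CookieProbe and CookieWarning are illustrative names, not from the original.
UserID = Session("UserID")
Rejected = False
CookieWarning = False

If IsEmpty(UserID) Or IsNull(UserID) Or UserID = "" Then
    Attempted = False

    ' Rebuild this page's own URL so the form posts back to it
    URL = Request.ServerVariables("SCRIPT_NAME")
    If Request.ServerVariables("QUERY_STRING") <> "" Then
        URL = URL & "?" & Request.ServerVariables("QUERY_STRING")
    End If

    UserID = Request.Form("UserID")
    UserPWD = Request.Form("UserPWD")

    If IsEmpty(UserID) Or IsNull(UserID) Or UserID = "" Then
        ' Nothing posted yet: first visit, just show the form
        Rejected = True
    ElseIf IsEmpty(Session("CookieProbe")) Then
        ' Credentials were posted, but the session that served the form is
        ' not the one handling this request: the cookie did not come back.
        ' Refuse the login here, otherwise the user would see one page and
        ' be asked to authenticate again on the next click.
        CookieWarning = True
        Rejected = True
    ElseIf UserID = "Foo" And UserPWD = "Foo" Then
        ' Placeholder check kept from the original sample
        Session("UserID") = UserID
    Else
        Attempted = True
        Rejected = True
    End If
End If

If Rejected Then
    ' Mark the session that is about to serve the form
    Session("CookieProbe") = True

    If CookieWarning Then
        Title = "Cookies Required - Enable Cookies And Try Again"
    ElseIf Attempted Then
        Title = "Authentication Failure"
    Else
        Title = "Please Authenticate"
    End If
%>
<!--#INCLUDE FILE="authentication_form.htm"-->
<%
    Response.End 'stop processing before it gets back to your page
End If
%>
```

A session that timed out between serving the form and the POST produces the same message, because the mark is lost either way.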



