There is a simple alternative to NT authenication is to cheat. Here's a "no NT involved" version of security.inc; just put
<!--#INCLUDE FILE="security.inc"-->
at the top of each ASP page you want to protect, and put this in
security.inc:
<%
'does the session know the user?
UserID=Session("UserID")
Rejected=False
If IsEmpty(UserID) Or IsNull(UserID) Or UserID="" Then
Attempted=False
'Figure out who we are, for later
URL=Request.ServerVariables("QUERY_STRING")
If IsEmpty(URL) Or URL="" Then
URL="" ' just in case
Else
URL="?" & URL
End If
URL=Request.ServerVariables("SCRIPT_NAME") & URL
'check for POSTed authentication information
UserID=Request.Form("UserID")
UserPWD=Request.Form("UserPWD")
If IsEmpty(UserID) Or IsNull(UserID) Or UserID="" Then
Rejected=True
Else
' insert your own checking here -- this is deliberately lame
If UserID="Foo" AND UserPWD="Foo" Then
'wahoo!
'set the session variable
Session("UserID")=UserID
Rejected=False
Else
Attempted=True
Rejected=True
End If
End If
End If
If Rejected Then
If Attempted Then
Title="Authentication Failure"
Else
Title="Please Authenticate"
End If
%>
<!--#INCLUDE FILE="authentication_form.htm"-->
<%
Response.End 'stop processing before it gets back to your page
End If
' ... otherwise, on with your normal page.
%>
The authentication page (authentication_form.htm) could look like this:
You could just as easily paste this HTML in where the INCLUDE is, but it makes it a little harder to edit using FrontPage. Note that anyone trying to hit authentication_form.htm is going to find it a little...
well, useless. I'll leave it as an exercise to the reader how to get around this.
How does security.inc work?
If the user has authenticated already, security.inc notices that the UserID session variable is set and passes control back to your page. If they haven't, it sends them a form which asks for their username and password. When they submit that information, security.inc checks it and
either gives them the form again or passes control back to your page.
The extra code is there to tweak the form if the user failed
authentication (as opposed to simply not having authenticated yet), and to preserve any query information in the URL.
Note that if the user doesn't accept the ASP cookie (or is using a non-cookie-aware browser), the session variable won't be preserved and they'll be continuously asked to re-authenticate. You should modify the authentication page so that it warns users of this.
This 15 Seconds' issue contains source code and step by step instructions for creating a chat session using Active Server pages, HTML and a standard web browser. Also demonstrated is writing and reading of a file with an Active Server page. [Read This Article][Top]
