Password Protecting ASP Pages

This method of password protecting your ASP pages is very simple and effective…

For this example, we wanted to build in flexibility. Flexibility to provide your login form on any page and also to create the session objects when new users create an account and then to direct them to the protected page they were requesting. With some minor modifications, you can extend this example in many ways.

We have created the following pages:

> logon.asp
> logonvalidation.asp
> protected.asp
> register.asp
> registerentry.asp

In addition, we have created a database with one table called “Customers” and a database connection in FrontPage called “store”. The Customers table contains two fields: username and password.

We are going to explain all the pages here and then let you view the example.


This page is a simple form that contains two text input fields: username and password. The form submits to logonvalidation.asp. Here is an example:

Username (set the form field name to username)
Password (set the form field name to password)
Set the form properties to “Send to other” and then click Options. In the Action box type logonvalidation.asp.

This form can be placed on any page in your web but you should have a page with only this form on it in case your user tries to go to a protected page without first logging in. The code in the protected page will send the user to the logon.asp page. Once logged in, the user will be sent to the originally requested page.


This page checks the user information against the database, creates the users session objects and then directs the logged in user to the originally requested page if there was one. In case there was not, we have provided a list of links to our protected pages they can click on (this will be the case if you provide a login form on your home page and the user simply logs in prior to trying to visit any of your protected pages).

Here is the code that does the work. Paste this into HTML view above thetag and before any other code:

‘First we create a connection object
Set Conn = Server.CreateObject(“ADODB.Connection”)

‘Next, we open the connection object by calling the connection string
‘that FrontPage created and stored in the global.asa file when the “store”
‘connection was created
Conn.Open Application(“store_ConnectionString”)

‘Then we create a record set object and a SQL statement
Set RS = Conn.Execute (“SELECT * From Customers WHERE username = ‘” & Request.Form(“username”) & “‘ AND password = ‘” & Request.Form(“password”) & “‘”)

‘Loop through the database to check for the users information
Do until RS.EOF
Pass = RS(“Password”)
Name = RS(“username”)

‘Close the recordset and database connection

‘If the password given is not in the database then we don’t do anything.
‘Otherwise, we create the session objects
IF pass = “” Then
Message = “The Password you entered is either wrong or not found in our database. Please press the BACK button and try again.”
Session(“Password”) = Pass
Session(“username”) = Name

‘Now we will check to see it there is a session object for an original URL.
‘This would have been created (as you will see later) if the user first tried
‘to visit a protected page. If so, we send them there. If not, we stay here.
IF Session(“Ori_URL”) = “” Then ‘do nothing
End IF
End IF

Make sure you also consider website SSL protection.  See –,, and

Now, add your links for your password protected pages to this page. Remember, if the user first requested a password protected page, they will automatically be sent there and will never see this page.

In the above code, if the user does not enter a password, they will still see the list of links. In order to show them there was an error, we added a message in the above code after IF pass = . Now, add the following in to the body of your HTML to display the appropriate message:


You have been logged in as: Please select a page to go to:

> protected.asp



If the Password is blank or not found in the database then we tell the user to try again. Otherwise we show them the list of links or send them to the page they originally requested. If the password is blank or not found in the database then we never create the session object.

This is an include file that you will use for the top of each page that you want to password protect. The easiest way to create this is in Notepad. Once you import this into FrontPage, change the name of the page from passprotect.txt to Here is the code:

‘First we check to see if the user is logged in
IF Session(“Password”) = “” THEN

‘If their session is empty then we create a session for the current URL they were requesting
Session(“ORI_URL”) = Request.ServerVariables(“Path_Info”)

‘Then we redirect them to the login page
End IF

To add protection to your ASP pages, place the following line of code at the top of each page before any other HTML tags:


In order to protect a page in the fashion we are, it has to be an ASP page. To protect the page, simply copy the code mentioned above at the VERY TOP of the page in HTML view. Here is the code again:


This page is provided to allow new users to register a user name and password. This is a simple form that submits to registerentry.asp for processing. Create the form exactly like you did the login form. Set the form properties to “Send to Other”, click the Options button and in the Actionbox type: registryentry.asp


This page will accept the register information, write it to the database, create the session objects and also send the newly registered user to the originally requested page if there was one.

First, we will create the session objects. Place the following code in the head of the document just below the firsttag:

Session(“Username”) = Request.Form(“UserName”)
Session(“Password”) = Request.Form(“Password”)

Second, we will use the database results wizard to write the data to the database:

Click Insert > Database > Results.
Select the store connection and click Next
Select Custom Query and click the Edit button
Enter this statement: INSERT INTO Customers (username, password) VALUES (‘::username::’, ‘::password::’)
Click OK and go to step three.
Click More Options and remove the message
Click OK and then Next to go on to step four
Select the List formatting option and uncheck the boxes
Go on to step five where you will uncheck the Add Search box
Click Finish

You should now have a database results region on your page with only two yellow bars.

Finally, at the bottom of the page in HTML view, above thetag, we will insert the following code:

If Session(“Ori_URL”) = “” Then
End If

You may also want to provide links to your protected pages here as well in case the user did not get here by selecting a protected page initially.

Here are some final bits of information:

A session object is a method of maintaining state which is the act of preserving information from one page to another. Session objects are only maintained for the length of time that the user has their web browser open or when the server times the session out (which ever comes first). By default, IIS times inactive sessions out after 20 minutes. Session objects are held in the servers memory.

To test the application we built, you can start on any one of these pages. If you wish to come back and start again from a different page, click this button to end your current session and try the other page:


Leave a Reply

Your email address will not be published.