User Guide
What you have here as an example is a page with the security pre-configured, so all you need to do is browse to it.
Assuming we try that, with any luck we should get a pop-up asking for a username and password. For the moment
let's try user and userpass as the username and password respectively.
By now you should be seeing the sample page, my apologies for it being so dull but it's only there to show you
how this can work. Now let's close the browser and browse the file again, this time just try a few random users
and passwords, or even guest and guestpass as the username and password respectively. After a few
attempts your browser gives up all hope for you and dumps you at the custom 401 error page.
Now one last try - enter admin and adminpass as the username and password respectively, and with any
luck you should find yourself able to view the page again.
That is how the average user sees it work. In the sample users file there were three entries, guest, user and
admin, each of whom has a higher access level than the last. For my example the guest user
was not authorised to view that page so any attempt to view it failed even if a valid login was provided.
The access level for demo.asp comes from the page itself. As you can see, the first line simply includes the
authentication script while the second line calls the procedure which handles the authentication. The single
parameter it takes defines the basic access level a user must have to view this page, and since guest had
level 0 it could not view the page.
<!-- #INCLUDE FILE="code.asp" -->
<% SecurePage 1 %>
If you felt like being creative you could change that parameter to 0 and try to log in; you would find that all the
users were accepted since they all had access levels of 0 or higher. Equally you could change it to 2, at which
point only admin could log in, and lastly if you really wanted to you could change it to 3, and since no user in the
sample file has that level of access nobody could log in!
I mentioned the users file many times but so far I have not explained what it actually is and contains, so now is as
good a time as any to explain. It is just a simple text file containing delimited data, in this case
delimited by colons - the first part is the access level, the second is the username and the third is the password.
0:guest:guestpass
1:user:userpass
2:admin:adminpass
To add another user you simply need to add an extra entry to this file, choosing an access level, a username and
a password in the process; save the file and the user is added. If you want to, you can also go above the highest
access level used in my sample, not to mention add users with the same access level, such as in this example -
one person has a low access level, four people have basic access, two people have advanced access and one person
has total access.
0:bob:lemon
1:jane:apple
1:sue:banana
1:jane:apple
1:christy:pear
2:robert:mango
2:simon:orange
2:euan:lime
3:admin:kldscp
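
The users-file format and access-level rule described above, as an added Python example that is not part of this guide or of code.asp: it parses level:username:password entries, reports malformed lines and duplicate usernames, and applies the comparison SecurePage is described as making. The function names, splitting on the first two colons only, and letting the first duplicate entry win are assumptions.

```python
# Added example: a Python model of the users file and the SecurePage rule
# described in this guide. It is not the code in code.asp.
import hmac

# The guide's first sample users file.
SAMPLE_USERS = "0:guest:guestpass\n1:user:userpass\n2:admin:adminpass\n"


def parse_users(text):
    """Parse level:username:password lines into ({name: (level, pw)}, problems)."""
    users, problems = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Assumption: split on the first two colons only, so a password
        # may itself contain a colon.
        parts = line.split(":", 2)
        if len(parts) != 3 or not parts[0].isdecimal() or not parts[1]:
            problems.append(f"line {number}: malformed entry")
            continue
        level, name, password = int(parts[0]), parts[1], parts[2]
        if name in users:
            # Assumption: the first entry for a username wins.
            problems.append(f"line {number}: duplicate username {name!r}")
            continue
        users[name] = (level, password)
    return users, problems


def can_view(users, username, password, required_level):
    """True only for a valid login whose level is at least required_level."""
    entry = users.get(username)
    if entry is None:
        return False
    level, stored = entry
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return False
    return level >= required_level


def who_can_view(users, required_level):
    """Usernames that a page calling SecurePage required_level would admit."""
    return sorted(n for n, (lvl, _) in users.items() if lvl >= required_level)


if __name__ == "__main__":
    users, problems = parse_users(SAMPLE_USERS)
    for required in range(4):
        print(required, who_can_view(users, required))
```

Running the parser over a users file after each edit catches a repeated username or a mistyped line before it reaches the server.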
While we are talking about the users file, a very important thing to remember is that if possible you should keep it,
and any other material which does not need to be directly accessed, outside the webroot, simply because this creates
another barrier to stop people from idly reading all the contents of your "hidden" files with just a
browser. If you do move the file you'll need to change the line which tells the script where to look for the file;
by default the line in question reads:
Server.MapPath("users.txt")