Security


Extending IIS 5.0 Security with ASP Code

You can also create custom security schemes by using ASP code. For example, you could programmatically deny access to a page with the following code used as part of a POST. In this example, the original page prompted the user to enter a user name and password in a FORM:

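<%
   Dim strName, strPassword, fAllowAccess
   strName = Request.Form("Name")
   strPassword = Request.Form("Password")
   fAllowAccess = False   ' Deny by default.
   ' Do a database lookup and set fAllowAccess based on the query.
   If fAllowAccess = False Then
      ' Set the HTTP status line; AddHeader cannot set the status code.
      Response.Status = "401 Access Denied"
      Response.End   ' Stop processing so the rest of the page is not sent.
   End If
%>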

The assumption in this case is that there is a database with user names and passwords, which are both used as the basis to perform the security check.

Please note that this mechanism is very insecure. First, you must POST the data over a secure channel by using SSL; otherwise, intruders might be able to gather the user name and password as they travel in plaintext from the browser to the Web server. Also, if this page is circumvented, no access check can be performed whatsoever.
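
One way to address both weaknesses noted above, shown as an added example that is not part of the original documentation: a guard placed at the top of every protected page that refuses requests that did not arrive over SSL and requires a session flag set by the logon page. The session key "Authenticated" and the file name login.asp are assumptions chosen for illustration.

```asp
<%
   ' Added example. Place this at the top of every protected page, before
   ' any output, so the check still runs when the logon page is bypassed.
   ' Assumption: the logon page sets Session("Authenticated") = True only
   ' after the database lookup succeeds.
   Dim fAuthenticated

   ' 1. Refuse requests that did not arrive over SSL.
   If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
      Response.Status = "403 Forbidden"
      Response.End
   End If

   ' 2. Deny by default: only an explicit Boolean True grants access.
   '    An unset session value is Empty and fails the VarType test.
   fAuthenticated = False
   If VarType(Session("Authenticated")) = vbBoolean Then
      fAuthenticated = Session("Authenticated")
   End If

   If Not fAuthenticated Then
      ' "login.asp" is a hypothetical name for the logon page.
      Response.Redirect "login.asp"
      Response.End   ' Defensive: nothing below this line may run.
   End If
%>
```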


© 1997-1999 Microsoft Corporation. All rights reserved.