Building a website with Restricted Access: Part 1

In this tutorial we will be creating a site that has several user levels.

We will be using the standard behaviours of Dreamweaver MX 02/04 and we will also add some new ones.

Part one of the tutorial covers the set-up of the site, creating an Access database, and providing login access to our site, along with a registration facility.

We will be creating a Login page using the standard Dreamweaver behaviour, and then altering the code to allow us to use a single login page for both Administration and Standard users.

Create Additional Sessions from the Login

So we’ve got the login page and it works with two different types of users.

Now we are going to look at Sessions for passing the user's details throughout the site.

The Macromedia login behaviour creates two Sessions: MM_Username, which holds the user's Username, and MM_UserAuthorization, which holds the value from the UserAccessLevel column.

The Session MM_Username lets you filter a recordset from the website_users table on pages throughout the website, so you can show, say, the user's Forename and Surname and make the site personal to each user.

Whilst the Session MM_Username lets us filter a user's details, it does mean that if a user wishes to change their username, or someone manages to choose the same username as another user, you can in extreme circumstances have two people with access to each other's details.

To prevent this from happening, the ID from the user's details in the website_users table is a more secure value to filter on, but it is not available to us by default.

The following chapter of the tutorial will show you how to grab the user's AccountID and place it in a Session to make it available throughout the user's visit to the site.

First, open login.asp.

Locate

  MM_rsUser.Source = "SELECT UserName, UserPassword"

You want to add the AccountID column, so it looks as below:

  MM_rsUser.Source = "SELECT UserName, UserPassword, AccountID"

This selects the AccountID from the website_users table.

Then locate the following

  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If

You then want to add in a new line:

  Session("MM_UserID") = (MM_rsUser.Fields.Item("AccountID").Value)

So the code looks like:

  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    ' keep the AccountID of the matched row for lookups on later pages
    Session("MM_UserID") = (MM_rsUser.Fields.Item("AccountID").Value)
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If

This sets the Session MM_UserID from our column AccountID in the table website_users.

You can then, on every page following the login, display the user's AccountID, held in the Session MM_UserID, using <%=Session("MM_UserID")%>.

To check this is working, open your welcome.asp page and add a new paragraph to show the UserID on this page.

UserID= {Session.MM_UserID}; you will need to switch to the code view to enter the MM_UserID as <%=Session("MM_UserID")%>.

You can add as many Sessions as you wish, simply by repeating this process.

First add the column from the table to the Select statement, then set the Session name with the column as its value.

However, don't go overboard: there is a limit to how many sessions a site can healthily support, and since you can use MM_UserID to filter a user's record to find their full details, there is little extra you would want, by default, to carry in a Session rather than just call out of a recordset.
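As an added example (not part of the original tutorial or the Dreamweaver-generated code), here is one way a page such as welcome.asp could use Session("MM_UserID") to fetch the logged-in user's own row with a parameterised query. The connString placeholder and the Forename and Surname column names are assumptions; website_users and AccountID come from the tutorial.

```asp
<%@ LANGUAGE="VBSCRIPT" %>
<%
Option Explicit
' Added example: look up the logged-in user's row by Session("MM_UserID").
' Assumed names: the connString placeholder, the Forename and Surname columns.
Const adInteger = 3      ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum
Const adCmdText = 1      ' ADO CommandTypeEnum

Dim connString, userId, cmd, rsUser
connString = "YOUR_CONNECTION_STRING"   ' placeholder: use your site's own connection string

' An empty or non-numeric value means the visitor never logged in or the
' session expired, so send them back to the login page.
If IsEmpty(Session("MM_UserID")) Or Not IsNumeric(Session("MM_UserID")) Then
  Response.Redirect "login.asp"
End If
userId = CLng(Session("MM_UserID"))

' Bind the ID as a typed parameter rather than concatenating it into the SQL.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = connString
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Forename, Surname FROM website_users WHERE AccountID = ?"
cmd.Parameters.Append cmd.CreateParameter("AccountID", adInteger, adParamInput, , userId)
Set rsUser = cmd.Execute
%>
<% If rsUser.EOF Then %>
<p>No account found for this session.</p>
<% Else %>
<p>Welcome, <%= Server.HTMLEncode(rsUser("Forename") & " " & rsUser("Surname")) %></p>
<% End If
rsUser.Close
Set rsUser = Nothing
Set cmd = Nothing
%>
```

Because the ID is read from the server-side Session rather than from a form field or query string, a visitor cannot switch to another user's record by editing the request.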


Carl Grint

Since graduating from university, I have worked with Charities and the Public sector, with my longest time being 3 years with the NHS until returning to freelance in 2003.

I would like to think my diverse experience of working for both the Public and Private sector gives me a good all rounding which enables me to approach projects with a unique perspective and enables me to bring new thoughts and initiatives to my work.

I have always enjoyed passing on the lessons I have learned so other developers can bypass the 'working out' time I had to go through, and writing my first two articles for DMXzone has given me a chance to pass on what I think are some good ways to improve on the standard Authentication behaviours Macromedia supply with Dreamweaver.