From: "Kyle Volkers"
Subject: Adding log out feature for visitors
Newsgroups: microsoft.public.frontpage.extensions.windowsnt
Currently, our web site has password protected areas for certain
information. Our visitors log in with their unique username and password
and can see their specific information. The L and P information is NOT kept
in an ODBC source, if that matters. How can we support a log out feature in
our Front Page web site?
Currently, in order to protect their personal account info, they must close
down their browser in order to erase the saved username and password
information in the browser's "memory".
Any ideas would be helpful...(tia)
--
K Volkers
============================
From: "Dan Lockwood"
Subject: Re: Adding log out feature for visitors
Newsgroups: microsoft.public.frontpage.extensions.windowsnt
You may consider using ASP sessions. See the following article:
Secure Logins
By Ken Spencer
Many organizations build Web applications that require users to log on,
usually because they need to control access to sensitive information. But
while security needs may vary, the overall challenge is the same: how do you
force users to log on to your application appropriately?
The answer can take several forms. You might try to use built-in Windows NT®
security features. However, if you force everyone to log on using Windows NT
Password Authentication, then all the users accessing your site must be
Windows NT users. This might be a problem if 10,000 users who are not in the
Windows NT SAM database visit your site - that's a lot of user accounts to set
up and maintain. You might also try NTFS file security, but that requires
lots of manual tweaking of file security, defining Windows NT user accounts,
and so on, resulting in many of the same problems.
I'm going to show you another approach, an approach that's similar to what
we used in the Registered Users area of our Web site at http://www.32x.com.
This area allows anyone who has attended one of 32X Corporation's seminars
to access and download the sample files provided. When the user selects the
Registered Users option, the resulting page requests the confirmation number
given to the user when they attended the seminar. The confirmation number is
looked up in a Microsoft Access database and, if the lookup is successful, a
custom page is created and returned to the browser.
The example I created for this article uses a SQL Server™ database to hold
user accounts that are defined explicitly for this application. The same
account may or may not exist in the Windows NT SAM database, but this
application does not check for a matching SAM entry. When a user tries to
access the sample site, the Login.asp page requests their user name and
password. When the user submits the page, CheckUser.asp looks up the user
name and password in the SQL Server database. If the user name and password
are found, the user is logged on and the groups the user belongs to are
retrieved. If the user is not logged in, then Login.asp displays again. The
home page each user sees depends on the group the user belongs to.
I will show you how to build this code for use in any application. I will
also point out some of the nuances of using the login approach and what you
may need to do to secure the app. Then I'll walk you through the process of
creating the database and stored procedures used to perform the data
retrieval.
{The rest of this article can be found in the MSDN Online Library. The
current URL is:
http://www.msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/periodic/period98/securelogin.htm
There is also a 10KB download that includes the script of the example. }
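
An added example of the logout flow that ASP sessions make possible, not code from this thread or from Ken Spencer's article: once the login state is held in the server-side Session object, a logout page can end it with Session.Abandon instead of the visitor closing the browser. Login.asp and CheckUser.asp are the article's page names; RequireLogin.asp, Logout.asp, the Session keys, the group names, the home-page file names and the userName/groupName variables are assumptions.

```asp
<%
' ===== CheckUser.asp (fragment): runs only after the database lookup succeeded =====
' userName and groupName are assumed to hold the values returned by that lookup.
Session("UserName") = userName
Session("Group") = groupName
Session.Timeout = 20          ' minutes of inactivity before the server ends the session

' Send each user to the home page for their group (group names are hypothetical).
Select Case Session("Group")
    Case "Admins"
        Response.Redirect "AdminHome.asp"
    Case Else
        Response.Redirect "MemberHome.asp"
End Select
%>

<%
' ===== RequireLogin.asp (hypothetical): pulled in with an include directive =====
' ===== as the very first thing on every protected page                      =====
Response.Buffer = True
' Tell the browser and proxies not to keep copies of protected pages, so the
' Back button does not redisplay account data after the user has logged out.
Response.Expires = -1
Response.AddHeader "Cache-Control", "no-store, no-cache, must-revalidate"
Response.AddHeader "Pragma", "no-cache"

' An unset Session value is Empty, which compares equal to "".
If Session("UserName") = "" Then
    Response.Redirect "Login.asp"
End If
%>

<%
' ===== Logout.asp (hypothetical): target of the "Log out" link =====
' Abandon destroys everything stored in the Session once this page finishes,
' so the next request to a protected page fails the RequireLogin.asp check.
Session.Abandon
Response.Redirect "Login.asp"
%>
```

The three script blocks belong in three separate files. The check in RequireLogin.asp is what enforces the logout, so it has to be on every page that shows account data.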