Free! Building a website with Restricted Access: Part 1

In this tutorial we will be creating a site, which has several user levels.

We will be using the standard behaviours of Dreamweaver MX 02/04 and we will also add some new ones.

Part one of the tutorial will be covering the Set-up of the site, creating an Access database and providing login access to our site, along with a registration facility.

We will be creating a Login page using the standard Dreamweaver behaviour, and then altering the code to allow us to use a single login page for both Administration and Standard users.

Create Additional Sessions from the Login

So we’ve got the login page and it works with two different types of users.

Now we are going to look at Sessions for passing the users details throughout the site.

The macromedia login behaviour creates two Sessions, MM_Username is the user’s Username, and the second is MM_Authorization, which contains the details in the UserAccessLevel column.

The Session MM_Username enables you to filter a recordset on pages throughout the website from the website_user table so you can show say the Users Forename and Surname, and make the site personal to each user.

Now whilst the Session MM_Username enables us to filter a users details, it does mean that if the user wishes to change their username or someone manages to choose the same username as another user, you can in the extreme circumstances have two people having access to each others details

To prevent this from happening, the ID from the users details in the website_users table, is a more secure way to achieve this, but it is not available to us by default.

The following chapter of the tutorial will show you how to grab the User’s AccountID, and place it in a Session to make it available throughout the users visit to the site.

We need to open the login.asp.

Locate

  MM_rsUser.Source = "SELECT UserName, UserPassword"

You want to add the AccountID column, so it looks as below

 MM_rsUser.Source = "SELECT UserName, UserPassword, AccountID"

This selects the AccountID from the website_users table

Then locate the following

  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ‘ username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> ") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = "
    End If

You then want to add in a new line

Session("MM_UserID") = (MM_rsUser.Fields.Item("AccountID").Value)

So the code looks like

  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ‘ username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    Session("MM_UserID") = (MM_rsUser.Fields.Item("AccountID").Value)
    If (MM_fldUserAuthorization <> ") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = "
    End If

This sets the Session MM_UserID from our column AccountID in the table website_users.

You can then on every page following the login, display the User’s AccountID, in the Session MM_UserID, using <%=Session("MM_UserID")%>

To check this is working, open your welcome.asp page and add a new paragraph to show the UserID on this page.

UserID= {Session.MM_UserID}, you will need to change to the code view to enter the MM_UserID as <%=Session("MM_UserID")%>