Using IISPassword and a database for a secure members area
I've often used IISPassword to secure CMS admin areas on my client's websites and wanted to try and use it for a secure members area in conjunction with a database so that each user would be served their own personal pages once they'd logged in.
Although I could create a separate account for each user, I needed to find a way of retrieving the logged in user's username and password so that I could then use them to query the database and pull the records for the logged in user.
I found that the logged in user's username and password are contained in the server variable: "HTTP_AUTHORIZATION".
To retrieve the username and password of the logged in user, grab the server variable to a string (strLogin):
Dim strLogin
strLogin = Request.ServerVariables("HTTP_AUTHORIZATION")
Replace "Basic " with "" in strLogin:
strLogin = replace(strLogin,"Basic ","")
Base64Decode strLogin:
strLogin = Base64Decode(strLogin)
To do this you'll need a Base64Decode function:
Function Base64Decode(base64String)
    Const Base64CodeBase = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    Dim dataLength, Out, groupBegin
    dataLength = Len(base64String)
    Out = ""
    ' Valid Base64 is always a multiple of four characters long
    If dataLength Mod 4 <> 0 Then
        Err.Raise 1, "Base64Decode", "Bad Base64 string."
        Exit function
    End if
    ' Decode one group of four characters (24 bits) at a time
    For groupBegin = 1 To dataLength Step 4
        Dim numDataBytes, CharCounter, thisChar, thisData, groupData
        numDataBytes = 3
        groupData = 0
        For CharCounter = 0 To 3
            thisChar = Mid(base64String, groupBegin + CharCounter, 1)
            If thisChar = "=" Then
                ' Each padding character means one byte fewer in this group
                numDataBytes = numDataBytes - 1
                thisData = 0
            Else
                thisData = InStr(Base64CodeBase, thisChar) - 1
            End if
            If thisData=-1 Then
                Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
                Exit function
            End if
            groupData = 64 * groupData + thisData
        Next
        ' Split the 24-bit group back into up to three bytes
        Dim OneChar
        For CharCounter = 1 To numDataBytes
            Select Case CharCounter
                Case 1: OneChar = groupData \ 65536
                Case 2: OneChar = (groupData And 65535) \ 256
                Case 3: OneChar = (groupData And 255)
            End Select
            Out = Out & Chr(OneChar)
        Next
    Next
    Base64Decode = Out
End function
Split strLogin on the first ":" only. A password may itself contain colons, so limit the split to two parts:
strLogin = split(strLogin,":",2)
Assign the array substrings to variables for use in the database access SQL:
Dim strUNM, strPWD
strUNM = strLogin(0)
strPWD = strLogin(1)
That's it!
I can now use IISPassword to secure a folder and use the same login to populate the logged in user's pages with their own details from the database.
This makes using IISPassword an ideal way of protecting a logged-in only members area without the hassles of session time-outs.
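The decoded username ends up in a SQL query, so it should be bound as a parameter rather than concatenated into the statement text. The following is an added example, not the original author's code, using ADODB.Command; the connection string, the Members table, its column names, the 64-character limit and the sample username are all assumptions:

```vbscript
' Added example. Table, columns, connection string and length limit are assumptions.
Const adCmdText = 1          ' ADO CommandTypeEnum
Const adParamInput = 1       ' ADO ParameterDirectionEnum
Const adVarWChar = 202       ' ADO DataTypeEnum
Const MAX_USERNAME_LEN = 64  ' assumed width of the Username column

' Returns a recordset for the member, or Nothing if the name is empty or too long.
Function GetMemberRecord(conn, userName)
    Set GetMemberRecord = Nothing
    If Len(userName) = 0 Or Len(userName) > MAX_USERNAME_LEN Then Exit Function

    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholder keeps the value out of the SQL text entirely,
    ' so quotes or SQL keywords in the username are treated as data.
    cmd.CommandText = "SELECT MemberID, FullName, Email FROM Members WHERE Username = ?"
    cmd.Parameters.Append cmd.CreateParameter("Username", adVarWChar, _
        adParamInput, MAX_USERNAME_LEN, userName)
    Set GetMemberRecord = cmd.Execute
End Function

Dim conn, rs, userName
userName = "alice"   ' constructed sample; on this page the value is strUNM

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "YOUR-CONNECTION-STRING"   ' placeholder, replace with your own

Set rs = GetMemberRecord(conn, userName)
If rs Is Nothing Then
    Response.Status = "400 Bad Request"
ElseIf rs.EOF Then
    Response.Write "No member record found."
Else
    ' Encode on output so stored values cannot inject markup into the page
    Response.Write "Welcome, " & Server.HTMLEncode(rs("FullName").Value & "")
End If

If Not rs Is Nothing Then rs.Close
conn.Close
```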
Comments
If all your usernames are unique, retrieving just the logged in user's username is usually enough to build your SQL and grab a recordset containing the user's details from your database.
You can do this easily using Request.ServerVariables("HTTP_IISPWD_USER")
No additional string manipulation or decoding is necessary.