Create a table to store login and encrypted salt in database, when someone enters a password, use standard encryption algo and see whether the string matches with what is there in database. It is pretty straight forward.

hi johnny.g,
There are several article's were available , make Googled and you can definately got some solution on it.
I found out two article based on it. Just visit the link.

http://www.daniweb.com/forums/thread6028.html

http://support.microsoft.com/default.aspx?scid=KB;EN-US;q301240&ID=KB;EN-US;q301240

Hope this will help you.
Thanks & Regards
Dilipv

Here's one simple example where you can receive, check and redirect user logins.
Change the DB table fields and so on to match your own data base.

<%
PW = Request.Form("pass") ' password from the loginform
UN = Request.Form("user") ' username from the loginform

SQL = "SELECT * FROM <user_table> WHERE username = '"& UN &"' AND passwd ='"& PW &"'"
Set RS = Conn.Execute(SQL)


If Not RS.EOF Then ' If the username and password exists in the database

Session("valid") = True '  Keep the valid value in session for later use
Session("uid") = RS("<userid>") ' Keep the member userid in session for later use

Response.Redirect"some_valid_members_page.asp?uid=" & Session("uid")

Else  'If the username and password NOT exists in the database, send them back to your loginpage

Response.Redirect"some_page_where_you_have_the_login_form.asp 

RS.Close
Conn.Close
Set RS = Nothing
Set Conn = Nothing
End If
%>

That's pretty much it. The only thing you have to worry about is case sensitivity. This depends on your server settings on which it is set to case-sensitive or case-insensitive. You should pull the password from the database and then check it thoroughly. You don't want someone to use "PassWoRd" and allow them to login with "password", you know what I mean?

Just create a connection and recordset. Then create an SQL query to retrieve the password. Check to see if there are any results (EOF = end of file), then compare the two if there are. If there are not any results, post an error to the user. An example of this was above, and is below:

Dim rs, conn, sql, passwd, uname

passwd = Trim(Request.Form("password"))
uname = Trim(Request.Form("username"))

Set conn = Server.CreateObject("ADODB.Connection")
conn.Provider = "this is your connection string. Look one up at http://connectionstrings.com"

Set rs = Server.CreateObject("ADODB.Recordset")

'Select the password from the database where the supplied username exists.
sql = "SELECT userpassword FROM users WHERE username='" & uname & "'"

'Open the connection called "conn"
conn.Open()

'Open a recordset that retrieves the query with connection "conn"
rs.Open sql, conn

if Not rs.EOF then
  'If you haven't reached the end of the recordset, there must be a record!
  if StrComp(rs("userpassword"), passwd, 0) = 0 then
    'The 0 stands for case-sensitive. 1 is case-insensitive.
    'If this command equals zero, then it passed validation.
    'Give them a session to store that they logged in. This way you can check
    'at a later time if they logged in.
    Session("logged") = "True"
    'Send the user to the good pages!
    response.redirect("loggedin.asp")
  else
    'Failed to login, incorrect password.
    'Try not to let them know if they have the right username.
    'Just tell them it all failed.
    response.write("incorrect username or password.")
  end if
else
  'No records, meaning there are no users with that username.
  response.write("incorrect username or password.")
end if

rs.Close()
set rs = nothing

conn.Close()
set conn = nothing
'If you do not close the connection, they will continuously rack up, which will slow down, if not halt your program/website. Always close. Disposing of the variable (setting it to nothing) frees up space for the next user. Not required, but definitely good techniques.

The timeout for this session is
<%
Response.Write(Session.Timeout)
%>
minutes.

That's not asp, isn't that asp.net? different language, completely.

Nope the web.config file isn't used by ASP what I know.

A session time limit can be set. Default is 20 minutes, the example below is set to 5 minutes.

<%
Session.Timeout=5
%>

Yes you are in the wrong forum. Head over to ASP.NET

Then do a search for "Login Membership" and you'll find what you need to. It's been discussed many times.

ASP.Net does this right out of the box doesn't it? ...

yes and no. You have to setup the membership and then yes it does. Requires some customization, but then again.. what doesn't?