I was able to develop a simple user name and password code that would enable users to log into my website before viewing the home page. This worked. Now I have tried to apply the code below to ensure that no link typed into the browser for any of my web page files will show unless the user login session is signed in as true (code below):
<%
If Session("BlnLoggedIn") <> True Then
Response.Redirect("login.asp")
End If
%>

I have tried to place this code at the very top of my HTML page, but it doesn't seem to work; instead the code appears on the HTML page in the browser when you view it... Am I applying the correct code? Or am I not putting it in the right place on my HTML pages? I want to block users from viewing all my HTML pages unless the user login session is true according to my code. This would mean that if they are not logged in they would be redirected to the login.asp page. How do I go about it?

It must be an aspx page, not html. Otherwise it will never be read.

However, if you are hitting a problem, you should set your BlnLoggedIn to "True" and not just True. Session variables aren't really used as booleans, so set it to a static text. You can even do just "0" and "1" for the sake of your server's memory capabilities and to save memory as well.

You also need to place it within a page rendering tag, like "Page_Init".

Sub Page_Init(ByVal S As Object, ByVal E As EventArgs)
  If Not Session("BlnLoggedIn") = "1" Then Response.Redirect("login.aspx")
End Sub

However, if you are using Classic ASP, you are in the wrong forum, but your code should work. Try setting your "True" value as a string instead of a boolean.

My favorite approach is to pass the user's identity # after log-in.

on log-in page
context.items.add("UID", useridfromdb)

where useridfromdb is the identity value from the database

Then, on the Page_Load for each page, I get the user's record #

on pageload event:

dim uid as string
uid = context.items("UID")

if uid = "" then
server.transfer("~/notauthorized.aspx")
end if

That sits at the top. It is also a good idea to make sure it is not a postback when checking.

Does this make sense?

I agree. Use form authentication.
You can protect your site with a simple two-line code in the web.config file.
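
The web.config approach mentioned in the reply above, as an added example that is not part of the original thread: forms authentication with anonymous users denied site-wide. The login.aspx name comes from the thread; the timeout, the requireSSL setting and the IIS 7+ integrated-pipeline section (needed so static .html files are covered as well as .aspx pages) are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Unauthenticated requests are redirected to the login page.
         The loginUrl itself is always reachable without a ticket. -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx"
             timeout="30"
             protection="All"
             requireSSL="true" />  <!-- assumption: the site is served over HTTPS -->
    </authentication>

    <!-- "?" means anonymous users: deny them everywhere in the application. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Assumption: IIS 7+ in integrated pipeline mode.
       By default these modules only run for managed handlers (.aspx),
       so plain .html files would still be served to anyone.
       Re-adding them without the managedHandler precondition makes the
       same authorization rule apply to static files. -->
  <system.webServer>
    <modules>
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>
```

With this in place the login page issues the ticket by calling FormsAuthentication.RedirectFromLoginPage after it has validated the credentials, and no per-page session check is needed.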
