Adobe Dreamweaver CS3 Unleashed- P28 pps

and better yet, how can we use those credentials on other pages in the site to prevent users from trying to access pages without logging in first? The great thing about the Log In User server behavior is that a session variable (which we briefly mentioned in the previous chapter) is automatically created for the user, as follows:

    Session("MM_Username")

This session variable can be used in other pages (as you'll see in the next section) using server behaviors, code, or a combination of both to determine whether the user is logged in.

Note

The measure of activity that a user spends on a website during a specified period of time is known as a user session. The user session begins when the user accesses the application and ends when the user quits the application (by either logging out or closing the browser). Because the user session is typically tracked through a browser cookie, developers can take advantage of sessions to store and persist specific data about the user. The Log In User server behavior, for instance, uses user sessions to store a key authorizing the user to browse through a site that is protected by a user authentication system like the one we're creating here.

Restricting Access Based on Username, Password, and Access Level

Your next step in securing your web application is to restrict those users who do not meet criteria specified by you. You can specify that criteria by setting an access level that will eventually be used to track users as they navigate through your site. The reason for establishing access criteria is simple: you want to make sure that your users do not accidentally navigate onto a page that they are not supposed to see, such as the admin page. The last thing you want is for ordinary users to delete products from the EmployeeStore table. You can create access levels for your users by following these steps:

1. Open the database management system for the type of database you are using.
The following examples and subsequent screenshots assume that you are using Access. However, you can follow all these examples using Management Studio Express (for SQL Server 2005 Express) or MySQL Administrator (MySQL) as well.

2. With the database open, open the Employees table in Design view. The Employees table appears in Design view similar to Figure 28.3.

Figure 28.3. Open the Employees table in Design view.

3. Right-click the email field and select Insert Rows, as shown in Figure 28.4.

Figure 28.4. Insert a new row for the access level field.

4. Call the new field AccessLevel and give it a numeric (Number) data type.

5. Save the table by choosing File, Save. Switch to the Datasheet view by clicking the View icon just below the File menu.

6. In the AccessLevel column, assign a value of 2 to all the users except for Wally the Webmaster. Assign him a value of 1. The result is shown in Figure 28.5.

Figure 28.5. Give Wally an access level of 2. This makes Wally the administrator of the site.

The following table describes the levels of users and how they will be tracked within the application:

    Level  Type   Description
    2      Admin  Rights to the entire site
    1      User   Rights to all excluding admin.asp

7. You're done making changes to the database. Save your work and close out of your database.

8. Switch back to the login.asp, login.cfm, or login.php page in Dreamweaver and reopen the Log In User server behavior by double-clicking it in the Server Behaviors panel. The Log In User dialog opens.

9. At the bottom of the dialog, you'll see the Restrict Access Based On option button group. This time, select the Username, Password, and Access Level option button. Choose the AccessLevel option from the Get Level From menu that becomes enabled, as shown in Figure 28.6.

Figure 28.6. Change the login criteria to Username, Password, and Access Level.

10. Click OK.

11. Save your work.
Although you will not see any changes when you log in, rest assured that a session variable has been set for the access level, named:

    Session("MM_UserAuthorization")

As was the case with the session variable MM_Username that was created in the previous section, the session variable MM_UserAuthorization can also be checked, through a server behavior dialog, to determine whether a user has the appropriate access level to view a particular page.

Custom Error Messages

Although many error messages exist that you can present to the user, one that must be taken care of right away is the failed login error message. Currently, if a user logs in with an inappropriate username and password, the browser redirects to the same login page and does nothing. Ideally, what you want is a custom error message that alerts the user to a failed login attempt. Knowing this, the user can try to log in again. You can create a simple error message by following these steps:

1. Open the login page if it is not currently open. Add two new rows to the login table just below the button form object that you created previously.

2. Add the text That is not a valid login. in the second row. Change the font to a red color so that it appears as if it is an error message.

3. The next step is to somehow capture an error response from the login failure. You can accomplish this by setting a URL parameter in the Log In User dialog. Open the Log In User server behavior by double-clicking it in the Server Behaviors panel. When the dialog opens, add the string ?valid=false just after login.asp in the If Login Fails, Go To text box, as shown in Figure 28.7.

Figure 28.7. Add a parameter to the URL string for the failure response.

4. Click OK to close the Log In User dialog.

5. You'll now want to write some code to capture that parameter if it exists and display the message accordingly. To do this, highlight the error message you created in step 2 and switch to Code view.
Replace your selection with the following code (shown in ASP):

```asp
<% If (Request.QueryString("valid") = "false") Then %>
<span style="color:Red">That is not a valid login.</span>
<% End If %>
```

If you're using ColdFusion, replace it with the following code:

```cfml
<CFIF ISDEFINED("URL.valid")>
  <CFIF URL.valid IS "false">
    <span style="color:Red">That is not a valid login.</span>
  </CFIF>
</CFIF>
```

If you're using PHP, replace it with the following code:

```php
<?php
// Show the message only when the query string carries valid=false
// (isset() returns a boolean, so the value must be compared separately).
if (isset($_GET['valid']) && $_GET['valid'] == "false") {
    echo '<span style="color:Red">That is not a valid login.</span>';
}
?>
```

As you can probably make out from the code snippet you just added, the idea is to check whether a parameter named valid is being sent across the query string. If there is, and that parameter has a value of false, the page displays the message That is not a valid login. Save your work and test the result in the browser by pressing F12 (Option+F12). Enter some bogus information into the username and password text boxes and click Login. This time, you should be presented with an error message.

Check to See Whether the User Is Logged In

Although you might think your application is completely secure, it is, in fact, still completely vulnerable. What's to stop a user from typing in the URL to your application plus index.asp, index.cfm, or index.php, completely bypassing your login page? You should never expect your users to use the login page simply because it's there. Most browsers even try to guess the URL you are typing by autofilling the complete URL. If users accidentally select the index page, they can easily bypass the login page and jump directly into the site, thus failing to create a session for the user and ultimately causing errors. You can avoid this problem by detecting whether the user's session exists. Because the user session is created at login, if the user tries to bypass the login screen, the application can detect that and redirect the user back to the login page automatically.
To add this functionality to your site, follow these steps:

1. Open the admin.asp, admin.cfm, or admin.php page, depending on the server model you're using. We're opening this page because it is one of the only pages in the site to which we want to restrict user access.

2. Select the Restrict Access to Page server behavior from the User Authentication submenu by clicking the Add (+) button in the Server Behaviors panel. The Restrict Access to Page dialog appears.

3. The Restrict Access to Page dialog enables you to set the user levels that are allowed to enter this page, as well as a redirect URL for the failure. Select the Username, Password, Access Level option button.

4. Click the Define button. The Define Access Levels dialog appears.

5. From this dialog, you can customize and configure the access levels that are allowed to view your page. Click the Add (+) button and add the value 1 (normal users' access level), as shown in Figure 28.8.

Figure 28.8. The Define Access Levels dialog enables you to set access restrictions for a particular page.

6. Click OK to close the Define Access Levels dialog.

7. Back in the Restrict Access to Page dialog, make sure that you select the access level 1 option from the Select Level(s) list box.

8. Type the following value into the If Access Denied, Go To text box:

    login.asp?login=false

Obviously, if you're using ColdFusion, the extension for the login file is .cfm, and if you're using PHP, the extension is .php. Similar to how we defined the custom error message for the failed login attempt, we'll create a custom error message that alerts users that they'll need to log in before proceeding to any of the pages in the site. The completely formatted dialog is shown in Figure 28.9.

Figure 28.9. Add a parameter to the end of the URL so that you can eventually create a custom error message on the login page.
Tip

If you're using ColdFusion, there's one other modification you need to make in code. In the login.cfm page, switch to Code view and change the scope="Session" attribute and value to scope="Server". This line appears as the eighth or ninth line of code in the page.

9. Reopen the login page if it's not open already. Place your cursor below the existing error message and type the text You must be logged in.

10. Again switch to Code view and type the following code (shown in ASP), just under the code you entered in step 5 of the previous section:

```asp
<% If (Request.QueryString("login") = "false") Then %>
<span style="color:Red">You must be logged in.</span>
<% End If %>
```

If you're using ColdFusion, type the following code:

```cfml
<CFIF ISDEFINED("URL.login")>
  <CFIF URL.login IS "false">
    <span style="color:Red">You must be logged in.</span>
  </CFIF>
</CFIF>
```

If you're using PHP, type the following code:

```php
<?php
// Show the message only when the query string carries login=false
// (isset() returns a boolean, so the value must be compared separately).
if (isset($_GET['login']) && $_GET['login'] == "false") {
    echo '<span style="color:Red">You must be logged in.</span>';
}
?>
```

As you can probably make out from the code snippet you just added, the plan is to check whether a parameter named login is being sent across the query string. If there is, and that parameter has a value of false, the browser displays the message You must be logged in.

Save your work. This time, make sure that all browser windows are closed; this action effectively terminates all sessions. Reopen the browser and try to go straight to the admin.asp, admin.cfm, or admin.php page without logging in first. You are automatically redirected back to the login page, and the custom error message is displayed.

Now that you know how to add it to the admin page, you'll want to add this functionality to all the pages in the Vecta Corp application that you want to restrict user access to. I'll leave that decision to you.

Logging Out Users

Just as you require your users to log in, you will want them to log out as well.
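As an added example (not code from the book and not what Dreamweaver generates), here is how the Restrict Access to Page check described above and the Log Out User behavior this section introduces can be written by hand for the PHP server model, using the session variable names the chapter uses (MM_Username and MM_UserAuthorization). The file name restrict_access.php, the function names and the page-to-level map are assumptions.

```php
<?php
// restrict_access.php (assumed name): page guard and logout helper modelled on
// the Restrict Access to Page and Log Out User behaviors. Session keys follow
// the chapter; everything else here is an assumption for illustration.

session_start();

// Which access levels may view which page. Following step 5 above, the admin
// page admits level 1; the other entry is a constructed example.
const PAGE_LEVELS = [
    'admin.php' => [1],
    'index.php' => [1, 2],
];

// True only when the session carries a username AND a level in $allowedLevels.
// No session, a logged-out session, or a missing level all mean "not allowed".
function user_may_view(array $session, array $allowedLevels): bool
{
    if (empty($session['MM_Username'])) {
        return false;                       // never logged in, or logged out
    }
    if (!isset($session['MM_UserAuthorization'])) {
        return false;                       // logged in but no level was set
    }
    // Compare as integers so a level read from the database as "1" matches 1.
    return in_array((int) $session['MM_UserAuthorization'],
                    array_map('intval', $allowedLevels), true);
}

// Guard the calling page: on failure redirect to the login page with
// login=false (the parameter the custom error message above looks for).
function restrict_access(string $page, string $loginUrl = 'login.php'): void
{
    $allowed = PAGE_LEVELS[$page] ?? [];    // unknown page: nobody is allowed
    if (!user_may_view($_SESSION, $allowed)) {
        header('Location: ' . $loginUrl . '?login=false');
        exit;
    }
}

// Log the user out the way the Log Out User behavior does: drop both session
// variables, discard the session itself, then send the user to the login page.
function log_out_user(string $redirectTo = '/login.php'): void
{
    unset($_SESSION['MM_Username'], $_SESSION['MM_UserAuthorization']);
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {   // also expire the session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $redirectTo);
    exit;
}

// Usage at the top of admin.php:   require 'restrict_access.php'; restrict_access('admin.php');
// Usage behind the Log Out link:   if (isset($_GET['doLogout'])) { log_out_user('/login.php'); }
```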
Logging out guarantees that the users' session variables are instantly terminated, forcing them to log in again whenever they return to the site. For the most part, users will simply close the browser, terminating the session, but if users continue to browse online, it may be a good idea to alert them to log out first. Session variables, by default, remain active for 20 minutes, so if users fail to log out, their sessions would remain active even though they're navigating another website.

To create the logout functionality for the Vecta Corp site, follow the steps outlined next:

1. Open the Vecta Corp template for the site you're working with. The template.dwt.asp, template.dwt.cfm, and template.dwt.php files are located in the Templates folder in the Site Files panel, regardless of the server model you're using.

2. Place your cursor just after the Search text field and button and press Enter (Return).

3. Type the text Log Out.

4. With the text highlighted, select the Log Out User server behavior from the User Authentication submenu by clicking the Add (+) button in the Server Behaviors panel. The Log Out User dialog appears.

5. The Log Out User dialog enables you to specify criteria for the logout, including whether the logout will take place when the user clicks a button or a link, or when the page loads. You can also specify a page to redirect the user to after the Log Out button/link has been clicked. For our project, select the Selection: "Log Out" option from the Link Clicked menu and enter the value /login.asp, /login.cfm, or /login.php (depending on the server technology you're using) in the When Done, Go To text box.

6. Click OK to close the Log Out User dialog.

7. Save the page and update all pages that share the template.

Test the result in the browser by opening the login.asp, login.cfm, or login.php page and pressing F12 (Option+F12). Log in and navigate through the site. Try clicking the Log Out link. You are immediately redirected to the login page.
Try typing admin.asp, admin.cfm, or admin.php (essentially a page that restricts access based on the session) into the address bar, and you should be redirected back to the login page with the error message displayed. The reason for this redirection is simple: your session doesn't exist anymore. Clicking the Log Out link does two important things: it completely removes the session variables MM_Username and MM_UserAuthorization, and it redirects you to the login page. The important thing to remember is that the two session variables are removed. And because they don't exist, the application treats you as if you've never logged in before.

Revamping the New User Registration Page

Now that most of the site has some sort of security integration, the last order of business is to make the New User Registration page available only to new users. If a user has already registered, that user won't visit the page, but for users who have never been to the site, the New User Registration page must be made available and easy to find. You've added a link from the login page that jumps directly to the New User Registration page; the problem is that you still have buttons to the left of that page that link to the other Vecta Corp pages. A new user should not be given the opportunity to navigate to any portions of the site. You can change this by following these steps:

1. Open the register.asp, register.cfm, or register.php page.

2. Select Modify, Templates, Detach from Template.

3. Select the navigation table to the left of the page.

4. Delete the navigation table.

5. Save your work.

6. Open the x_newusercreated.asp, x_newusercreated.cfm, or x_newusercreated.php page. Select Modify, Templates, Detach from Template. Select the navigation table in the new page and delete it as well.

7. Place your cursor after the text in the Content editable region and press Enter.

8. Choose Insert, Hyperlink. The Hyperlink dialog appears. Type the text Log In.
Enter the link login.asp, login.cfm, or login.php (depending on the server model you're using). Click OK to close the Hyperlink dialog and create the new link.

When a new user registers, the user is taken to the x_newusercreated.asp, x_newusercreated.cfm, or x_newusercreated.php page. This time, however, the user will have the opportunity to click the Log In link to be redirected to the login page.

Avoiding Duplicate Usernames

The last order of business is the Check New Username server behavior. The Check New Username server behavior enables you to check the username of the person who is registering on your site to make sure that a duplicate does not exist within the database. This is done to avoid confusion when people register within your site. Have you ever tried obtaining a username with AOL? It's almost impossible because most of the usernames are taken. Companies such as AOL employ these same methods to avoid conflicts between users. You can check for duplicate usernames within your site by following these steps:

1. Open register.asp, register.cfm, or register.php, depending on the server model you're using.

2. With the page open, select the Check New Username server behavior from the User Authentication submenu by clicking the Add (+) button in the Server Behaviors panel. The Check New Username dialog appears.

3. The Check New Username dialog allows you to specify the field in the database to compare the value to. Select the Username option from this menu.

4. The dialog also enables you to specify a page to redirect to if a duplicate username exists. Enter the following value into this text box:

    register.asp?username=exists

If you're using ColdFusion, the extension for the register file is .cfm, and if you're using PHP, the extension is .php. Figure 28.10 shows the formatted Check New Username dialog.

Figure 28.10. Specify the Username field in the database as well as a parameter so that you can create a custom error message to the user if the proposed username happens to be a duplicate.
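As an added example (not code from the book and not what Dreamweaver generates), here is the check that the Check New Username behavior performs, written by hand for the PHP server model with a PDO prepared statement, together with the register-page message keyed on the username=exists parameter set up above. The table and column names (Employees, Username) follow the chapter; the DSN, credentials, POST field name and function names are assumptions.

```php
<?php
// Hand-written duplicate-username check (assumed names; not Dreamweaver's code).

// True if $username is already present in Employees.Username. The value is
// bound as a parameter, so the database compares it without it ever being
// spliced into the SQL text.
function username_exists(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM Employees WHERE Username = :u');
    $stmt->execute([':u' => $username]);
    return (int) $stmt->fetchColumn() > 0;
}

// Run the check on a registration POST. On a duplicate, redirect back to the
// register page with username=exists (the parameter entered in step 4) and
// stop; otherwise return the trimmed username for the insert that follows.
function check_new_username(PDO $db, array $post, string $registerUrl = 'register.php'): string
{
    $username = trim((string) ($post['username'] ?? ''));   // 'username' is the assumed form field
    if (username_exists($db, $username)) {
        header('Location: ' . $registerUrl . '?username=exists');
        exit;
    }
    return $username;
}

// Message for register.php, shown only when the query string says
// username=exists (strict comparison, so isset() alone is not enough).
function duplicate_username_message(array $get): string
{
    if (isset($get['username']) && $get['username'] === 'exists') {
        return '<span style="color:Red">That username is already taken. Please choose another.</span>';
    }
    return '';
}

// Constructed wiring for register.php (DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=VectaCorp', 'DB_USER', 'DB_PASSWORD',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if ($_SERVER['REQUEST_METHOD'] === 'POST') { $username = check_new_username($db, $_POST); }
// echo duplicate_username_message($_GET);
```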

Posted: 01/07/2014, 19:20
