The bulk of Listing 13.11, lines 2–36, is devoted to decoding the username and password contained in the AUTHORIZATION header. In line 38, the AUTHORIZATION header is retrieved from the Request collection. If the AUTHORIZATION header contains no information, the status code 401 is sent to the browser to force a password dialog.

In line 45, the first six characters are stripped from the AUTHORIZATION header. These first six characters contain the plaintext characters BASIC, which indicate the authorization scheme. We already know this, so we get rid of the characters. In line 46, the AUTHORIZATION header is base64 decoded with the help of the Decode() function. The decoded header will contain the username and password separated by a colon. In lines 47–49, the VBScript SPLIT() function is used to extract the username and password from the header.

In lines 51–56, the username and password are compared against the usernames and passwords contained in the userlist database table. If there are no matches, the status code 401 is sent to the browser to force the password dialog box to appear. Otherwise, the user can view the page.

Summary

In today's lesson, you learned how to create a subscription Web site by implementing three different types of authentication. In the first section, you learned how to use HTTP Authentication. You were given an overview of the three types of authentication supported by Internet Information Server and you learned how to enable authentication for a file, directory, or Web site. In the next section, you learned how to use database authentication to password protect areas of your Web site. You created a database table named userlist that contains a list of usernames and passwords. You also created an Include file that checks usernames and passwords against the database table. In the final section, you learned how to create a hybrid authentication system.
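The hybrid scheme summarized here, decoding the AUTHORIZATION header exactly as the analysis of Listing 13.11 describes, written out as an added Python example that is not part of the book's code. The USERLIST dictionary and the function names are constructed stand-ins for the chapter's userlist table and its VBScript routines; unlike the listing, it splits only at the first colon, since a password may itself contain one.

```python
import base64
import binascii
import hmac

# Constructed stand-in for the userlist database table (username -> password).
USERLIST = {"alice": "s3cret", "bob": "pa:ss"}   # bob's password contains a colon


def parse_basic_authorization(header):
    """Decode an HTTP Basic AUTHORIZATION header into (username, password).

    Mirrors Listing 13.11: drop the six-character "Basic " scheme prefix,
    base64-decode the remainder, then separate username and password at the
    colon. Returns None when the header is missing or malformed, so the
    caller can answer 401 and force the browser's password dialog.
    """
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # Split at the FIRST colon only: a username cannot contain one, but a
    # password may, so splitting at every colon (as SPLIT() does) would
    # truncate such passwords.
    username, _, password = decoded.partition(":")
    return username, password


def authenticate(request_headers, userlist=USERLIST):
    """Return (status_code, username); 401 forces the password dialog."""
    creds = parse_basic_authorization(request_headers.get("Authorization"))
    if creds is None:
        return 401, None
    username, password = creds
    expected = userlist.get(username)
    # compare_digest keeps the comparison time independent of where the
    # first mismatching character sits.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, None
    return 200, username


def basic_header(username, password):
    """Build the header a browser sends after the dialog (for the sample run)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
```

Note that the base64 step is reversible encoding, not encryption: anyone who can read the header can recover the password, which is why Basic Authentication belongs behind TLS.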
You learned how to force a password dialog box to appear from within an ASP script. You also learned how to retrieve a username and password entered into the dialog box and compare them against a database table.

Note: Do not enable any form of authentication for the directory that contains hybrid.asp. We are forcing Basic Authentication manually. Only Allow Anonymous Access should be enabled.

17 0672318989 ch13 3/30/00 8:19 AM Page 294

Q&A

Q Three different methods of authentication were discussed in today's lesson. Which method of authentication should I use for my Web site?

A If you need to create an automated registration system, you should use either database authentication or hybrid authentication. By using a database to store usernames and passwords, you can easily create a system that supports hundreds of thousands of registered users. Storing usernames and passwords in a database also makes it easier to back up the data. Because you need to set up individual Windows accounts to use HTTP Authentication, this form of authentication is more appropriate for password protecting administrative areas of your Web site. Normally, you will use HTTP Authentication only when you need to set up a small number of user accounts.

Q Doesn't database authentication place a heavy load on my database server?

A If every user must be authenticated against the database whenever a page is requested, database authentication can place a heavy load on your database server. However, in the database authentication script you created in today's lesson (checkpassword.asp), Session variables were also used to authenticate users. When a user is authenticated against the database after requesting a password protected page for the first time, a Session variable named LoggedIn is assigned the value Yes. If the user requests additional pages, the Session variable can be checked instead of the database.
Of course, if someone is using a browser that doesn't support Session variables, the database must be accessed every time the user requests a new page.

Workshop

The Quiz questions are designed to test your knowledge of the material covered in this chapter. The answers are in Appendix A, "Quiz Answers."

Quiz

1. Can you use HTTP Authentication with the Netscape Navigator browser?
2. Why is it considered a security risk to use Basic Authentication?
3. How can I force a password dialog box to appear on a Web browser?
4. When using Basic Authentication, how is a username and password passed from page to page?

DAY 14
WEEK 2
Customizing the Shopping Experience

Today we will customize our customers' shopping experience based on their preferences and buying patterns. To make this project more interesting, we also will allow our customers to review their purchase history with our storefront. Today, you will learn the following:

• Presenting the user with the choice to change his existing registration settings
• Storing those new registration settings in the user database
• Displaying previous purchases
• Determining layout based on customer preferences
• Advertising items your customers would like

Retrieving the Existing User Settings

A user needs to see his settings before he can modify them. Therefore, you need to create a new file, mypage.asp, that goes into the user database, retrieves that information, and displays the settings.

Creating mypage.asp

The mypage.asp file is relatively unique among the files you've created thus far. It can both read from the database (to display existing settings) and write to the database (to store the new settings). Generally, the structure thus far has been one file to read and one file to write.
To better understand each of the functions performed by mypage.asp, the code will be broken into two different listings. The first bit of relevant code deals with controlling the flow of the site, and is contained in Listing 14.1.

LISTING 14.1 Retrieve Existing User Info

1 <!-- #INCLUDE FILE="adovbs.inc" -->
2 <!-- #INCLUDE FILE="storefuncs.asp" -->
3 <%
4 ' Get Product ID
5 productID = TRIM( Request( "pid" ) )
6 ' Get Login Information
7 login = TRIM( Request( "login" ) )
8 IF login <> "" THEN
9   username = TRIM( Request( "username" ) )
10   password = TRIM( Request( "password" ) )
11 ELSE
12   username = TRIM( Request( "newusername" ) )
13   password = TRIM( Request( "newpassword" ) )
14 END IF
15 mypage = TRIM( Request( "mypage" ) )
16 error = TRIM( Request( "error" ) )
17 register = TRIM( Request( "register" ) )
18 If username = "" then
19   username = request.cookies("username")
20   password = request.cookies("password")
21 End If
22 ' Open Database Connection
23 Set Con = Server.CreateObject( "ADODB.Connection" )
24 Con.Open "accessDSN"
25
26 ' Check For Update code
27 IF mypage <> "" AND error = "" THEN
28   updateUser
29 END IF
30 IF register <> "" AND error = "" THEN
31   addUser
32 END IF
33 ' Get User ID
34 userID = checkpassword( username, password, Con )
35 ' See if user exists in db, or if user info was ever passed
36 IF userID > 0 THEN
37   SET RS = Con.Execute("SELECT * FROM users WHERE user_ID = " & userid)
38   ' Populate string values with existing settings
39   newusername = RS("user_username")
40   newpassword = RS("user_password")
41   email = RS("user_email")
42   street = RS("user_street")
43   city = RS("user_city")
44   state = RS("user_state")
45   zip = RS("user_zip")
46   cctype = RS("user_cctype")
47   ccnumber = RS("user_ccnumber")
48   ccexpires = RS("user_ccexpires")
49   ccname = RS("user_ccname")
50 %>

This first page is basically the traffic cop of the mypage.asp file.
First of all, the page determines if the user has just logged in, created a new user, or updated his settings. Each of these options has a monitor value set in the form that passes the information. For example, if the user had just registered a new account, the register monitor variable would not be NULL. If the user had just logged in, the login monitor variable would not be NULL. By checking these monitor values, we can determine which form fields we need to read in order to get the updated information. If the username is already in memory, or the user just logged in, the page will display the user's current settings with the option to update them. If there is no username available, the page will display the login/register screen. Finally, if the monitor value indicates that the user has updated his settings, the page stores the new settings in the database.

The code in lines 7–16 traps the login monitor value. When login is not NULL, it means we can retrieve the user's settings information and put it in the form for editing. Next, in lines 18–21, we check to see if the username is still empty after trying to get info from the form. If it is, we try to pull the username value from the cookie, just in case it got missed somewhere. Lines 22–24 are the familiar ADO object instantiations we've seen several times before.

Moving on to lines 27–28, we encounter another monitor value check. If mypage is not NULL, that means the user has submitted the update form and wants his changes added to the database. To accomplish this, the page calls the updateUser subroutine from the storefuncs.asp file. Lines 26–32 contain the last monitor value check, which tests for new account requests. If register is not NULL, it means that the user has completed the new user form and wants to be added to the database. The page then calls the addUser subroutine from the storefuncs.asp file.
Lines 33–35 compare the username and password against entries in the users table. When both columns match, the query returns the userid of the selected row. Lines 36–49 do two things. The first two lines check to see if the userid variable is a valid one (that is, greater than 0). If the userid is valid, the page loads all the current user's settings into accessible variables and then loads them into a form, so the user can modify them. If the userid is invalid, we assume that it is for a new or non-logged-in user and go straight to the register.asp page.

Note: For more information on the addUser subroutine, investigate Day 8, "Building the Transaction Databases." updateUser is identical to addUser except that it updates an existing record instead of creating a new one.

The actual HTML surrounding the user settings form is identical to that found in register.asp and various other parts of the site, so I won't repeat it here. However, you should take a look at Listing 14.2 and see how the form displays the current settings by inserting variables into the VALUE field of the input tag.

LISTING 14.2 Displaying Current User Information

1 <form method="post" action="<%= submitpage%>">
2 <input name="mypage" type="hidden" value="1">
3 <input name="pid" type="hidden" value="<%=productID%>">
5 <font face="Arial" size="2">
6 Change the values below and hit 'Update' to change your personal settings:
7 </font>
8 <font face="Arial" size="2" color="darkgreen">
9 <p><b>Login Information:</b>
10 </font>
11 <font face="Courier" size="2">
12 <br><b>username:</b>
13 <input name="newusername" size=20 maxlength=20
14 value="<%=newusername%>">
15 <br><b>password:</b>
16 <input name="newpassword" size=20 maxlength=20
17 value="<%=newpassword%>">
18 <br><b>email address:</b>
19 <input name="email" size=30 maxlength=75
20 value="<%=email%>">
21 </font>
22 <font face="Arial" size="2" color="darkgreen">
23 <p><b>Address Information:</b>
24 </font>
25 <font face="Courier" size="2">
26 <br><b>street:</b>
27 <input name="street" size=20 maxlength=50
28 value="<%=street%>">
29 <br><b>city:</b>
30 <input name="city" size=20 maxlength=50
31 value="<%=city %>">
32 <br><b>state:</b>
33 <input name="state" size=20 maxlength=2
34 value="<%=state %>">
35 <br><b>zip:</b>
36 <input name="zip" size=20 maxlength=20
37 value="<%= zip %>">
38 </font>
39 <font face="Arial" size="2" color="darkgreen">
40 <p><b>Payment Information:</b>
41 </font>
42 <font face="Courier" size="2">
43 <br><b>type of credit card:</b>
44 <select name="cctype">
45 <option value="1"
46 <%=SELECTED( cctype, "1" )%> > VISA
47 <option value="2"
48 <%=SELECTED( cctype, "2" )%> >MasterCard
49 </select>
50 <br><b>credit card number:</b>
51 <input name="ccnumber" size=20 maxlength=20
52 value="<%=ccnumber%>">
53 <br><b>credit card expires:</b>
54 <input name="ccexpires" size=20 maxlength=20
55 value="<%=ccexpires%>">
56 <br><b>name on credit card:</b>
57 <input name="ccname" size=20 maxlength=20
58 value="<%=ccname%>">
59 <BR><BR><input type="submit" value="Update">
60 </font>
61 </form>

This code takes the variables you assigned at the very beginning of the file and then drops them into input tags. You'll only see this information when you've logged into the site and want to change your settings (see Figure 14.1 to see how mypage.asp appears in a Web browser).

Showing Past Purchases

In the last few weeks, you have built the basic storefront for your E-Commerce Web site. You built the Product Catalog in Day 5, "Building Your Product Catalog," and extended it with the ability for customers to purchase items from our catalog in Day 8. You also have built the ability for customers to view their purchase status, such as whether their item had shipped, for example.
Today you will add the ability for your customers to review their past purchases. This facility will be straightforward and will focus only on successful purchases that the customer has made. The purchases that a customer makes are recorded, as you should remember, in the Orders table of our database. The Orders table is structured as follows:

• order_id—The unique numeric identifier for each order recorded.
• order_productID—The numeric product identifier for the item purchased by the customer. This identifier is based on a value in the Products table.
• order_quantity—The total number of items (as identified by the previous column) purchased by the customer.
• order_userID—The numeric identifier that represents the customer, as determined from the Users table.
• order_entrydate—The date and time that the purchase order was made on our Web site.
• order_status—A numeric status identifier that indicates the state of the customer's order.
• order_shipdate—The date and time that the customer's purchase order was shipped.

FIGURE 14.1 Changing your user information—mypage.asp.

To review, the numeric status codes found in the order_status column are

• 0—Pending
• 1—Credit Card Declined
• 2—Not in Stock
• 3—Shipped

When displaying previous purchases to our customers, we can treat any order that is identified as Shipped and has a date and time specified in the order_shipdate column as a complete order. (After all, we're not going to charge someone for something that isn't in stock, are we?) Creating a page to display only items that have been shipped to the customer will prove to be very easy, by adapting the code we created in Day 11, "Working with Credit Cards," to allow customers to view their order's status. Listing 14.3 contains the code for a new page that we will add to our site, pastpurchases.asp. We will link to this page from the showorders.asp page.
LISTING 14.3 Display List of Previous Orders

1 <!-- #INCLUDE FILE="adovbs.inc" -->
2 <!-- #INCLUDE FILE="storefuncs.asp" -->
3 <%
4 ' Get Login Information
5 username = TRIM( Request( "username" ) )
6 password = TRIM( Request( "password" ) )
7 ' Open Database Connection
8 Set Con = Server.CreateObject( "ADODB.Connection" )
9 Con.Open "accessDSN"
10 ' Get User ID
11 userID = checkpassword( username, password, Con )
12 sqlString = "Select orders.*, product_name, product_price " & _
13   "from orders, products " & _
14   "WHERE order_productid=product_id " & _
15   "AND order_userid=" & userID & " " & _
16   "AND order_status=3 " & _
17   "ORDER BY order_entrydate DESC"
18 SET RS = Con.Execute( sqlString )
19 %>
20 <html>
21 <head><title>Your Past Purchases</title></head>

continues
LISTING 14.3 continued

[...] "order_shipdate" ) )%>
63 </small>
64 </td>
65 </tr>
66 <%
67 RS.MoveNext
68 WEND
69 %>
70 </table>
71 <%
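The past-purchases query of Listing 14.3, recast as an added Python/sqlite3 example that is not part of the book's code. The tables, sample rows and function names are constructed for the example; it goes slightly beyond the listing by also requiring an order_shipdate, which the text gives as the definition of a complete order, and by binding the user id as a query parameter instead of concatenating it into the SQL string.

```python
import sqlite3

# Status codes the chapter assigns to the order_status column.
PENDING, CC_DECLINED, NOT_IN_STOCK, SHIPPED = 0, 1, 2, 3

# Constructed schema: only the columns Listing 14.3 touches.
SCHEMA = """
CREATE TABLE products (
    product_id INTEGER PRIMARY KEY, product_name TEXT, product_price REAL);
CREATE TABLE orders (
    order_id INTEGER PRIMARY KEY, order_productID INTEGER, order_quantity INTEGER,
    order_userID INTEGER, order_entrydate TEXT, order_status INTEGER,
    order_shipdate TEXT);
"""

# Constructed sample rows. Customer 7 has two shipped orders, one still
# pending and one marked Shipped without a ship date; customer 8's order
# must never appear in customer 7's list.
SAMPLE_PRODUCTS = [(1, "Gummy Bears", 2.50), (2, "Toffee", 4.00)]
SAMPLE_ORDERS = [
    (99, 2, 1, 7, "2000-02-20 09:00", SHIPPED, "2000-02-21 09:00"),
    (100, 1, 3, 7, "2000-03-01 10:00", SHIPPED, "2000-03-02 09:00"),
    (101, 2, 1, 7, "2000-03-05 11:00", PENDING, None),
    (102, 2, 2, 7, "2000-03-06 12:00", SHIPPED, None),
    (103, 1, 1, 8, "2000-03-07 13:00", SHIPPED, "2000-03-08 09:00"),
]


def open_sample_db():
    """In-memory stand-in for the chapter's accessDSN database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def past_purchases(conn, user_id):
    """Completed orders of one customer, newest first, as tuples of
    (order_id, product_name, order_quantity, product_price, order_shipdate).

    Same join and filter as Listing 14.3, with two changes: the user id is
    bound as a query parameter rather than concatenated into the SQL text,
    and a row must also carry an order_shipdate, which is how the chapter
    defines a complete order (Shipped and a ship date recorded).
    """
    sql = """
        SELECT o.order_id, p.product_name, o.order_quantity, p.product_price,
               o.order_shipdate
        FROM orders AS o JOIN products AS p ON o.order_productID = p.product_id
        WHERE o.order_userID = ? AND o.order_status = ?
          AND o.order_shipdate IS NOT NULL
        ORDER BY o.order_entrydate DESC
    """
    return conn.execute(sql, (user_id, SHIPPED)).fetchall()
```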