417 users using DBSP now!
Home  I  Company  I  Services  I  Documentation  I  Downloads  I  E-Support
home -> documentation -> environment guide -> Granting access to the user: LOGIN tag


Creating a the LOGIN query

First of all we need to build the login SQL statement based in some table structure. So we need to create or use a table suitable for this purpose. Imagine the following table:

Table Name: USERS

USRID USRFIRSTNAME USRLASTNAME USRUSERNAME USRPASSWORD USRLEVEL
1
 Administrator (null) administrator confidential
1
2
 Sirius Black jblack black
2
3
 Angie Hart aheart angieheart
2
4
 Chandler Bing cbing duck
2

Based on this structure and data, a valid login query would be:

SELECT USRID, USRFIRSTNAME, USRLASTNAME, USRLEVEL FROM USERS
WHERE USRUSERNAME = :TXTUSER AND USRPASSWORD = :TXTPASSWORD

where TXTUSER and TXTPASSWORD are variables of type string.

The authentication will work on this way:

  1. If the TXTUSER and TXTPASSWORD passed to the query return AT LEAST ONE RECORD, the access will be GRANTED.
  2. If the values are passed to the query and return NO RECORDS, the access is DENIED.


The SESSION object and the login query

Each user that access to a DBSP site implicitly creates a session object linked to its browser. This session object is responsible for the storage of information relative to the actual session: session ID (A uniquely identification string for the session) , IP address, browser name, time of last request, etc.

But the session object has another interesting feature: all the column values selected in the login query will be automatically stored in the session object. For example:

Suppose that the TXTUSER and TXTPASSWORD contains the "aheart" and "angiehart" values. The login SQL statement will return the values:

USRID = 3
USRFIRSTNAME=Angie
USRLASTNAME=Heart
USRLEVEL=2

So, after the authentication has been performed (and the query executed), the session object will automatically store all this values:

Session values before authentication Session values after authentication
SESSION.SESSIONID=DBSP200404172124XJA
SESSION.IPADDRESS=192.168.0.12 		SESSION.SESSIONID=DBSP200404172124XJA
SESSION.IPADDRESS=192.168.0.12
SESSION.USRID = 3
SESSION.USRFIRSTNAME=Angie
SESSION.USRLASTNAME=Heart
SESSION.USRLEVEL=2


Note: Notice that the USRNAME and USRPASSWORD are not included in the selection list. We don't want to include sensible information in the session object. Our application could be compromised by some malicious user!

If you want to know more about the session object, click here.


The LOGIN Page

Now, let's create the DBSP page that will request the login information. As the first step of the authentication scheme states, it is necessary to have a login page. This page will collect the user credentials and send it back to the server. The LOGIN tag will indicate to the server that the user is trying to create a valid session into the system. We will generally use this element in conjunction with an HTML form with the post type method.

The syntax is very simple:


<#LOGIN ALIAS=”anAlias” QUERYID=”AQuery” [QUERYIDLOG=”AQueryLog” DOC=”adocument”]/>
 

Here, anALIAS is the alias referring to the database where the user information is contained (the users table database alias). AQuery is the SQL sentence that will be used to validate the credentials of the user.

The rest of the properties are optional but useful in some circumstances. The QueryIDlog is a reference to SQL sentence that will be executed after a successful login has been made (this means that after the execution of the SQL Sentence referred in the QueryID property, the sentence return at least one record). This property could be used to create an access log.

Finally, the DOC property will force some document to be always displayed after a successful login. This will alter the normal flow of the system. Remember that the login page is displayed when a private page has been requested and no valid session exists for the current user. So, after a successful authentication, the original requested page will be displayed. By using the DOC property instead, you will ignore the original requested page, and you will always display the indicated page. This could be useful for example, when the system has a main menu, and displaying this menu is a must.

The following code shows you an example of how to create a login form. The SESSION.LOGINFAILED variable is explained after the example.


   <#IF EXPRESSION="(SESSION.LOGINFAILED!=UNDEF)">
     <#CASE> 
      <#OPTION EXPRESSION="SESSION.LOGINFAILED=11001">
        Invalid session or account inactive!
      <#/OPTION>                 
      <#OPTION EXPRESSION="SESSION.LOGINFAILED=11002">
        Your session has expired! Please log in again.
      <#/OPTION>                 
    <#/CASE>             
   <#/IF>             
             
  

e-mail
  

  
password
  
  


When the LOGIN fails...

As you can see in the example, there is a variable named LOGINFAILED inside the SESSION object. This variable holds an integer number and appears where the login could not be performed for these reasons:

11001 The login query did not return any records. In this case, the user did not provide a current username and password combination. You can catch this variable as in the example and let the user know the mistake.
11002 The session has expired. This happens when the user stop browsing pages for more than the time indicated in the site configuration and suddenly decides to browse again for another page. Another authentication of the user is needed for security purposes (just to be sure than the same user is using the system).
11003 The login can not be executed. In this case, the site is not properly configured. Please check the configuration again via the DBSP configuration tool and don't forget to restart your Web Server after any change.

Previous | Next