Server-Side Web Programming with Active Server Pages
Lab 11 - Cookie Based Security Page

In this lab you will create several deliverables, including a new login page and modifications to several existing pages to handle a user identification cookie. Explore the sample site to see examples. Again you will be building on and modifying your previous labs. There will be an automatic 2.5 point deduction if any of your pages do not use Hungarian notation or are missing TITLE or META description elements.


  1. A persistent dictionary cookie containing the CustomerID (or zero) of the logged in user. Your cookie should be named for your site and should contain the key CUSTOMERID (You may add additional keys to the cookie if you wish). The function below may prove helpful in creating a persistent cookie. (Note use of expires and the constant cCOOKIE which should be unique to your site as follow: SITE## where ## is your site number. you may choose to pad with zero or not as it pleases you. The constant should be part of the include file that holds the sub and function below.

    Const cCOOKIE = "SITE88" 'Example, replace 88 with your class number.

    Sub CookiePUT(cName, cValue)

            response.cookies(cCOOKIE)(cName) = cValue
            'The use of expires is what makes the cookie persistent 
            response.cookies(cCOOKIE).expires = Now() + 365 

    End Sub

    'Example Use (Write the CustomerID field to a persistent cookie):

    CookiePut "CUSTOMERID", lCustomerID

  2. A function ValidateUser() 

    The function is used by almost every page to determine if the CustomerID of the user is known. Many pages use this information to build queries (e.g. find the current shopping cart, etc.) 

    The function must be passed a flag to indicate what the function should do if  CustomerID is not found or is <= zero (0). 

    • FLAG = 1: the user will be redirected to the login page, if the login is successful the original page will be recalled. 
    • FLAG = 0: a Zero is returned and then the page processing continues as if nothing had happened using a CustomerID value of zero..

    When would you want to use one or the other of the flags?

    • You would set FLAG=1 when you are dealing with adding or removing items form the cart, viewing or processing orders or checking out.
    • You would set FLAG=0 when you are working with customer information (customer, login pages)
    • In general use common sense, if a valid CustomerID is required to process, you should insist on getting a valid one.

    We are giving you the function ValidateUser() as it is one of the most important functions in the Shop system

    'Return CustomerID with optional redirection
    Function ValidateUser(FLAG)

       dim lCustomerID 'CustomerID is a LONG (SQL Int)
       dim S

       'Assume not found
       lCustomerID = 0

       'First try the form and querystring collection
       s = Trim(Request("CUSTOMERID"))
       If isNumeric(s) then
          lCustomerID = cLng(S)
          'Then try the cookie
          S = Trim(Request.Cookies(cCOOKIE)("CUSTOMERID"))
          If isNumeric(s) then
             lCustomerID = cLng(S)
          end if
       end if

       'No matter what write the cookie 
       CookiePUT "CustomerID",sCustomerID

       'Do we care if CustomerID is zero?
       If (FLAG <> 0) and (lCustomerID = 0) Then
          Response.Redirect "Login.asp"
       End if

       'We don't care or we are ok, return to the caller
       ValidateUser = lCustomerID
       Exit Function

    End Function


    • The function should be put into an include page.
    • The function returns the CustomerID (zero if not found).
    • The function should first check the Request collections object collections for "CUSTOMERID", and if present, returns that value.
    • If the function does not find a value in the Request collections, it should check the cookie above.
    • The function should re-write the cookie to the client using CookiePut(). Consider the two possible cases:
      • We have a good CustomerID (<> Zero), we want to have that ID available to other pages who call this function, so we want to sent it to the client.
      • We have a Bad CustomerID (e.g. Zero), we want to make sure the clients cookie contains a zero so that when other pages call this function we know we have to take steps (based on the value of FLAG above) to handle this case.
  3. Login.asp


    • Allow the user to "login" to our system by matching their e-mail address (stored in the database by the customer page) to the customer ID. If this operation is successful, the CustomerID is written to the cookie, if not successful a zero is written to the cookie. (See discussion above)
    • The page also allows users to create new accounts by calling the customer page and passing in a special flag (&VW=3).
    • Thus new users become existing users and existing users are admitted to our site to shop.


    The user should have the option to 'Create a new account' (your choice of phrasing) by having a link to the customer page as follows Customer.Asp?VW=3  this causes the customer page to create a new user. (See the notes in Lab 10)


    Takes in the e-mail address and searches the CUSTOMER table for that address.

    • If email address not found:
      1. Overwrites the cookie 'CUSTOMERID' with a value of zero (0)
      2. Redirects to the same page (login.asp) with a message that the login is incorrect.
    • If email address found
      1. The CustomerID is written to the cookie.
      2. The page is redirected to the referrer.
  4. Customer.Asp. You should modify this page to write out the CustomerID to the cookie using the above subroutine.
  5. Default.asp. Your home page should be modified to detect and greet the user as in the example site. E.g. You should use the ValidateUser()  function to get the CustomerID  (Here is an example of a case in which it is ok, not to know who they are) if the CustomerID is >0 then you should fetch their name from the customer table and give them a greeting by name (personalization). If they are not customer they should be welcomed and given a chance to become customers by creating a new account.
  6. Modifications to all previously assigned page and all future pages to use these previous deliverables. The idea is to provide a simple framework to get and handle the problem of retrieving the CustomerID on various pages and what to do if it is not found.

This lab is worth 15 points and due on November 22nd.  When you have completed the lab, send an email to Chris Allen indicating you are done and providing the external URL to your pages.

Valtara Digital Design   
Copyright 1999, 2001, Valtara Digital Design, Blitzkrieg Software