Web template
updated by
Christopher Spry

How to make password-protected web pages using Microsoft's 'FrontPage' and 'ASP'

Note added 16/04/2009:

Microsoft discontinued FrontPage in late 2006 and many ISPs, such as the free 'IX Web hosting' site http://www.ixwebhosting.com/, will be discontinuing it on their servers in late 2009. For this reason I suggest that you look elsewhere for software to password-protect your web pages. There is useful and readily-used information on this at http://personalweb.about.com/cs/securityprivacy/a/312password.htm. The JavaScript option looks the best to me for this purpose.

In addition, instead of using FrontPage, consider using KompoZer, which is freely available at https://kompozer-web.de/en/ or any of the FrontPage alternatives suggested at http://www.msboycott.com/thealt/alts/frontpage.shtml.  For features dependent on FrontPage extensions, some alternatives are discussed athttp://www.outfront.net/tutorials_02/getting_started/extension_alternatives.htm.

The method that is described below only applies to web sites, such as Microsoft's 'IIS' servers, that supports 'active server pages' or 'asp'. The method uses Microsoft's 'active server pages' to provide a script to check the password before opening a password-protected 'page'. This guide applies to both 'FrontPage'98' and 'FrontPage 2000'. The first two pages, where the password is entered, can be on any type of web server. It simply passes the 'password' to the web server supporting 'asp', which then checks it with the 'asp' script, shown below.

There is related information on how to restrict access to a whole FrontPage web. Before you follow the guide below, check with the administrator of your web site, that it supports 'active server pages'. Many don't. If your web server is running Apache, there are other and arguably better ways to password-protect web pages.

See also Instructions on setting up user/password and access control for

Here, you will make three pages - a page where the password is entered, a page where the password is entered again if it was entered incorrectly and a 'protected' page on a Microsoft web server. In the example used here, they are called 'password_enter.html', 'password_enter_again.html' and 'password_protected.asp', respectively. 

(a) In 'FrontPage' open a new page. It will be called here 'password_enter.html'. In this page, a user will have to enter a password to access the second password-protected page called here 'password_protected.asp'. You will create the latter in (b). In the new page, click on 'Insert | Form | One-line Text Box'. Type in the left side of the box, just inside the dotted edge, 'Enter password:'. Select from the menu at the top of 'FrontPage Editor': 'File | Properties' and in the 'Title' box enter 'password entry' then 'OK'. Right-click inside the space in the 'one-line text box' you made earlier (the space where users will enter a password) and scroll down to 'Form Field Properties'. In the 'Name' box, enter 'pwfield', click Password field 'Yes' to give asterisks on screen instead of an entered password, 'OK'. Right-click in the empty text box again and scroll down to 'Form Properties'. Click on the radio button for 'Send to others' then click 'Options' and in the 'Action' box type the name of the file that will be password protected, giving it the suffix 'asp' instead of 'html. If it is in a different directory from the file you are currently editing (password_enter.html), include the name of the server and directory also, starting at the 'web root' directory. In this example, it is on a Microsoft web server at http://example.cspry.co.uk' in the web's directory '/computing', so I entered 'http://example.cspry.co.uk/computing/password_protected.asp'. Save the file you have just finished editing as 'password_enter.html'. In addition, make a copy of this page with a line saying 'The password you entered was incorrect'. and save it in the same directory as 'password_enter_again.html'.

(b) Create a new file in 'FrontPage' on the Microsoft web server. In my case it was on the Microsoft web server 'http://example.cspry.co.uk' in the web's '/computing' subdirectory. This will be the password-protected file. In 'FrontPage Editor', select the tab at the bottom called 'HTML'. Copy the following script and paste it into the page above the first 'html' tag on the page:

pagePassword = "pass"
passwordForm = "password_enter_again.html"
IF Session("pwfield") <> pagePassword THEN
IF Request.Form("pwfield") = pagePassword THEN
Session("pwfield")= pagePassword

(Include the '<%' and '%>' lines.) Edit the word "pass" to provide the password for this page. Edit the word "password_enter_again.html" to provide the name of the web server and second file which you made in (a) if it is different. In my case it was 'http://example.cspry.co.uk/computing/password_enter_again.html'.   Edit the rest of the page in the usual way, and save it as 'password_protected.asp'. Note: this script can be used in several pages using ‘Server Side Include' (SSI).

Now, using a web browser, open the file made in (a) and enter the password. This page passes the content of the box to the second password-protected page ('password_protected.asp'), which checks the password using the above script and assigns it a 'Session Variable' if it is correct. If is not correct, it opens the file called 'password_enter_again.html', for the user to enter the password once more. If the user closes the browser which opened the protected page successfully, or the session times out, the user is required to re-enter the password to open the protected file once more.

With acknowledgement to  SiteCrafters, which provided the script and which is a source of other useful information on using ‘FrontPage’.

John Savill has provided a script to enable users to change their passwords as he explains below:

"Q. How can I create a Web page where users can change their passwords?

A. You can write an Active Server Pages (ASP) script that creates a password-change Web page. ASP gives you complete access to Microsoft Active Directory Service Interfaces (ADSI), which lets you perform a variety of functions, such as changing passwords or creating accounts. When you write such a script, you must consider factors such as the user account under which the script will run and the permissions you want to use when the script runs. The basic ADSI command to change a user's password is

set usr = GetObject("LDAP://CN=John Savill,CN=Users,DC=savilltech,DC=com")
usr.put "userPassword", NewPassword

The first line assigns a handle to user John Savill in domain savilltech.com. The next line puts the text NewPassword into the userPassword attribute.

I've written a short ASP script that prompts the user to enter a username and password (remember to change the domain from savilltech.com to your domain). The script is listed below and can be downloaded.

strUserCN = request.form("cn")
strNewPassword = request.form("newpass")
strPassVerify = request.form("passverify")

if strUserCN="" then
response.write "<html><head><title>Change Password</title></head><body>"
response.write "<center><h1>Web Password Reset</h1></center>"
response.write "<hr><br><br><form method=post action=changepass.asp><table>"
response.write "<tr><td>CN: </td><td><input type=text name=cn></td><tr>"
response.write "<tr><td>New Password: </td><td><input type=password name=newpass></td></tr>"
response.write "<tr><td>Verify Password: </td><td><input type=password name=passverify></td></tr>"
response.write "<tr><td colspan=2 align=center><input type=submit value='Reset Password'></td></tr>"
response.write "</table></body></html>"

if strNewPassword = strPassVerify then

set usr = GetObject("LDAP://CN=" & strUserCN &

usr.put "userPassword", strNewPassword

response.write "<html><head><title>Results</title></head><center><h1>Update
response.write strUserCN & ": password was successfully updated" response.end


response.write "<html><head><title>Error!</title></head><body>"
response.write "<center><h1>An Error Has Occurred!</h1></center>"
response.write "<hr><br><br>"
response.write "The password and confirmation do not match. Please go back and try again."

end if
end if

Windows Server 2003 provides its own Web pages for password changes, which I discuss in the FAQ "Does Windows Server 2003 provide a way to let users change their passwords remotely on the Web?". However, you might find the sample ASP script useful for creating password-change interfaces on your own Web pages or sites."

Return to the 'home page

Return to the 'computer index page'