
inetserver asp db : Login - How secure and is it a standard among you all


James
10/28/2004 10:54:00 AM
Currently, I allow users to log in from a login screen,
then I check it against a database. Once a record is found,
I set a session variable (Authenticated = 1). Then
throughout the website, if that session variable is present,
they can get into the administrative pages.

My question is, how secure is that? And is that the best
method for logging in without using Windows Authentication?

If that is not the best, what or how is? Lastly, how can
you set it up for multiple levels of authentication?

Thanks in advance,

Phillip Windell
10/29/2004 9:57:26 AM
I don't know how secure it is, but I use that on an intranet site that isn't
exposed to the Internet.

I use multiple levels by using different numbers other than just 1. An Admin
login would set the "Authenticated = " to 100; a simple regular user would
be 50. I just arbitrarily picked the numbers and they are included in the
DB record with the User account. You can change the access level of the user
by changing that number in their DB record. When they log in and you match
their login to a DB record, you simply pull that number from their record.
The record might only be three fields: Username, Password, AuthLevel

The page they happen to be viewing behaves as it should by testing the value
to the authentication level.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
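
The scheme described in the reply above, written as an include file, assuming classic ASP with VBScript and ADO. This is an added example, not code posted by anyone in the thread: the `Users` table name, `Application("ConnStr")`, `/login.asp`, `DoLogin` and `RequireLevel` are assumed names, and only the three fields and the 100/50 levels come from the reply.

```vbscript
<%
' auth.asp - added example, not code from the thread.
' Assumed: table Users(Username, Password, AuthLevel), connection string in
' Application("ConnStr"), login page at /login.asp (all hypothetical names).
Const LEVEL_USER = 50       ' values taken from the reply above
Const LEVEL_ADMIN = 100
Const adCmdText = 1, adVarChar = 200, adParamInput = 1   ' ADO constants

' Check the credentials and, on a match, store the user's level in the session.
' Password is compared as stored to mirror the thread's three-field record.
Function DoLogin(userName, password)
    Dim conn, cmd, rs
    DoLogin = False
    If Len(userName) = 0 Or Len(userName) > 50 Or Len(password) > 50 Then Exit Function
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnStr")
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Placeholders keep form input out of the SQL text.
    cmd.CommandText = "SELECT AuthLevel FROM Users WHERE Username = ? AND Password = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, 50, password)
    Set rs = cmd.Execute
    If Not rs.EOF Then
        If Not IsNull(rs("AuthLevel").Value) Then
            Session("Authenticated") = CLng(rs("AuthLevel").Value)
            DoLogin = True
        End If
    End If
    rs.Close
    conn.Close
End Function

' Call before any output on a protected page. A missing or non-numeric
' session value counts as level 0, so the check fails closed.
Sub RequireLevel(minLevel)
    Dim lvl
    lvl = 0
    If IsNumeric(Session("Authenticated")) Then lvl = CLng(Session("Authenticated"))
    If lvl < minLevel Then Response.Redirect "/login.asp"
End Sub

' On an admin page:  RequireLevel LEVEL_ADMIN
' On a member page:  RequireLevel LEVEL_USER
%>
```

The level lives in server-side session state, so the protection holds only on pages that actually call the guard; a protected page that omits the call is open to anyone who knows its URL.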

