Require login to access a website.

Discussion in 'Web Design and Development' started by bmcgonag, Jun 27, 2007.

  1. bmcgonag macrumors 65816

    Joined:
    Mar 20, 2007
    Location:
    Texas
    #1
    How would I go about requiring a login in order to access any page but the home page or open section on my website? I hate to say this...but kind of like the adult web sites that have the home page (warning) page, and maybe "tour" pages, but require a login to gain access to main material?

    Thanks,

    Brian
     
  2. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #2
    The way that I'm familiar with is having a database full of users, and create a login page. As long as they have a correct login, they can run the application, otherwise all they see is a blank page, if they try and access the URL.
     
  3. bmcgonag thread starter macrumors 65816

    Joined:
    Mar 20, 2007
    Location:
    Texas
    #3
    I comprehend what you are telling me here, but is there any sample code, or a software set that will help me do this?

    Thanks,

    Brian
     
  4. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #4
    Your best bet is a book like PHP & MySQL For Dynamic Websites, by Peachpit Press if you don't know any of the PHP and MySQL and you're starting from scratch.
     
  5. bmcgonag thread starter macrumors 65816

    Joined:
    Mar 20, 2007
    Location:
    Texas
    #5
    I know some PHP and MySQL, but I'm just not sure how to force a site to go to the homepage, even if someone tries to direct link to a different page.

    I'm sure that's somewhere in the PHP, so I'll check it out. Thanks.

    Brian
     
  6. werther macrumors regular

    Joined:
    May 15, 2006
    #6
    The answers to your questions are all in the book that SC68Cal suggested. I bought that book about a year ago and it has proven to be a very valuable resource. The author (Larry Ullman) recently came out with a new book (PHP 5 Advanced) which I have yet to buy but definitely intend to.
     
  7. jng macrumors 65816

    Joined:
    Apr 6, 2007
    Location:
    Germany
    #7
    If you want them to share a username/password, you can just use an htaccess and an htpasswd file. Secure and no real coding involved. Google the two terms for simpler tutorials than the docs I've linked to.
     
  8. djbahdow01 macrumors 6502a

    Joined:
    Jan 19, 2004
    Location:
    Northeast, CT
    #8
    You could always password protect a directory. It's what I do for folders on my server that I don't need anyone getting into. You can even do it for the main directory where the index.html file is located.

    Then again it all depends on the features that your hosting company has given you. I am running cpanel for my control panel and it offers a lot of great things.
     
  9. CoreWeb macrumors 6502

    Joined:
    Mar 2, 2007
    Location:
    Edge of reason
    #9
    The gist of it is that you have one file, say "authentication.php", which checks to make sure the user is logged in, and if they aren't, redirects to the login page. Then, in every page which requires authentication, you would include this authentication script.

    Here is a (very) simple example:
    PHP:
    All files requiring authentication:
    <?php
    include "authentication.php";
    /* Other content here */
    ?>

    Authentication.php:
    <?php
    /* Check if user is authenticated */
    session_start();
    if ($_SESSION["logged-in"]){
        /* The user is logged in */
    }else{
        /* The user is not logged in */
        header("location:/login.php");
        /* Now kill PHP to prevent further processing */
        die();
    }
    ?>
    The above is extremely simplified, and is just meant to give you an idea of what needs to be done. More things should, theoretically, be added to make it more secure.

    The actual login process is more complicated, but there are tons of tutorials online on how to do this. I'd recommend, however, that you use several security measures, including some of the ones in the following example:
    PHP:

    /* Storing a password */
    function set_password($user_id, $password){
        mysql_query("UPDATE USERS SET PASSWORD = '" . mysql_real_escape_string(md5($password))
            . "' WHERE USER_ID = " . intval($user_id));
    }

    function login($user_name, $password){
        $users = mysql_query("SELECT * FROM USERS WHERE " .
            "USER_NAME = '" . mysql_real_escape_string($user_name) . "'" .
            " AND PASSWORD = '" . mysql_real_escape_string(md5($password)) . "'"
        );
        if (mysql_num_rows($users) > 0){
            /* Login was a success! */
        }else{
            /* Invalid login! */
        }
    }
    1. The password is encrypted in one-way encryption. See PHP's md5 documentation.
    2. Input strings are escaped using mysql_real_escape_string to prevent SQL injection (for example, an attacker using "' OR TRUE" as a user name causing login to always be successful).
    3. Using intval() to ensure that the value for user_id is a number, and not other text.

    Keep these security concerns in mind.
     
  10. bmcgonag thread starter macrumors 65816

    Joined:
    Mar 20, 2007
    Location:
    Texas
    #10
    Great Info! I have actually had to do similar things in Perl a long time ago, but good to be refreshed on it.

    thanks,

    Brian

     
  11. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #11
    Great bit of code Core, thanks for laying out in code what I was only motivated enough to explain :D.

    My one suggestion:

    Use the bottom example that uses a SQL database, because having just a $_SESSION variable named "logged_in" being set isn't as secure as I'd like, since it seems you're just seeing if it actually exists in the SESSION array. A more secure setup for the first example would be to have "logged_in" as a boolean value, and assign it TRUE and FALSE.

    I'd recommend using the second example, because as you scale up the SQL database will be much better, and will let you do lots of cool things in the future.
     
  12. CoreWeb macrumors 6502

    Joined:
    Mar 2, 2007
    Location:
    Edge of reason
    #12
    Thanks. It was a quick bit of code though, and I didn't test it.

    As for the $_SESSION checking, I ran into that problem once, I think (though I may be remembering incorrectly). I think PHP was not clearing the memory allocated for the $_SESSION variable, so an uninitialized $_SESSION variable could evaluate as true.

    I therefore usually use something more similar to:
    PHP:
    if ($_SESSION["logged-in"] == "LOGGED_IN"){
        //logged in
    }
    The chances of the uninitialized variable being "LOGGED_IN" would probably be very low.
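
A current-PHP version of the login code from post #9 and the session check discussed in posts #11 and #12, given as an added example that is not any poster's code. The `mysql_*` functions were removed in PHP 7.0, so it uses PDO prepared statements, `password_hash()`/`password_verify()` in place of `md5()`, and a strict session check. The `users` schema, the in-memory SQLite database and the sample account are assumptions made so it runs stand-alone.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Constructed schema and account;
// in-memory SQLite (assumption) stands in for the thread's MySQL USERS table.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY,
        user_name TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    return $db;
}

function create_user(PDO $db, string $user_name, string $password): void {
    // password_hash() adds a per-user salt and a slow algorithm; md5() has neither.
    $stmt = $db->prepare('INSERT INTO users (user_name, password_hash) VALUES (?, ?)');
    $stmt->execute([$user_name, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $user_name, string $password): ?int {
    // Bound parameters keep input out of the SQL text, so no escaping is needed.
    $stmt = $db->prepare('SELECT user_id, password_hash FROM users WHERE user_name = ?');
    $stmt->execute([$user_name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify in PHP: the salted hash cannot be matched inside a WHERE clause.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['user_id'];
}

function start_authenticated_session(int $user_id): void {
    session_regenerate_id(true);      // fresh session id at login
    $_SESSION['user_id'] = $user_id;  // store who logged in, not just a flag
}

function is_logged_in(array $session): bool {
    // Strict check: key must exist and hold a positive integer user id.
    return isset($session['user_id']) && is_int($session['user_id'])
        && $session['user_id'] > 0;
}

// Demo run from the command line with constructed data.
$db = make_db();
create_user($db, 'brian', 'correct horse battery');
var_dump(login($db, 'brian', 'correct horse battery')); // matching password
var_dump(login($db, 'brian', 'wrong'));                 // wrong password
var_dump(login($db, "' OR TRUE", 'anything'));          // injection string from post #9
var_dump(is_logged_in([]), is_logged_in(['user_id' => 1]));
```

In a web request, call `session_start()` first, then `start_authenticated_session()` only when `login()` returns a user id, and have the include file from post #9 redirect whenever `is_logged_in($_SESSION)` is false.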
     
