Usernames and Passwords that lead to different pages

[design-is]

Hi all

I did a little search and have tried to find out myself via other means, but have thus far had no luck!

Is there a way to have it so when a link is clicked, it brings up a username and password dialogue & the username and password entered dictates which folder or page the user is directed to?

Thanks for any help

Doug

 

[angelwatt]

There's a couple ways to go. If you need to do it client-side, then JavaScript will help out, though you'd likely want a back up way for those with JavaScript disabled. If you do things server-side PHP can help us.

With JavaScript you can redirect to a page using:

location.href = "thispage.html";

With PHP you redirect by:

header('Location: thispage.html');

These are the essential pieces anyways. I'm not sure how you have your data stored, like if you're accessing a database to match username/password pairs, or what. I'm also not sure if you need help with a pop-up for the dialogue (though make sure it doesn't depend on JavaScript since some have it disabled). Or are you trying to find a downloadable script that does everything for you?

 

[design-is]

Sorry I wasn't very clear...

I currently have a page of links that lead to personal pages for clients protected using an .htpasswd. So from my homepage there is a client login link which leads to this page. They then select their link and the default password box from the browser pops up - leading them to their page for proofs etc.

I am thinking about a re-design and would much prefer to have the client login button open the password dialogue from the browser and have the page it leads to dependant on the username and password entered. I don't know if this is possible. I just want to find a way that means I don't need to list all the clients on a publicly viewed page.

I hope that makes more sense.

 

[SrWebDeveloper]

There are lots of ways to do this. I'l discuss concept, not code, for now.

Here is one method which is very secure, requires Apache, and 100% server side authenticated so no issues with Javascript or hacking or XSS (Cross Site Scripting) issues:

1) Make the link go to a unique folder with a script in the language of your choice named, say, "/special_access/process-login.php" for example
2) Set your Apache to password protect the "/special_access" folder, create as many names as you want via .htaccess with associated passwords:

How to do that, including password encryption and great tutorial

3) Once the user authenticates, the process-login.php script runs, it will pass the login username as a variable to a switch or if/then/else type of function that redirects to specific pages based on the username.

BTW, in PHP you can detect the login username that the user typed in by doing something like this:[FONT=Verdana, Arial, Helvetica][/FONT]

$auth_username = $_SERVER["REMOTE_USER"];

If that server variable does not exist, password protect a page that runs phpinfo() and search for the username and use that variable instead.

If you do not run Apache, see if your web server can password protect in a similar manner and if you can access the username info via server side code.

If there is NO way to do this via your web server, then you will need to install or write a login function in the language your server supprts which protects the page and allows access to the username in memory. But make sure any third party script doesn't use cookies or Javascript in any way to handle login - you only want to deal with sessions and server side processing to maximize security.

An integrated login environment in PHP is pretty easy to do these days, using session control with minimal cookie use, such as this one.

Hope these concepts gave you ideas. I'm sure others might have some cool suggestions also, just keep security in mind as you make your final decision.

-jim

 

[design-is]

Thanks for your help!

I think this could be a little over my head right now... but you never know until you try, so I'll see if I can figure it out over the weekend

Server supports Apache as far as I'm aware, so that shouldn't be a problem.


Thanks again

Doug

 

[SrWebDeveloper]

Here's my method in code, all examples:

1) The Link

<a href="/special-access/process-login.php">Login Here</a>

2) In /special-access/.htpasswd (3 users with MD5 passwords each, created using the links in the help page I included earlier)

bob:ps29cmnwl4a0e
sam:kjcmsaas4a0et
joe:aawscmnwl2a1e

In /special-access/.htaccess

AuthUserFile /full/path/to/special-access/.htpasswd
AuthType Basic
AuthName "Private Area - Login Required"
Require valid-user

3) In /special-access/process-login.php

<?php

$user=(isset($_SERVER["REMOTE_USER"])) ? $_SERVER["REMOTE_USER"] : "";  

switch (lcase($user)) {

case "bob":
header('Location: bob.html');
break;
 
case "sam":
header('Location: sam.html');
break;

case "joe":
header('Location: joe.html');
break;

default:

// What to do when username is not recognized, put that code here

}

4) And of course put the 3 html files, bob.html, sam.html and joe.html inside the special-access folder as well in this simple example.

Hope it doesn't seem so hard, now. You get the idea, right?

-jim

 

[design-is]

Thanks Jim, your nothing less than a star!

I'll report back when I have it up and running (or if I get stuck)

 

[design-is]

I'm sorry to say, I'm having problems.

I have little php knowledge, so can't say why - so thought it best to seek advice. Using the code above...

My login.php:

<?php

$user=(isset($_SERVER["REMOTE_USER"])) ? $_SERVER["REMOTE_USER"] : "";  

switch (lcase($user)) {

case "name":
header('Location: page.html');
break;
 
default:
header('Location: ../index.html');
break;

} 

?>

I get this error:

Fatal error: Call to undefined function: lcase() in /path/to/the/login/php/login.php on line 5

Any help greatly appreciated...

Thanks

Doug

 

[angelwatt]

Replace lcase with strtolower.

 

[ChrisA]

switch (lcase($user)) {

case "bob":
header('Location: bob.html');
break;

So how do you add a new user? You have a sign up page? Does the "switch" scale to more then a handfull of users? This might work if you have 6 or 8 users but not for 1,000. or even 100. I think you would need to keep the mapping from user name to URL in some kind of persistant storage. A database would be ideal but even a file could work. You really do not want tohave to change the server side code just to add a user

 

[SrWebDeveloper]

Sorry, I mixed up my languages!

@ChrisA:

Obviously this method uses a manual editing of .htpasswd/.htaccess for a few users only which the OP would create using the link I provided for creating the .ht* files. I already mentioned in a previous reply information to the OP about a far more advanced integrated login implementation, I even included a link for that. The OP has not yet said this method is beyond their needs, so as I said in the beginning, this is one concept of many. If they need something more powerful and scalable, we'll talk about CMS's and other options at that time. I try not to deluge the OP with too much, let's let the conversation flow naturally and see what happens.

-jim

 

[design-is]

Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5F136 Safari/525.20)

Thanks guys

This method is perfect for the time being I don't intend on having many users and don't want people to be able to sign up. It's just for creating secure areas for clients to see proofs and bits like that.

I'm trying to learn the basics too, so I don't skip things I should know.

I'll let you know how it goes!

Cheers

Doug


-EDIT- Works great thanks

 

[SrWebDeveloper]

Awesome, please let me know if you need anything else. Cheers.

-jim

 

[GoGoComputerz]

Please Help

I've done all the above steps, but whenever a user goes to log in, it never takes them to the designated page. It just keeps showing the login box over and over. Any Ideas?

 

[angelwatt]

I've done all the above steps, but whenever a user goes to log in, it never takes them to the designated page. It just keeps showing the login box over and over. Any Ideas?

Show your code.

 

[GoGoComputerz]

My Link
<a href="/special-access/process-login.php">View Your Design</a>

process-login.php
<?php

$user=(isset($_SERVER["REMOTE_USER"])) ? $_SERVER["REMOTE_USER"] : "";

switch (strtolower($user)) {

case "dallmon":
header('Location: dallmon.html');
break;

case "jteague":
header('Location: jteague.html');
break;

default:
header('Location: failure.html');

}

?>



.htpasswd

dallmonassword
jteagueassword


.htaccess

AuthUserFile /special-access/.htpasswd
AuthType Basic
AuthName "View Your Designs!"
Require valid-user

 

[angelwatt]

.htaccess

AuthUserFile /special-access/.htpasswd
AuthType Basic
AuthName "View Your Designs!"
Require valid-user

OK, the problem looks to be with your .htaccess file. The line that starts AuthUserFile has to have the full path address to the file, not just from the root directory of your web site. So, you'll have something like /home/username/yourdomain.com/special-access/.htpasswd.

Also, in case that's not all that's a problem, make sure you created the .htpasswd file correctly using a command like below:

htpasswd -c /usr/local/apache/passwd/passwords username

taken from, http://httpd.apache.org/docs/2.0/howto/auth.html. You cannot create the file by hand, you must use the htpasswd command.

Edit: As an additional note, you should really store the htpasswd files somewhere where it's not visible to the public (say you can't put a URL to it) otherwise it's a security issue. It should be placed in a folder outside the main HTML folder (like the yourdomain.com folder I reference above).

 

[GoGoComputerz]

I'm sorry, I'm new at all of this. I've read the entire page that you linked to in the post, but I can't figure out how to use the command to create the new page. Where do i put that command code?

 

[angelwatt]

I'm sorry, I'm new at all of this. I've read the entire page that you linked to in the post, but I can't figure out how to use the command to create the new page. Where do i put that command code?

Open Terminal (/Applications/Utilities/Terminal) and do the commands there. The file you create with the command will need to be uploaded to the web server as well so be sure to save it somewhere you can get to. This page may be easier for you to follow.

 

[GoGoComputerz]

Also, a question I have, is if I password protect the directory from within my file manager on my server, how can I code a file to allow different users to go to different pages.


For instance....


the folder with my web server is

/proofs/

and it will be password protected...


inside that folder will be

dallmon.html
jteague.html

etc.


I want to have the specific users go to there specific pages.



Is that possible?

 

[angelwatt]

I want to have the specific users go to there specific pages.

Is that possible?

That's what the PHP part was for.

 

[GoGoComputerz]

How can you code a log-out button?

 

[angelwatt]

How can you code a log-out button?

When using this password protection there is no logout, it's one of the downsides. The "login" last while the browser is open, or may expire after a couple hours, but it isn't a true login, it's a password protected folder. That's why you can't logout, because you never really logged in. You would need to use a PHP-based login system if you want a managed logout, but that's going to be a more involved setup. There are tutorials out there though if you search for them.