I'd like to have a login page on my site - very basic (no database if possible, but I have MySql if needed). The purpose is to allow a handful of special users to download documents from the site. The documents are uploaded each week to a separate directory for each client, and all the users really need is a directory listing.
My service provider offers htaccess, but that does not let me use a login page. Currently, I have a basic html form on a login page that will accept username and password - but where do I go from here?
I can program in PHP and know MySql well enough (though I'd prefer a file-based system), but not sure how to set up authentication. It would be nice if I could get the form to post to htaccess somehow and automatically take each user to his corresponding directory, but I'm not sure this is possible. Any suggestions appreciated! Thanks.
effusionx1
08-19-2004, 08:18 AM
just how secure do you want this to be:
ie:
cookie level secure (not very)
or
SSL!!!
????
Hi and thanks for the reply. The login page I currently have uses SSL encryption, which should prevent most honest people from sniffing my users' credentials. The question is how do I construct the mechanics of authenticating a particular username and password and then taking the authenticated user to a particular directory or page - that only he can go to. I suppose I could write some conditional logic in PHP that, based on correct credentials, redirects the user to his private directory using header("Location: …");
But then how do I keep non-authenticated users out of that directory?
effusionx1
08-19-2004, 09:30 AM
Ah, okay.
Well I work with Visual Basic, not PHP.
Surely you could just redirect good users to the header(location)
and then bad users to another page???
It's a LAMP site. Will be working on an ASP.NET site soon enough. In any case, there must be a way to do this without reinventing the wheel.
white_2kgt
08-19-2004, 11:20 AM
Using the PHP function crypt [http://us4.php.net/crypt] you can open the /etc/htpasswd file (or any file you create using the apache htpasswd -c [http://httpd.apache.org/docs/programs/htpasswd.html] command). Then in your PHP script validate the username/password combo. Since you will be maintaining your own htpasswd file you could extend it to also include a subdirectory that you want the user to forward to. If you did that you would also need to write a frontend script to work with the file since it will contain more info than the htpasswd command understands.
Having said all that, it would probably be easier if you just created a table in the database with an id, uname, passwd, subdir structure and read/write to the database instead of a file. All depends on if you can program db or file functions the best.
There is no way to do apache BASIC AUTH with a Form (at least none that I am aware of).
hope that helps,
-c
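A sketch of the file-based approach described in the post above, combined with the earlier question of how to keep non-authenticated users out of a client directory. This is an added example, not code from anyone in the thread. It assumes the documents and a users file live outside the web root, that the users file holds bcrypt hashes, and it uses password_verify() rather than calling crypt() directly; the paths, users.txt and login.html are hypothetical names.

```php
<?php
// Added example, not code from the thread; paths and file layout are hypothetical.
const USERS_FILE = '/home/site/private/users.txt'; // lines of "username:bcrypt_hash:subdir"
const DOCS_ROOT  = '/home/site/private/docs';      // one subdirectory per client, outside the web root
// Return the user's subdirectory if the credentials match, otherwise null.
function authenticate(string $user, string $pass, string $usersFile): ?string
{
    foreach (file($usersFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        $f = explode(':', $line, 3);
        if (count($f) === 3 && $f[0] === $user) {
            // password_verify() checks crypt()-style hashes in constant time.
            $ok = password_verify($pass, $f[1]) && preg_match('/^[A-Za-z0-9_-]+$/', $f[2]);
            return $ok ? $f[2] : null;
        }
    }
    return null;
}

// Map a requested file name to a real file inside the user's own directory only.
function resolveDownload(string $docsRoot, string $subdir, string $name): ?string
{
    $base = realpath($docsRoot . '/' . $subdir);
    $path = $base === false ? false : realpath($base . '/' . basename($name)); // basename() drops "../"
    $inside = $path !== false && strpos($path, $base . DIRECTORY_SEPARATOR) === 0;
    return ($inside && is_file($path)) ? $path : null;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {            // the HTML login form posts here
    $dir = authenticate((string) filter_input(INPUT_POST, 'username'),
                        (string) filter_input(INPUT_POST, 'password'), USERS_FILE);
    if ($dir === null) { http_response_code(403); exit('Login failed'); }
    session_regenerate_id(true);                         // fresh session id after login
    $_SESSION['subdir'] = $dir;
}
if (!isset($_SESSION['subdir'])) { header('Location: /login.html'); exit; }
$dir = $_SESSION['subdir'];
$path = resolveDownload(DOCS_ROOT, $dir, (string) filter_input(INPUT_GET, 'file'));
if ($path !== null) {                                    // ?file=name streams one document
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
    readfile($path);
    exit;
}
foreach (scandir(DOCS_ROOT . '/' . $dir) ?: [] as $n) {  // otherwise show the directory listing
    if (is_file(DOCS_ROOT . "/$dir/$n")) {
        printf("<a href=\"?file=%s\">%s</a><br>\n", rawurlencode($n), htmlspecialchars($n));
    }
}
```

Because the documents sit outside the document root, no URL reaches them directly, and the session check in this script is the only path to a file.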
A db solution may be the way to go, even with the relatively few users I have. I will investigate further - any resources/links you care to share are appreciated. Again, I suspect there is a common solution I have yet to discover. I've heard of something called PEAR?? Is that some kind of module or something?
With htaccess, the user receives a popup dialog requesting credentials when trying to access a protected resource - which is different from entering credentials on a login page. AFAIK, there is no way to get an html form to post to htaccess. When the user enters his credentials on the login page, how do I process those credentials with htaccess? I don't think this can be done.
webadpro
08-20-2004, 08:43 AM
well... just create a directory for the members... and protect that directory with .access.... that way only the members will be able to go there!
Cheers!
datums
08-20-2004, 09:46 AM
Hello
Deko, php/mysql would be the right way to go.
Here is a link that basically walks you through the majority of the setup.
http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/
I have some code I wrote a while back that you can reuse.
I will look for it. If you need it.
Would be better to code your own so you know exactly what is going on.
Sounds promising. The devshed site appears to be down at the moment - http://www.devshed.com - but I'll check back later. There are literally millions of sites out there doing this (including webhostingtalk) so I'm sure there’s some established best practice for processing logins with php/MySql.