Five important variables you need to know when you develop a login page:
1- If you restricted area will work only with some browsers you should take that into account when you develop a login feature. For example, if you restricted area development has limitations with Opera or with Internet Explorer for mac, you should avoid giving access to users that are trying to login with those browsers - instead showing a message with the list of browser they can use to have full access to your back office.
2- Password protected against unauthorized people is another item. There three ways to save a password into a database.
a) as plain text (100% insecure)
b) two way encryption, that means the password is encrypted in the database and when the user wants to recover it - they will recover the same password using a programming feature to decrypt of the password. This is a better option than the one I mentioned above, but still allows to unauthorized people to use the programming skills to get the password.
c) The password is stored in one way encryption, this is the most secure way to store a password since there is no way to recover the same password.
In this scenario when the user forgets the password, it is recovered by doing an extra programming. The user clicks the link "forget my password" and is taken to a page where the user is asked for his email. If the email matches the one stored in the database, a link with a code that is generated automatically that the user can use to reset the password is sent to their password. When the user resets the password he has to validate his email and there there is no way for an unauthorized person to crack into an account.
3- Is also important that the information (user name and password) is validated in a secure server (ssl)
4- Another thing you should consider is the "Log Out". For example you can store the login information in his computers as a cookie. If you do that you
should consider storing that information in a way is not human readable, since a cookie can be readed easily from any computer. The best way to create a secure membership site to set up the cookie to expire when the browser is close. According, so every time a user logs in it has to put their username and password. Doing this you make sure that if a user does the login using a public computer nobody can get access after that user leaves the computer since the cookie will expire when the user closes the browser, (that was a major problem with hotmail in his earlier years)
5- Also is important to consider that every page that is behind the membership is a automaticaly redirect to the login page if password and username doesn't match. There are many ways to bypass a login access page for someone with programming knowledge if this measure is not take into account.
I hope this help someone that is the process to develop a membership website.
Have a good day!