I've got a website that I'm trying to get online. The content has been done for about 10 days and I'm working on the technical aspect of getting the credit card processing working.
It has both a guest area and a member's area, and for the member's area I'm trying to set up what I'm calling a "Password gateway." That's the part where a form is displayed on the screen that says something like "Choose a username, Choose a password, reenter password," and so on.
And then another form comes up and says something like "Enter username and password."
And as I was thinking about possible solutions, one significant possibility came to mind. And I'm sure a small percentage of people have tried this on other sites.
What if a user's membership expires and the home page of the member's area has been bookmarked? What's to stop the user from going to the member's area via a bookmark?
Normally, I set a cookie with the user's username. All pages in the member's area check for the cookie and redirect to the logon page if not found. One possible method is to set the membership expiration date as the cookie expiration date. (However, if the user cancels the membership, the cookie would still be valid and allow the user to continue to have access.)
As a secondary check, you can query your database using the cookie to verify that the membership has not expired. However, that means an extra hit to the database every time a members-only page loads. (Depending on your application server, you might be able to cache those queries to cut down on the overhead.) If it's not a lot of pages, the overhead may not be too bad.
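The server-side check described in the answer above, as an added example that is not part of the original posts: every members-only request looks up the membership (expiry date and cancellation) and caches the answer briefly to limit database hits. The table layout, the `MembershipGate` class, the `/logon` path and the 60-second cache lifetime are assumptions, and the code assumes the username in the cookie has already been authenticated by the application (for example via a server-issued session), since a bare username cookie can be typed in by anyone.

```python
import sqlite3
import time

def make_db(now):
    """Constructed sample data: active, expired and cancelled members."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT PRIMARY KEY,"
               " expires_at REAL, cancelled INTEGER)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", [
        ("alice", now + 86400, 0),   # paid up
        ("bob", now - 86400, 0),     # expired yesterday
        ("carol", now + 86400, 1),   # cancelled before the expiry date
    ])
    return db

class MembershipGate:
    def __init__(self, db, ttl=60, clock=time.time):
        self.db, self.ttl, self.clock = db, ttl, clock
        self._cache = {}      # username -> (is_active, time cached)
        self.db_hits = 0      # counts real queries, to show the saving

    def is_active(self, username):
        now = self.clock()
        cached = self._cache.get(username)
        if cached and now - cached[1] < self.ttl:
            return cached[0]
        self.db_hits += 1
        row = self.db.execute(
            "SELECT expires_at, cancelled FROM members WHERE username = ?",
            (username,)).fetchone()
        # Unknown user, cancelled, or past expiry all mean "no access".
        active = row is not None and not row[1] and row[0] > now
        self._cache[username] = (active, now)
        return active

    def handle(self, cookie_username, path):
        """Return (status, location) for a request to a members-only page."""
        if not cookie_username or not self.is_active(cookie_username):
            return (302, "/logon")
        return (200, path)

if __name__ == "__main__":
    gate = MembershipGate(make_db(time.time()))
    for user in ("alice", "bob", "carol", None):
        print(user, gate.handle(user, "/members/home"))
```

The cache lifetime is also the longest a cancelled member keeps access through a bookmark, so it should stay short or be cleared when a membership is cancelled.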