Security & tracking a user

lorax

1:38 pm on May 1, 2002 (gmt 0)

Hello,
While creating an admin area for a client I began to rethink how I've implemented security. Obviously I don't want unauthorized access to any of the files within the admin area but I'm concerned about how secure the method I chose is. It seems to me there may be a trade-off of security versus speed. So I'm curious about your experiences on implementing secure areas/files. In addition I have a two part question - dbl points if your answer is what I've already done.

First, I'd like to know what your opinion is on directory security afforded by .htaccess and the web server versus creating a uname & password access with MySQL & PHP.

Second, if you did use the .htaccess method, I have to believe the web server creates a variable with the user's name and that I should be able to get the value of that variable for use in scripts.

Third if you did use MySQL and PHP, how did you protect pages other than the login page - with session vars, call the validation script again or ???

sugarkane

2:06 pm on May 2, 2002 (gmt 0)

> how did you protect pages other than the login page

The last time I did this, I dropped a cookie once the user had been validated, and every protected page checked for this cookie and denied access if it wasn't present or valid.

> .htaccess method, I have to believe the web server creates a variable

Unfortunately, I don't think it does. The only solution I've come across (using apache) is to plug your own script into the authentication process and determine the user from there - this page [modperl.com] may give you some ideas

scotty

11:35 pm on May 2, 2002 (gmt 0)

I found implementing your own authentication method can be quite steep at the beginning, because you need to plug the authentication code into every script, but it can be quite rewarding later on. It allows you to be more flexible on implementation, and it does not limit you to authenticate against MySQL and PHP! There are also other applications as well, for example one of my sites exports its authentication function via XML-RPC, so that my other related sites can authenticate their users using the same user+password database, without them even being on the same server! Lots of applications there...

If you are fortunate enough to have access to Apache, there are some authentication modules that are flexible as well, especially those that authenticate against external scripts. If you wish to have .htaccess style of security (and convenience) but have a flexible auth agent, then these are the ways to go. I use mod_auth_any [itlab.musc.edu] myself, and I found it quite easy to use and write external plugins with.

With HTTP authentication (.htaccess method), in PHP you can use the server variable $HTTP_SERVER_VARS['REMOTE_USER'] to find out the username of the authenticated user. I think it is the same with CGI scripts, but they will be stored as environment variables.

lorax

11:46 pm on May 2, 2002 (gmt 0)

Scotty,
I'd love to receive a sticky mail from you regarding your implementation of XML-RPC for security. I'm about to dig into this technology for news feeds and you got my attention with using it for security.

transistor

7:29 pm on May 8, 2002 (gmt 0)

Hey Lorax,
I use PHP & MySQL over Apache htaccess because I never really understood how htaccess worked.
So what I do is, at the login page, set a session variable with data from the user, like the name, some user id and other relevant preferences you might set for each logged user (language, gender, etc.), I even include the session id itself.
Then, every additional protected page includes a PHP script that checks that all these values exist, it even checks that the session id is equal to the current session the user has. If one of the variables is not there, the user is sent to the login page.
It turned out to be pretty easy to maintain lots of pages under this scheme.
If you like I can send you the files so you can experiment on it.
Hope this helps.

Oh! and about tracking... I include a PHP script that when a page loads, it saves user data (from the session variables set at login) and the url loaded.
You could save other data like IP, browser, etc. it depends on what is your goal.
Later on, you can make a script that analyzes the database to determine where and what a user went and did.
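The tracking script transistor describes, as an added example in PHP that is not code from the thread (the file name `track.php`, the table layout and the connection details are assumptions). It is included on each protected page after the login check has passed, and binds the request data as parameters because the URL and user agent come from the client.

```php
<?php
// track.php (name assumed): included on a protected page once the login
// check has passed, so $_SESSION['user_id'] is known to be set.
// Assumed table:
//   CREATE TABLE page_views (id INT AUTO_INCREMENT PRIMARY KEY,
//     user_id INT NOT NULL, url VARCHAR(2048) NOT NULL, ip VARCHAR(45),
//     user_agent VARCHAR(512), viewed_at DATETIME NOT NULL);

function record_page_view(PDO $db, int $userId, array $server): void
{
    // URL, IP and browser string are supplied by the client; they are
    // bound as parameters, never concatenated into the SQL text, so a
    // crafted value cannot change the statement.
    $sql = 'INSERT INTO page_views (user_id, url, ip, user_agent, viewed_at)
            VALUES (:user_id, :url, :ip, :ua, NOW())';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':user_id' => $userId,
        ':url'     => substr($server['REQUEST_URI'] ?? '', 0, 2048),
        ':ip'      => $server['REMOTE_ADDR'] ?? null,
        ':ua'      => substr($server['HTTP_USER_AGENT'] ?? '', 0, 512),
    ]);
}

// Connection details are placeholders to be replaced with real values.
$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',
    'DB_USER',
    'DB_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
    ]
);

record_page_view($db, (int) $_SESSION['user_id'], $_SERVER);
```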

Knowles

7:43 pm on May 8, 2002 (gmt 0)

hey transistor,
I would like to see that file if you don't mind. I am fixing to have to implement a log in system for a very small number of people and I need it to be through PHP MySQL.

lorax

8:50 pm on May 8, 2002 (gmt 0)

Thanks folks,
In the end, I opted to go with .htaccess because I found that my php/MySQL code took a half second to realize the visitor wasn't authorized before sending them to the login page. In that time, the visitor was allowed to see the page they tried to load. I've never had this problem with the .htaccess method since it's directory security as opposed to file security - though, now that I've said that, I wonder if I could implement directory level security using PHP.

transistor

12:48 am on May 15, 2002 (gmt 0)

That's curious Lorax, because I have never had that problem and I don't have a particularly fast server or anything.
I don't know what your code might look like, but in my case, if the user is not authorized they are sent to the login page with a header("location: index.php");
and the next line has an exit;
I don't think it is possible for the page to continue loading if there is an exit right next to the header (and assuming the authorization script runs right at the top of the page before anything else). This might be the problem in your script.
Anyway, there's always more than one way of getting somewhere :)
cheers!
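The session check transistor describes in this and his earlier post, as an added example in PHP that is not code from the thread (the file name `auth.php`, the function names and the session keys are assumptions): the login page calls `establish_login_session()` once the password has been verified, every protected page calls `require_login()` as its first statement, and a failed check redirects and then calls `exit` so nothing below it is ever sent.

```php
<?php
// auth.php (name assumed): must be included before any output is sent,
// since header() cannot be called once the response body has started.

session_start();

// Session keys written at login (assumed names); all must be present.
const REQUIRED_KEYS = ['user_id', 'user_name', 'login_session_id'];

function establish_login_session(int $userId, string $userName): void
{
    // Issue a fresh session id at login so an id the browser carried in
    // before authenticating is never the one that becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['user_name'] = $userName;
    // Record the id this login was issued under; re-checked on every page.
    $_SESSION['login_session_id'] = session_id();
}

function session_is_valid(array $session): bool
{
    foreach (REQUIRED_KEYS as $key) {
        if (!isset($session[$key]) || $session[$key] === '') {
            return false;
        }
    }
    // The id stored at login must equal the id of the current session.
    return hash_equals((string) $session['login_session_id'], session_id());
}

function require_login(string $loginPage = 'index.php'): void
{
    if (session_is_valid($_SESSION)) {
        return;
    }
    // Clear any partial state, redirect, and stop executing. The exit
    // directly after header() is what keeps the protected page from
    // being rendered while the browser follows the redirect.
    $_SESSION = [];
    session_destroy();
    header('Location: ' . $loginPage);
    exit;
}
```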

lorax

2:30 am on May 15, 2002 (gmt 0)

Hey transistor,
Well, you may have nailed the problem I was having for me! I wasn't executing this method quite the way you describe. In fact I'm too embarrassed to admit the method I used. Suffice it to say I'll check into this method from your approach. Danke.