Password access facility for 100s of members

I use .htaccess for a few members.


kapow

2:07 pm on Apr 6, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What is the standard way (if there is one) to create a password facility where hundreds of people have a password, and can get a reminder by email?

I'm used to .htaccess but that is only good for a few passwords and doesn't let visitors get a reminder by email.

I assumed this is a php question but I'm just as interested in another way. The site is on a unix/apache server with php and mysql.

digitalv

3:00 pm on Apr 6, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Best way would be to use a database ... SQL or mySQL.

You can store everyone's User/Pass in the DB, and create a session variable at your login page to keep the user logged in.

On your login page, take their Username and Password (MAKE SURE you strip out ' and " before you send it to the database) and do a SELECT something FROM Logins WHERE Username = 'theusername' AND Password = 'thepassword'. If records exist, it's a valid user/pass - create the session and redirect them. If no match, show them an error and don't create the session.

Then, using an include, check for the session on every page you want to protect. If the session is valid, do nothing. If the session doesn't exist, redirect the user to a noaccess page.

It can be really simple ... make the session called "LoggedIn" and set the value to true.

Then (I'm an ASP guy, not PHP but I'm sure the method in PHP is similar) put an include at the top of EVERY page you're protecting that contains something to the effect of :

If Session("LoggedIn") <> True Then
' redirect the user to no access '
End If
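The flow digitalv sketches, written out in PHP as an added example (this is not code from the thread or from any poster). It assumes a table `users(username, password_hash)` of this example's own design, where `password_hash` holds the output of PHP's `password_hash()`; the DSN, credentials and the `/login.php` and `/members/` paths are placeholders. Instead of stripping quotes, the lookup uses a prepared statement, and the password column is never compared directly, only verified against a hash.

```php
<?php
// Added example: form login backed by a database plus the per-page session guard.
// Assumed schema (this example's choice, not the thread's):
//   CREATE TABLE users (username VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(255));
declare(strict_types=1);

function db(): PDO
{
    // Placeholder DSN and credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=members;charset=utf8mb4', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

/**
 * True when the username exists and the password matches its stored hash.
 * The prepared statement sends the username separately from the SQL text, so
 * no quote stripping is needed and the visitor cannot alter the query.
 */
function attempt_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), against a throwaway hash when the user is
    // unknown, so the response time does not reveal which usernames exist.
    $hash = ($row !== false) ? $row['password_hash']
                             : password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    return $row !== false && $ok;
}

/** Mark the session as logged in. Call only after attempt_login() returned true. */
function login_user(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // New session id after login, so an id handed out before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['LoggedIn'] = true;
    $_SESSION['username'] = $username;
}

/**
 * The include for the top of every protected page. The session is the only
 * thing that says "this visitor already proved who they are".
 */
function require_login(string $loginUrl = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['LoggedIn'])) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// --- usage in login.php -------------------------------------------------------
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     $user = (string) ($_POST['username'] ?? '');
//     $pass = (string) ($_POST['password'] ?? '');
//     if (attempt_login(db(), $user, $pass)) {
//         login_user($user);
//         header('Location: /members/');
//         exit;
//     }
//     $error = 'Invalid username or password';   // one message for both failure cases
// }
// --- usage at the top of every members-only page ------------------------------
// require_once 'auth.php';
// require_login();
```

Save the functions as `auth.php`; `login.php` calls `attempt_login()` and `login_user()`, and every protected page starts with `require_login()`. The single error message and the constant-time verify path are what keep the login form from confirming which usernames exist.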

kapow

3:34 pm on Apr 6, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks Digitalv
That looks nice and straight forward.

Is it necessary to have some checking code on every page in the members area?
e.g. with .htaccess I only require the .htaccess file once in the appropriate folder, and the folder may have any number of pages.

I just want to be sure before I set off down the road of creating a password facility that I'm taking the most practical and common approach.

httpwebwitch

4:13 pm on Apr 6, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Try this. It uses the PHP headers for HTTP authentication. Put this code in a file called "authenticate.php", then just include it at the very top of every page.

You need to alter this code to access your own database (create a mysql connection) and define the "realm".

authenticate.php
----------------


<?php

//
// create a connection to your mysql database (placeholders: replace with your own)
//
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');

// No credentials sent yet (or the user cancelled the prompt): issue the challenge.
// $_SERVER['PHP_AUTH_USER'] replaces the register_globals-era $PHP_AUTH_USER.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header("WWW-Authenticate: Basic realm=\"myrealm\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "Canceled by User\n";
    print("<script>history.go(-1);</script>");
    exit;
} else {
    // Prepared statement: the submitted name and password are bound as values,
    // never spliced into the SQL text, so a quote in either cannot change the query.
    $stmt = $db->prepare("SELECT 1 FROM passwords WHERE UID=? AND PWD=?");
    $stmt->bind_param("ss", $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    $stmt->execute();
    $stmt->store_result();
    $authentic = ($stmt->num_rows > 0);
}

if (!$authentic) {
    header("WWW-Authenticate: Basic realm=\"myrealm\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "Incorrect Password";
    exit;
}
?>

digitalv

5:01 am on Apr 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The session is really a much better way to go than .htaccess anyway. Think about it ... when was the last time you went to a site where the login box popped up? All of your popular sites are database-driven where the user logs in through a web form.

You would need to include the "check session" code on every page you want to protect, there is no way around that. Granted .htaccess is "easier" because you can just protect an entire directory and drop whatever you want into it, but it has its limitations as you're discovering :)

A database is the next logical step. Once you've got this concept down for your site, you'll find there are all sorts of things you can do with your users when logged in. From simple things like "Welcome back, so and so" to a history of what they've done on your site, etc. You can go far beyond basic authentication.

kapow

12:07 pm on Apr 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks digitalv and httpwebwitch

...A database is the next logical step. Once you've got this concept down for your site, you'll find there are all sorts of things you can do...

I'm getting used to the idea now.

How does .htaccess keep track of who has entered a password? It doesn't use a cookie, what does it do?

coopster

1:09 pm on Apr 7, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



In the HTTP Authentication. (rfc2616 [ietf.org], rfc1617 [ietf.org])
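An added example (not code from the thread) that does the job of httpwebwitch's authenticate.php and, in its comments, answers kapow's question of how the server "keeps track": with HTTP Basic authentication the browser simply repeats the `Authorization` header on every request, so there is no cookie and no server-side state. The demo user table, the realm name and the use of `password_hash()` are this example's choices; the raw-header parser is included because CGI/FastCGI setups often do not populate `PHP_AUTH_USER`.

```php
<?php
// Added example: HTTP Basic authentication in PHP, with the mechanism spelled out.
declare(strict_types=1);

/**
 * Split the raw "Authorization: Basic <base64>" value into [user, password], or
 * return null when the header is absent or malformed. The decoded text is
 * "user:password"; only the FIRST colon separates them, since a password may
 * itself contain colons.
 */
function parse_basic_authorization(?string $header): ?array
{
    if ($header === null || !preg_match('/^\s*Basic\s+([A-Za-z0-9+\/=]+)\s*$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || ($colon = strpos($decoded, ':')) === false) {
        return null;
    }
    return [substr($decoded, 0, $colon), substr($decoded, $colon + 1)];
}

/** Credentials from whichever place the SAPI exposes them. */
function basic_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {                       // mod_php fills these in
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    return parse_basic_authorization($server['HTTP_AUTHORIZATION'] ?? null);  // CGI/FastCGI
}

/** Constructed user table for the demo: username => password_hash() output. */
function demo_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return $users;
}

function check_credentials(?array $creds, array $users): bool
{
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    // Verify against a throwaway hash for unknown users so timing stays uniform.
    $hash = $users[$user] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $hash);
    return isset($users[$user]) && $ok;
}

// --- request handling ---------------------------------------------------------
// First request: no Authorization header, so answer 401 plus the challenge. The
// browser prompts, REPEATS the request with "Authorization: Basic <base64>", and
// then attaches that same header to every later request for this realm. That
// replayed header is what "keeps track"; the server re-checks it each time and
// holds no session. It also has no way to end the login: only the browser
// forgetting the credential does that.
if (PHP_SAPI !== 'cli') {
    $creds = basic_credentials($_SERVER);
    if (!check_credentials($creds, demo_users())) {
        header('WWW-Authenticate: Basic realm="members"');
        http_response_code(401);
        echo "Authentication required\n";
        exit;
    }
    echo 'Hello, ' . htmlspecialchars($creds[0], ENT_QUOTES, 'UTF-8');
}
```

Two consequences follow from the mechanism: the header carries the password base64-encoded, not encrypted, on every request, so Basic auth belongs on HTTPS only; and because the browser keeps replaying it, there is no server-side logout or password-reset flow, which is exactly what the session-based approach earlier in the thread adds.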

kapow

1:40 pm on Apr 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Wow, that's a lot to take in!

Is there a way to use the same kind of system used by .htaccess AND have:
- members able to get an email reminder,
- members able to update their password?

or can that ONLY be done with code on every page to check the visitor?

coopster

7:20 pm on Apr 7, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Sure, you can read and write to an .htaccess file, but using .htaccess files is minimal security, at best. It's great when you first get started, but sooner or later you are going to want a more robust solution. You don't have to write new code to put in the top of every access page, you simply include the script that does that for you on those pages that require authenticated access. A quick search on this site will bring up loads of information and links to tutorials.

WhosAWhata

9:55 pm on Apr 7, 2004 (gmt 0)

10+ Year Member



In reality, with a little work, PHP can be just as simple as a .htaccess pass protection system.
Write a php script that is accessed like this: pass.php?page=<page to protect>
ex:
<?php
session_start();
$page = isset($_GET['page']) ? $_GET['page'] : '';
if (!empty($_SESSION['LoggedIn'])) {  // signed in
    header("Location: $page");
} else {
    // login script
}
?>
then make a .htaccess file that redirects any page request to pass.php?page=
ex:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+[^/])$ %{REQUEST_URI}/ [R,L]
RewriteCond %{REQUEST_URI} !^(pass\.php$|.*/$|index\.php$)
RewriteRule (.*) pass.php?page=$1 [L]
RewriteCond %{REQUEST_URI} ^(/$|$)
RewriteRule (.*) index.php [L]
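A fuller pass.php for the rewrite rules above, added here as an example (not WhosAWhata's code). Two points a practitioner would want handled: the `page` parameter arrives straight from the URL, so it is resolved with `realpath()` and checked to stay inside the protected directory before anything is read; and the file is served from pass.php rather than redirected to, because a `Location:` back to the original URL would simply be rewritten to pass.php again by the same rules. The `./protected` directory, the `/login.php` page (assumed to set `$_SESSION['LoggedIn']` on success) and the content-type table are this example's assumptions.

```php
<?php
// Added example: gateway script for the mod_rewrite rules in the post above.
// Layout assumed here: protected files live in ./protected next to this script.
declare(strict_types=1);
session_start();

const PROTECTED_DIR = __DIR__ . '/protected';

/**
 * Resolve ?page= to a real file under $baseDir, or return null.
 * realpath() collapses "..", symlinks and encoded variants; the prefix check
 * then refuses anything that resolved outside the protected tree.
 */
function resolve_page(string $page, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($page, "\0") !== false) {
        return null;
    }
    if ($page === '' || substr($page, -1) === '/') {
        $page .= 'index.html';                      // directory request -> its index file
    }
    $target = realpath($base . '/' . $page);
    if ($target === false || !is_file($target)) {
        return null;
    }
    $inside = strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return $inside ? $target : null;
}

/** Minimal extension -> Content-Type map (this example's choice). */
function content_type(string $path): string
{
    static $types = [
        'html' => 'text/html; charset=utf-8', 'css' => 'text/css',
        'js'   => 'application/javascript',   'png' => 'image/png',
        'jpg'  => 'image/jpeg',               'pdf' => 'application/pdf',
    ];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $types[$ext] ?? 'application/octet-stream';
}

if (PHP_SAPI !== 'cli') {
    $page = (string) ($_GET['page'] ?? '');

    if (empty($_SESSION['LoggedIn'])) {
        // Not signed in: remember the request (login.php must pass it through
        // resolve_page() again before using it) and send them to the login form.
        $_SESSION['next'] = $page;
        header('Location: /login.php');
        exit;
    }

    $target = resolve_page($page, PROTECTED_DIR);
    if ($target === null) {
        // Reached only after login, so outsiders cannot probe which files exist.
        http_response_code(404);
        exit('Not found');
    }

    // Serve the file here instead of header("Location: $page"): that redirect
    // would be rewritten straight back to pass.php by the rules above.
    header('Content-Type: ' . content_type($target));
    header('Content-Length: ' . (string) filesize($target));
    readfile($target);
}
```

This handles static files only; protected PHP pages would need `include` of the resolved path instead of `readfile()`, which is a reason to keep the protected tree free of anything a visitor could upload into it.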