
Best way to password-protect a site?

I have a database of subscribers and a login page, now what?

MichaelBluejay

5:50 am on Jul 16, 2004 (gmt 0)

I design websites for small retail businesses so I've never had to deal with restricting access to a site before, but today I got an inquiry from someone who wants to set up a site where users will buy a subscription and then login with a username/password to access the content -- so I need to know how to restrict access to non-subscribers. I found a payment processor that can automatically write new usernames & passwords to a MySQL database on my server. It's easy enough for me to write a Perl script to run against that database before allowing the user to continue, but how do I block users from accessing the internal URLs directly? If a user emailed a non-user a deep url from inside the site then the non-user could bypass the login page. (Yes, a user could also share a login with another user, but I won't worry about that part for now.)

I was thinking I could set a cookie on successful login, and have each and every internal page of the site include a script that checks for a valid cookie, but I'm not sure this is the best way to do it. That also wouldn't block access to image files since no script is run when accessing an image file.

This is probably old hat to many of you but it's brand-new to me. Thank you very much for your help.
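The cookie-on-login scheme described in the post above, with the gap it points out closed: instead of a check pasted into every page (and none in front of the images), every URL in the members area, pictures included, goes through one gate. This is an added example written in Python, not code from the thread or from any poster; it assumes a login script that has already checked the subscriber against MySQL and set the cookie built by make_session_cookie(), that Apache hands the whole members area to this WSGI application, and a hypothetical content directory /srv/members_only that sits outside the document root so Apache never serves those files directly. SECRET_KEY is a placeholder to be replaced with random bytes kept out of the web root; the sample image in demo() is constructed.

```python
"""Added example: one session check in front of every members-only URL, images included."""
import hashlib
import hmac
import mimetypes
import os
import tempfile
import time
from http.cookies import SimpleCookie
from typing import Optional, Tuple

SECRET_KEY = b"placeholder: replace with os.urandom(32), keep outside the web root"  # assumption
SESSION_TTL = 3600                 # seconds a login stays valid
CONTENT_DIR = "/srv/members_only"  # hypothetical path, deliberately not under DocumentRoot


def make_session_cookie(username: str, now: Optional[int] = None) -> str:
    """Cookie value 'user|expires|hmac'; forging one requires SECRET_KEY."""
    now = int(time.time()) if now is None else now
    expires = now + SESSION_TTL
    msg = f"{username}|{expires}".encode()
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{username}|{expires}|{sig}"


def verify_session_cookie(value: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is untampered and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        username, expires_str, sig = value.split("|")
        expires = int(expires_str)
    except ValueError:
        return None
    msg = f"{username}|{expires}".encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig) or expires <= now:  # constant-time compare
        return None
    return username


def resolve(url_path: str, content_dir: str) -> Optional[str]:
    """Map a URL path onto content_dir, refusing anything that escapes it (../)."""
    root = os.path.realpath(content_dir)
    full = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    if os.path.commonpath([root, full]) != root:
        return None
    return full


def serve(url_path: str, cookie_header: str, content_dir: str = CONTENT_DIR) -> Tuple[str, bytes, str]:
    """The single gate: returns (status, body, content type). A .png is checked like a .html."""
    cookies = SimpleCookie(cookie_header)
    user = verify_session_cookie(cookies["session"].value) if "session" in cookies else None
    if user is None:
        return "302 Found", b"", "text/plain"  # real response also carries Location: /login
    full = resolve(url_path, content_dir)
    if full is None or not os.path.isfile(full):
        return "404 Not Found", b"not found", "text/plain"
    with open(full, "rb") as fh:
        body = fh.read()
    return "200 OK", body, mimetypes.guess_type(full)[0] or "application/octet-stream"


def application(environ, start_response):
    """Minimal WSGI wrapper around serve() for mod_wsgi or wsgiref."""
    status, body, ctype = serve(environ.get("PATH_INFO", "/"), environ.get("HTTP_COOKIE", ""))
    headers = [("Content-Type", ctype), ("Content-Length", str(len(body)))]
    if status.startswith("302"):
        headers.append(("Location", "/login"))
    start_response(status, headers)
    return [body]


def demo() -> dict:
    """Exercise the gate against a constructed content directory holding one image."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "images", "chart.png"), "wb") as fh:
            fh.write(b"\x89PNG constructed sample")  # constructed, not a real image
        good = "session=" + make_session_cookie("alice")
        forged = "session=" + make_session_cookie("alice").replace("alice", "bob", 1)
        return {
            "no_cookie": serve("/images/chart.png", "", root)[0],
            "forged": serve("/images/chart.png", forged, root)[0],
            "ok": serve("/images/chart.png", good, root)[0],
            "traversal": serve("/../../etc/passwd", good, root)[0],
        }


if __name__ == "__main__":
    print(demo())
```

The point of routing the files through the script rather than linking them directly is that the deep-URL problem from the post disappears: a non-subscriber who is emailed a link gets the redirect, and the same holds for the images because there is no per-page include to forget.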

smayler

1:49 pm on Jul 16, 2004 (gmt 0)

Moderator, please move the answer somewhere else if this is not the appropriate place.

Here is a PHP sample for you:

All secured pages should include the authorization file at the beginning:

include_once("authorize.php");

The authorization file (authorize.php) will have code like this:


<?php
require_once('Connections/cnDb.php');   // defines $cnDb (the link) and $database_cnDb

// Send the Basic-auth challenge and stop; the browser re-requests with credentials.
function authenticate() {
    header('WWW-Authenticate: Basic realm="Your site… "');
    header('HTTP/1.0 401 Unauthorized');
    print("You must enter a valid login username and password to access this resource.\n");
    exit;
}

mysql_select_db($database_cnDb, $cnDb);
// The credentials arrive in $_SERVER, not as bare globals (register_globals is off).
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    authenticate();
} else {
    // Escape both values so a crafted username or password cannot alter the query.
    $q = sprintf("SELECT username, password FROM users WHERE username='%s' AND password=PASSWORD('%s')",
                 mysql_real_escape_string($_SERVER['PHP_AUTH_USER'], $cnDb),
                 mysql_real_escape_string($_SERVER['PHP_AUTH_PW'], $cnDb));
    $r = mysql_query($q, $cnDb);
    if (!$r || mysql_num_rows($r) == 0) {
        authenticate();
    }
}

MichaelBluejay

7:18 am on Jul 17, 2004 (gmt 0)

I don't need help writing the actual access script itself, that much I can do. My question is, is having an authentication script on every single content page the best way to go? I can see some problems with that, namely that images aren't protected and then I'd have to restrict those with .htaccess -- and I'm not keen on that since there often seem to be bad side effects (images can't be opened in a new window or downloaded).

I know if I used basic htpasswd authentication then that covers everything in a directory without the need to put a script on each page or specifically deny access to images, but is it appropriate to write to the htaccess/htpasswd files directly with a Perl script? I've always been wary of writing directly to any file that starts with a dot with a script....

Thanks for your help, -MBJ-
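On the last question in the post above, whether a script may write the htpasswd file directly: the approach below, added here and not taken from the thread or any poster, keeps the script away from .htaccess entirely and only maintains the password file that AuthUserFile points at, which should live outside the web root. It takes an exclusive lock so two subscription sign-ups cannot interleave, rewrites the file to a temporary name and renames it into place so Apache never reads a half-written file, and stores the $apr1$ MD5 format that "htpasswd -m" produces, which mod_authn_file validates directly. It is written in Python rather than Perl; the file path, usernames and passwords in demo() are constructed, the lock-file name is an assumption, and it needs a Unix host for flock. The apr1 construction is weak by current standards (Apache 2.4 also accepts bcrypt entries from "htpasswd -B"), so the hashing function is here to match the file format, not as a recommendation.

```python
"""Added example: maintaining an Apache password file from a script, safely (Unix only)."""
import fcntl
import hashlib
import hmac
import os
import secrets
import tempfile

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """APR's to64(): 'count' base-64 characters, least significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ hash (the md5crypt construction with a different magic string)."""
    pw, sb = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                        # fold in the alternate hash, one byte per password byte
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n > 0:                        # per bit of the length: NUL or first password byte
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):               # the stretching loop; 1000 MD5 rounds is cheap today
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64(f[0] << 16 | f[6] << 8 | f[12], 4) + _to64(f[1] << 16 | f[7] << 8 | f[13], 4)
           + _to64(f[2] << 16 | f[8] << 8 | f[14], 4) + _to64(f[3] << 16 | f[9] << 8 | f[15], 4)
           + _to64(f[4] << 16 | f[10] << 8 | f[5], 4) + _to64(f[11], 2))
    return f"$apr1${salt[:8]}${enc}"


def check_password(password: str, stored: str) -> bool:
    """Validate a password against one $apr1$ entry, as mod_authn_file would."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored[6:].split("$", 1)[0]
    return hmac.compare_digest(apr1_md5(password, salt), stored)


def set_password(htpasswd: str, username: str, password: str) -> None:
    """Add or replace one user: lock, rewrite to a temp file, rename atomically."""
    if not username or any(c in username for c in ":\r\n"):
        raise ValueError("username must not be empty or contain ':' or newlines")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    entry = f"{username}:{apr1_md5(password, salt)}"
    with open(htpasswd + ".lock", "w") as lock:         # separate lock file (assumed name)
        fcntl.flock(lock, fcntl.LOCK_EX)                 # serialise concurrent sign-ups
        lines = []
        if os.path.exists(htpasswd):
            with open(htpasswd) as fh:
                lines = [l for l in fh.read().splitlines()
                         if l and not l.startswith(username + ":")]
        lines.append(entry)
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(htpasswd)))
        with os.fdopen(fd, "w") as out:
            out.write("\n".join(lines) + "\n")
        os.chmod(tmp, 0o640)                             # readable by the web server group only
        os.replace(tmp, htpasswd)                        # Apache never sees a half-written file


def demo() -> dict:
    """Constructed run: two users, one password change, then verify each entry."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "subscribers.htpasswd")
        set_password(path, "alice", "correct horse")
        set_password(path, "bob", "hunter2")
        set_password(path, "alice", "new password")      # replaces, does not duplicate
        with open(path) as fh:
            entries = dict(l.split(":", 1) for l in fh.read().splitlines())
        return {
            "users": sorted(entries),
            "alice_new": check_password("new password", entries["alice"]),
            "alice_old": check_password("correct horse", entries["alice"]),
            "bob": check_password("hunter2", entries["bob"]),
        }


if __name__ == "__main__":
    print(demo())
```

Two design choices worth noting: the lock lives in a separate file because the password file itself is replaced by rename, so a lock held on its old inode would not stop a second writer that opens the new one; and the script never edits .htaccess, which stays a static file under the administrator's control, so a bug in the subscription code cannot change Apache's configuration, only who is listed as a subscriber.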