Setting up user login to their account page
GUI Punk
Join Date: Jan 2002
Location: S.E. Mitten
Jun 26, 2002, 08:53 PM
 
I need to know what is the easiest method of allowing a user to enter their username and password via an html form to access their own customer account. The pages are not dynamic, they are built manually by me so I just need to send them to the page from the websites homepage. There are about 50 customers and I want them to all be able to login from the same form. Please tell me whether i can do this solely with html or PHP, or ASP or what? thanks.

24" AlumiMac 2.4ghz C2D, 4g Ram, 300g HD, 750g USBHD • 80g iPod • 160g ATV • iPhone 3g
     
Grizzled Veteran
Join Date: Jun 2001
Location: Melbourne, Australia
Jun 27, 2002, 12:22 AM
 
I'd like to know, too!

I know you can protect your folders with .htaccess in Apache, but firstly it gives the ugly and insecure authentication box and secondly you can't set basic authentication within PHP to allow you to redirect a user to another folder protected with another .htaccess file. You can only test the values of the login and password, and that really isn't that much help.

A better (but more time consuming) way is to add a custom authentication script to the header of each page. This way you set up a single login page that redirects each customer to their own folder and you can (for example) test their login on each page. In PHP for example:

<?php
// Only customer1, once authenticated, may see this page
if ($loginname == 'customer1' && isAuthenticated()) {
    print "You're allowed to see this page";
} else {
    redirectToLoginPage();
}
?>

So if you've written some functions that access a database (like MySQL) and can test some session variables against that database, you can authenticate each page for each customer. There's a lot of great info at http://www.zend.com about this kind of thing, and they can explain it a lot better than me!

BUT (and there's the rub) if the pages in your customers' sites are just pure HTML pages, there's no way you can insert a script in them to authenticate them like this. You can only use the .htaccess method. Which really sucks, bigtime. It means you can only, say, give them a URL to access (like I do) - "www.test.com/client1/", "www.test.com/client2", etc. And then individually protect each folder.

Can anyone else shed some light on this dilemma?
Computer thez nohhh...
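
An added example, not part of the original post: one way the isAuthenticated() and redirectToLoginPage() helpers named above could be written with PHP sessions, with a separate check that the logged-in customer owns the page. The session key 'customer', the /login.php URL, the requireCustomer() helper and a site served over https are assumptions.

```php
<?php
// auth_guard.php: added example, meant to be included at the top of each
// protected page. The session key 'customer' and /login.php are assumptions.

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // Keep the session cookie away from page scripts and plain-HTTP requests.
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => true,
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Authentication: has this browser session logged in at all?
function isAuthenticated(): bool
{
    startSecureSession();
    return isset($_SESSION['customer']) && is_string($_SESSION['customer']);
}

function redirectToLoginPage(): void
{
    header('Location: /login.php');
    exit; // stop here so none of the protected page is sent
}

// Authorization: is the logged-in customer the owner of this page?
function requireCustomer(string $owner): void
{
    if (!isAuthenticated()) {
        redirectToLoginPage();
    }
    if ($_SESSION['customer'] !== $owner) {
        http_response_code(403); // logged in, but not this customer's page
        exit('Forbidden');
    }
}

// At the top of a page under /client1/:
//   require __DIR__ . '/../auth_guard.php';
//   requireCustomer('customer1');
```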
     
Occasionally Useful
Join Date: Jun 2001
Location: Liverpool, UK
Jun 28, 2002, 05:25 AM
 
i had to do this with asp once (yes, i know, but i was forced into using an NT box), which called the member name/password from a database. it worked fine, but that's the last time i used asp for a site.

if you look here (http://cgi.resourceindex.com/Programs_and_Scripts/Perl/Password_Protection/) and here (http://php.resourceindex.com/Complete_Scripts/User_Management/), you'll find cgi & php resources, which should give you what you want.

i would imagine that most of the cgi scripts work from a flat file db, whereas the php ones will probably use mysql to store the info. if you can, i'd definitely recommend the latter, but if the server you're using doesn't have php installed, then the cgi method should be fine. you can just call it from a normal html page

i probably still have those asp scripts somewhere here, so if you need them, shout me and i'll dig them out
"Have sharp knives. Be creative. Cook to music" ~ maxelson
     
Addicted to MacNN
Join Date: Sep 2000
Jun 29, 2002, 10:10 AM
 
I would highly consider just using a .htaccess file. It's easy, and while not totally secure, provides enough security in most cases.

If you do go with a full fledged authentication system:

Either PHP or Perl would be adequate. It really is personal preference.

You can use a flat-file DBM, or mySQL database. If you have a lot of users, mySQL would be better since you can query, whereas flat-file the whole file is loaded into RAM and searched.

It's basically a matching game:

a form uses POST to submit a $username and $password...

code:
    search database for $username...
    if found, match $password with $password...
    if failed "wrong password"...
    if found (redirect via header's Location: option)
    if not found "not valid user"....

It's not very complex. By using a connection over https: you provide encryption for transmission of data (just replace http: with https

You can encrypt data in the database such as passwords using crypt() (or appropriate function)... if you do, save to database the encrypted data, then take whatever the user entered password is, encrypt it, and match... if it's the same, the password works.
I always use protection when fscking my Mac... Do you?
     
Mac Elite
Join Date: Mar 2001
Jun 29, 2002, 08:59 PM
 
If you want to do it with asp or asp.net then reply. I use asp and asp.net all day on a real extranet (vs. some of these guys who dabble with php and mysql because it's not microsoft, and don't know the difference between authentication and authorization).

-Raman
     
swiz  (op)
GUI Punk
Join Date: Jan 2002
Location: S.E. Mitten
Jun 29, 2002, 09:53 PM
 
Originally posted by philzilla:
> i had to do this with asp once (yes, i know, but i was forced into using an NT box), which called the member name/password from a database. it worked fine, but that's the last time i used asp for a site.
>
> if you look here (http://cgi.resourceindex.com/Programs_and_Scripts/Perl/Password_Protection/) and here (http://php.resourceindex.com/Complete_Scripts/User_Management/), you'll find cgi & php resources, which should give you what you want.
>
> i would imagine that most of the cgi scripts work from a flat file db, whereas the php ones will probably use mysql to store the info. if you can, i'd definitely recommend the latter, but if the server you're using doesn't have php installed, then the cgi method should be fine. you can just call it from a normal html page
>
> i probably still have those asp scripts somewhere here, so if you need them, shout me and i'll dig them out

I'm using MySQL and PHP, I've actually located a script set which does everything I want EXCEPT, it redirects all users to the same URL whereas I want it to redirect them to their personal page. The script uses a header string like this:
Header("Location: $psl_starturl?".SID);
...the $psl_starturl references a single URL in the config file.
I've got a column in my DB titled "URL" and have tried switching the header string to:
header('Location: '$username['URL']");
and I also tried
header('Location: '.$username['URL']);
with no luck yet. Any advice?

BTW, thanks for the link to the PHP Resource index, I've been a huge fan of the CGI Resource for a long time and never knew there was one for PHP.

[ 06-29-2002, 10:57 PM: Message edited by: swiz ]

24" AlumiMac 2.4ghz C2D, 4g Ram, 300g HD, 750g USBHD • 80g iPod • 160g ATV • iPhone 3g
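
An added example, not code from the thread or from the script set mentioned above: the username/password "matching game" described earlier in the thread combined with the per-customer redirect asked about here, reading the URL from the fetched database row. It returns the same failure for an unknown user and a wrong password, and uses password_hash()/password_verify() in place of calling crypt() directly. The in-memory SQLite database (standing in for MySQL), the table and column names, the sample passwords and the checkLogin() helper are all assumptions made for the example.

```php
<?php
// Added example. Constructed stand-in for the MySQL table: an in-memory SQLite
// database with hypothetical columns username, pw_hash and url.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (username TEXT PRIMARY KEY, pw_hash TEXT, url TEXT)');
$add = $db->prepare('INSERT INTO customers VALUES (?, ?, ?)');
$add->execute(['customer1', password_hash('sample-pass-1', PASSWORD_DEFAULT), '/client1/']);
$add->execute(['customer2', password_hash('sample-pass-2', PASSWORD_DEFAULT), '/client2/']);

// Returns the customer's own start URL on success, null on any failure.
function checkLogin(PDO $db, string $username, string $password): ?string
{
    $q = $db->prepare('SELECT pw_hash, url FROM customers WHERE username = ?');
    $q->execute([$username]);
    $row = $q->fetch(PDO::FETCH_ASSOC); // the URL lives in the fetched row, not in $username
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null; // same answer for an unknown user and a wrong password
    }
    // Redirect only to a path on this site, never to a full URL from the table.
    if (!preg_match('#^/(?!/)[A-Za-z0-9_./-]*\z#', $row['url'])) {
        return null;
    }
    return $row['url'];
}

if (PHP_SAPI === 'cli') {
    // Constructed checks so the file can be run from the command line.
    var_dump(checkLogin($db, 'customer1', 'sample-pass-1'));
    var_dump(checkLogin($db, 'customer1', 'wrong-pass'));
    var_dump(checkLogin($db, 'nobody', 'sample-pass-1'));
} else {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    $url = (is_string($user) && is_string($pass)) ? checkLogin($db, $user, $pass) : null;
    if ($url === null) {
        http_response_code(401);
        exit('Login failed');
    }
    session_start();
    session_regenerate_id(true); // fresh session id once the login succeeds
    $_SESSION['customer'] = $user;
    header('Location: ' . $url);
    exit;
}
```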
     
Registered User
Join Date: Jul 2000
Location: Newcastle, Australia
Jun 30, 2002, 09:04 PM
 
Originally posted by Raman:
> If you want to do it with asp or asp.net then reply. I use asp and asp.net all day on a real extranet (vs. some of these guys who dabble with php and mysql because it's not microsoft, and don't know the difference between authentication and authorization).

Chip on shoulder much? Yeah, there's a lot of dabblers - it's what makes the web so much fun - it doesn't make them less intelligent, or undeserving of you posting tips back here. The theory behind any page-based authorisation mechanism should be the same between languages - it's just the code that's different. Anyone who thinks one dynamic display language is better than another has some learning to do - often the underlying architectures/servers have problems, but the most you will get out of any of these languages is a way to display data to the web.

Go look @ macromedia's dev exchange or do a google search for authorisation schemes in your language of preference. I think other ppl here have covered this topic quite well, but if you're looking @ doing this properly, there are a lot of issues to do with security (ie. URL encoded vars vs. cookie-based vars, etc.) - and you can build a sufficiently secure setup without resorting to ssl (although it's fairly trivial matter to setup ssl on most webservers these days).

Anyhoo, now I'm just getting argumentative - I just didn't want anyone getting the impression that one language was better than another for something this simple.
     
Fresh-Faced Recruit
Join Date: May 2002
Location: Ft Lauderdale
Jun 30, 2002, 09:53 PM
 
Originally posted by neoTony:
> there are a lot of issues to do with security (ie. URL encoded vars vs. cookie-based vars, etc.) - and you can build a sufficiently secure setup without resorting to ssl

Some questions regarding security:
1) Using PHP/MySQL is there a safe way to get credit card no.'s w/o SSL? Could you use the built-in password() encryption function on a credit card no.?
2) Say you have a web host set-up for SSL, do you just need to call your pages/scripts that get the credit card with https? Or is there more to it?
     
Registered User
Join Date: Jul 2000
Location: Newcastle, Australia
Jun 30, 2002, 10:41 PM
 
Originally posted by Vasudevelopa:
> Some questions regarding security:
> 1) Using PHP/MySQL is there a safe way to get credit card no.'s w/o SSL? Could you use the built-in password() encryption function on a credit card no.?
> 2) Say you have a web host set-up for SSL, do you just need to call your pages/scripts that get the credit card with https? Or is there more to it?

I wasn't really referring to CC transactions/information. You really would want to use SSL for that. For a standard user login, it really isn't necessary, but when you're dealing with money....eek! SSL or nothing - it just wouldn't be worth the effort to try encoding the CC number - you'd have to do it @ the client end using javascript if you weren't using a secure connection, and even then, you'd have to use some form of md5 or hashing algorithm....not worth the effort when you could just switch on SSL on your server.

AFAIK, (at least in the limited work I have done with SSL), once SSL is running, any communication between the browser and the server is secure. Of course that doesn't cover any communication you may then make between the server and your db, or another server. Switching on SSL, and referencing the page with a https://www.something.com/page.jsp instead of a http://www.something.com/page.jsp should be sufficient.

[ 06-30-2002, 11:45 PM: Message edited by: neoTony ]
     
Grizzled Veteran
Join Date: Jun 2001
Location: Melbourne, Australia
Jun 30, 2002, 10:56 PM
 
Originally posted by Raman:
> If you want to do it with asp or asp.net then reply. I use asp and asp.net all day on a real extranet (vs. some of these guys who dabble with php and mysql because it's not microsoft, and don't know the difference between authentication and authorization).
>
> -Raman

You're right. What was I thinking trying to help this guy out?

Computer thez nohhh...
     
Junior Member
Join Date: Jul 2002
Location: Hang Loose, Hawaii
Jul 10, 2002, 03:37 AM
 
Originally posted by neoTony:
> AFAIK, (at least in the limited work I have done with SSL), once SSL is running, any communication between the browser and the server is secure. Of course that doesn't cover any communication you may then make between the server and your db, or another server. Switching on SSL, and referencing the page with a https://www.something.com/page.jsp instead of a http://www.something.com/page.jsp should be sufficient.

If i stored a CC number on a MySQL db starting from a SSL-enabled script, it would still be safe because the info is staying in the same hard drive where the script was loaded in the first place (the server).

don't you have to have a secure certificate from either Verisign or Thawte to use SSL?
Can I have that cookie?
     
Clinically Insane
Join Date: Nov 1999
Jul 10, 2002, 11:57 AM
 
Originally posted by ilukas:
> don't you have to have a secure certificate from either Verisign or Thawte to use SSL?

You don't have to, per se. You can make your own self-signed certificates. However, people aren't as likely to trust you. Browsers know Verisign and Thawte, and will alert the user if you don't have a cert signed by them. However, the user can still browse your site if they want to.

In practice, though, it's better to get a secure cert if you can. That way your users' browsers won't keep warning them. That tends to annoy users.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
All times are GMT -5.
All contents of these forums © 1995-2011 MacNN. All rights reserved.