# website secure login



## tmjhayward (Jul 17, 2005)

Hello all! I have a website that currently has 11 pages. The usual home, contact us, about us, etc, will be open to anyone. However, several pages will need to be protected because users need to meet specific eligibility criteria to be able to view product information and place orders. Eligibility will be determined through database tables populated from state licensing data, among other information. So, I have a 'few' questions.

1. I'm assuming I will need to create my own php script (or find one to use) to do the authentication part. Is this as simple as creating a login form for the user to enter the information required to verify eligibility, and then doing the authentication against my database? 
2. Once they're authenticated, could I use something like .htaccess to handle/save the ID and password? I haven't read a lot about this yet, so I'm not sure exactly how to use it, but guess I'll figure it out. (I found a site that looks promising - http://www.javascriptkit.com/howto/htaccess.shtml - hope it is!) 
3. Once a user has logged in, they should be able to go to any page on the site until they log out. Do the 'public' and 'login-required' pages need to be kept in separate directories on my host site in order to do this? Does the .htaccess process keep the user logged in to all of the pages as long as the website is still open or would I need to do something else?
4. Can I create a 'time-out' feature so that if the site is left open too long without any activity it will log out? I've seen where you can set a session timeout in .htaccess, but wasn't sure if this is only after inactivity, or if it's from the time the user logged in. Can anyone clarify this?
5. I will want some type of automatic login expiration, requiring the user to re-authenticate every so often (ie, after 6 months or a year). I'm assuming this could be done just by including an expiration date in the 'password' database based on their last authentication date, and then rejecting any login on or after that date (obviously providing a popup requiring them to go thru the authentication process again). Is this simplifying it too much, or would I be okay with this?

I know I asked a lot of questions (sorry if it was too many for one post) but any advice anyone can give me would be greatly appreciated! Thanks much as usual!!!

MJ


----------



## Sequal7 (Apr 15, 2001)

tmjhayward said:


> 1. I'm assuming I will need to create my own php script (or find one to use) to do the authentication part.


This is possible, but not necessary; if you are on a Linux server, the .htaccess file can handle that with a htpasswd file and a protected directory....


tmjhayward said:


> Is this as simple as creating a login form for the user to enter the information required to verify eligibility, and then doing the authentication against my database?


Again, yes, very easy to protect pages using a php session.


tmjhayward said:


> 2. Once they're authenticated, could I use something like .htaccess to handle/save the ID and password? I haven't read a lot about this yet, so I'm not sure exactly how to use it, but guess I'll figure it out. (I found a site that looks promising - http://www.javascriptkit.com/howto/htaccess.shtml - hope it is!)


.htaccess along with .htpasswd store client information that you set and allow you to define who sees in your directory (all pages and content within it are protected)


tmjhayward said:


> 3. Once a user has logged in, they should be able to go to any page on the site until they log out.


Yes, they can browse all areas of your site.


tmjhayward said:


> Do the 'public' and 'login-required' pages need to be kept in separate directories on my host site in order to do this?


Yes, it protects directories and files within them 


tmjhayward said:


> Does the .htaccess process keep the user logged in to all of the pages as long as the website is still open or would I need to do something else?


Again, yes...


tmjhayward said:


> 4. Can I create a 'time-out' feature so that if the site is left open too long without any activity it will log out? I've seen where you can set a session timeout in .htaccess, but wasn't sure if this is only after inactivity, or if it's from the time the user logged in. Can anyone clarify this?


Your server will handle this, usually set for 15 minutes but it depends on your webhost, they vary but all timeout. This being said, you can expire them yourself in the .htaccess file using mod_expires


tmjhayward said:


> 5. I will want some type of automatic login expiration, requiring the user to re-authenticate every so often (ie, after 6 months or a year). I'm assuming this could be done just by including an expiration date in the 'password' database based on their last authentication date, and then rejecting any login on or after that date (obviously providing a popup requiring them to go thru the authentication process again). Is this simplifying it too much, or would I be okay with this?


As above, not necessary but yes you can define if your server does not.


tmjhayward said:


> I know I asked a lot of questions (sorry if it was too many for one post) but any advice anyone can give me would be greatly appreciated!


Yes, you sure had a list there, hope I helped


tmjhayward said:


> Thanks much as usual!!!
> 
> MJ


NP 

Cheers


----------



## tmjhayward (Jul 17, 2005)

Thanks, Sequal7, for all of the info. On ques #1 - Doesn't .htaccess just verify the id and password once it's created? I guess I'm really looking at doing 2 processes here. A register process and a login process. Say that my users need to be licensed in a certain area (therefore have a license #), as well as have additional credentials (which would be some type of ID#) both of which I would have to verify against a database (either my own or against available databases for those particular professions). This would be the registering process. Only if the registration was successful would I then allow them to create a login ID and password. Can .htaccess handle the registration part? Or do I have to do that myself first (ie, php script), and then have htaccess handle the creation/storing/validation etc of the login ID and password the user creates? As I mentioned, I haven't looked at htaccess very closely yet, so if I will find all of this out once I do, just tell me.
One more question - for the pages requiring login - is this as simple as having some standard code on each of these pages that checks to see if the user has successfully logged in (again, if this will be explained when I actually read up on htaccess, just tell me!) and just allow them to go there without any additional verification? And just providing a popup for those unauthorized, preventing their access?

Thanks again - all of this is greatly appreciated!
MJ


----------



## Sequal7 (Apr 15, 2001)

No, the .htaccess denies access to the folder if it is set to

```
AuthType Basic
AuthName "restricted area"
AuthUserFile /var/www/html/.htpasswd
require valid-user
```
, and references the .htpasswd file for access permissions.

In php (all other scripts as well) you add code to the header of the page,

```
<?php
// start (or resume) the session before any output is sent
session_start();
// no logged-in user in the session: send the visitor to the login form
if(!isset($_SESSION["username"]))
{
   header('Location: login.php');
   exit;
}
?>
```
 that checks the sessional value, and if set allows the page to be viewed, if not set, it redirects to a login page.

.htaccess denies viewing of folders, not files. If you want to protect files in different areas (like in your root folder for example) then you should use php (or some other scripting language) to create, store and modify users. This method, you add the session data to the pages (regardless of where they are in your site) and if they are not logged in it will bounce them to a page (error, login, ooops etc) that you specify.

Try a sample of a very simple php login on my site.

Try to access this page:
You will get an error and be redirected to the login page.

Then try to login using user1 and pass1, you will enter the success page. That is done with php. Now, allowing users to sign up will require some more code that has a form, authorization and storage methods. Still pretty easy to set up, but requires more programming to make it work and perhaps a database (most secure) or a flat text file (less secure)
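A fuller version of the session check above, written as an added example rather than Sequal7's demo code: it handles the inactivity timeout (question 4) and the periodic re-authentication (question 5) in PHP, so protected pages can live in any directory. It assumes a PDO connection `$pdo` to a MySQL `users` table with columns `username`, `password_hash` and `last_auth`, and an `IDLE_LIMIT`/`REAUTH_LIMIT` of 15 minutes and about 6 months; all of these names and values are assumptions.

```php
<?php
// Added example (not from the thread): login plus a per-page check that
// enforces an idle timeout and a periodic re-login. Assumes $pdo is a
// PDO connection to a MySQL "users" table with columns username,
// password_hash (from password_hash()) and last_auth (DATETIME).
ini_set('session.cookie_httponly', '1'); // session cookie hidden from JavaScript
session_start();

const IDLE_LIMIT   = 15 * 60;            // log out after 15 minutes without activity
const REAUTH_LIMIT = 180 * 24 * 60 * 60; // force a fresh registration after ~6 months

function login(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT password_hash, last_auth FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the account is unknown so an
    // unknown user takes about as long to reject as a wrong password.
    $hash = $row ? $row['password_hash'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!$row || !password_verify($pass, $hash)) {
        return false;
    }
    // Question 5: reject logins whose last authentication is too old;
    // re-registration (eligibility check) is what resets last_auth.
    if ($row['last_auth'] !== null && time() - strtotime($row['last_auth']) > REAUTH_LIMIT) {
        return false;
    }
    session_regenerate_id(true);         // fresh session id after login (anti-fixation)
    $_SESSION['username']  = $user;
    $_SESSION['last_seen'] = time();
    $pdo->prepare('UPDATE users SET last_auth = NOW() WHERE username = ?')->execute([$user]);
    return true;
}

// Put this at the top of every login-required page, wherever it lives;
// it replaces the bare isset() check and adds the idle timeout (question 4).
function require_login(): void {
    if (!isset($_SESSION['username'], $_SESSION['last_seen'])
        || time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        session_unset();
        session_destroy();
        header('Location: login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();    // any request resets the idle clock
}
```

The idle clock is measured from the last request, not from login, which answers the inactivity-versus-login-time question in the thread.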


----------



## tmjhayward (Jul 17, 2005)

Thanks again for the info. I'll be working on it this weekend!
MJ


----------

