Re: Re: Secure pages

You can do it with a .htaccess file, but why? You've got a very powerful
scripting language to work with...

I do it through a normal html form. Here's how I do it:

1) My login form and logic is all contained within an include file. That way,
I can include it within any page I feel should be password protected and it
automatically does everything.

2) The form action is left blank so that it will simply reload the same page
and take them to the page (and QUERY_STRING [GET] variables) they originally
intended.

3) The form contains a hidden input tag that is the controling variable.

4) I have an if statement within the login.inc.php file that checks to see if
the control variable is set... if it is, I check the login information against
my authentication scheme (usually a database).

5) If the login info is correct, then set cookies indicating that it's good
and let the page load rather than displaying the login box again. If the
login is invalid, display unset your control variable and let the login screen
load again. Of course, you should also display some type of message indicating
that the login failed.

6) Next time they hit the page where the login.inc.php file is included, it
checks the cookies to see if they have already logged in... if so... let them
by without displaying the login screen.

7) Summary of logic:
a) Check to see if "logged in" cookie exists... if so, let them through
b) If cookie doesn't exist, check if control variable (passed from HTML form)
isset
c) If control variable set, check against database, otherwise display login
screen
d) If database check of login info is valid, let them through, otherwise
display login screen

This method is very reusable... because there is no action in the form tag and
all login is within the include file, all you do is include it within any
access controled file and it works seemlessly.

-Dan

: if you are using apache web server you can try the .htaccess method. I am
: not too familar with it. I am trying to learn it myself, but from what i
: gather, you put a file called .htaccess in the dir where your web page is.
: the .htaccess file contains a path to the a file where all the user names
: and passwords are stored. whenever this dir is accessed, a window pops up
: asking for a user id and password.
:
: If anyone has more info on this, please pass it on. I am looking into
: using this as well. What i am looking to do is create a web based ftp
: application. Where users log into a web screen and can ftp files to the
: server into a certain directory own by them. I am storing the file paths
: and descriptions in a postgresql db and using php for the ftp process. Can
: I use .htaccess with this? Can I have someone log into the web page using
: .htaccess and passing their user id and password into a cookie or variable
: so i will know who they are and they don't have to re-type this when they
: ftp the file.
:
: Any help would be great.
: Thanks,
: Tim.
:
:
:
:
: Paul Joseph McGee <mcgee(at)student(dot)cs(dot)ucc(dot)ie>@postgresql.org on 03/13/2001
: 12:20:57 PM
:
: Sent by: pgsql-php-owner(at)postgresql(dot)org
:
:
: To: pgsql-php(at)postgresql(dot)org
: cc:
:
: Subject: Secure pages
:
:
: Hi everybody,
: i have a user login authentication sysytem on my machine here where users
: may view pages but to do other things the user must login. the login
: scripts seem to work ok and are based on a "Secure Authentication System"
: from www.phpbuilder.com. Basically the page where i want people to arrive
: at upon logging in is at present viewable by anyone who puts the proper
: url into their browser. how do i keep this and other pages secure from
: people who havent logged in?
: Thanks,
: Paul
:
: ---------------------------(end of broadcast)---------------------------
: TIP 2: you can get off all lists at once with the unregister command
: (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
:
:
:
:
:
: **********************************************************************
: This email and any files transmitted with it are confidential and
: intended solely for the use of the individual or entity to whom they
: are addressed. If you have received this email in error please notify
: the system manager.
:
: This footnote also confirms that this email message has been swept by
: MIMEsweeper for the presence of computer viruses.
:
: www.mimesweeper.com
: **********************************************************************
:
: ---------------------------(end of broadcast)---------------------------
: TIP 1: subscribe and unsubscribe commands go to majordomo(at)postgresql(dot)org