Posted by Carl Pearson on 01/10/07 15:32
dorayme wrote:
> Could someone kindly recommend either a simple tute on the
> subject or else a simple guide of the steps to be taken to make a
> login page for a website so that a few password issued people can
> view a particular set of pages or section of a website. It is not
> needed to be like Fort Knox, just a simple thing like say a
> commercial site where only wholesale customers are allowed into
> some set of pages giving special information for their eyes only.
>
> I suppose it depends on the type of server as to what is best,
> but assume a Unix with PHP enabled. I have got to the stage of
> being able to use php includes both for Unix commercial servers
> and my own on my Mac (in no small measure due to guidance on this
> ng a while back).
>
> I am easily blinded by science! I know roughly what an .htaccess
> file is and I have access to more than this on my own server, but
> not more on commercial servers that host various sites I have
> made or maintain.
>
There are a plethora of canned scripts out here to do this. Google "php
authorize user".

Below is some code I've been using for a few years. It probably needs
updating.

You'll need a database, to store the user's info (name, password,
allowable group, etc.)

Embed a script in every page for which you may wish to restrict access,
which calls a validation function. This function compares some cookies
that get set when the user has first successfully logged in.

You store the user name in the cookie, not the password. The successful
login routine sets the cookie by testing to see if the password the user
has entered matches the one in your database for that user.

If the user cookie is blank (unsuccessful login), the validation routine
automatically fails.

You might at the same time set another cookie for a 'group' (or some
other kind of identifier so that only certain users can see certain
portions of the site). That would be another field in the database.

If the user var exists, and the group is OK, the page gets loaded.
Otherwise you re-direct to another page telling the user there's a problem.

For pages that can be accessed by multiple groups, your authorize
function could be passed a comma-delimited list of allowable groups for
that page. Using the Explode function you could parse out the groups
that can see that page, and if the group cookie for that logged-in user
is in that list, go ahead and load the page. Otherwise re-direct.

This code could be improved, as the redirect is using javascript
(client-side), which involves another call to the server to load the
redirected page. Since you'll know on the server-side whether or not
the user is authorized, you could just as easily do an include of the
redirected page instead of letting the results get all the way down to
the user and then having javascript ask for the new one...

<?php
require_once("path/to/your/script.php");
AuthorizeUser("ALL");
// or
// AuthorizeUser("Admin, Guest, Accounting, AndSoOn");
// Rest of page...
?>
Here are some auth functions you can try (plus a couple of others on
which they are dependent). Or roll your own...
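<?php
// $_SESSION is only populated once the session has been started.
if (session_id() == "")
{
    session_start();
}

// Authorizes user based on group, redirects if necessary.
function AuthorizeUser($OK_Groups)
{
    // "ALL" admits any logged-in user that has a group set.
    if ($OK_Groups == "ALL" && isset($_SESSION['Group']) && $_SESSION['Group'] != "")
    {
        return;
    }
    else
    {
        // Name of your re-direct page if authorization fails.
        $Redirect = "path/to/redirect_page.php";
        // Read the query string from $_SERVER (no register_globals needed).
        $QS = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : "";
        if (!(isset($_SESSION['User']) && isset($_SESSION['Group'])
            && isAuthorized("", $OK_Groups, $_SESSION['User'], $_SESSION['Group'])))
        {
            $Self = Self();
            // strpos() returns 0 for a match at the start, so compare with false.
            if (strpos($Redirect, "?") !== false)
            {
                $QA = "&";
            }
            else
            {
                $QA = "?";
            }
            if (strlen($QS) > 0)
            {
                $Self .= "?" . $QS;
            }
            // Redirect whether or not the request carried a query string.
            $Redirect = $Redirect . $QA . "accesscheck=" . urlencode($Self);
            Redirect($Redirect);
        }
        return;
    }
}

// Tests to see if selected user is a member of selected group
// Both $Users & $Groups can be either a single entry
// or a comma-delimited string of allowable choices.
// (i.e., $Users = "Bill", $Groups = "Admin"
// or $Users = "Bill, Sally", $Groups = "Admin, Guest")
// An empty $Users string means no per-user restriction.
function isAuthorized($Users, $Groups, $User, $Group)
{
    // Trim each entry so "Admin, Guest" matches the group "Guest".
    $UserList  = array_map('trim', explode(",", $Users));
    $GroupList = array_map('trim', explode(",", $Groups));
    $UserOK = (trim($Users) == "") || in_array($User, $UserList, true);
    return ($UserOK && in_array($Group, $GroupList, true));
}

// Returns name of currently executing script.
function Self()
{
    return $_SERVER['PHP_SELF'];
}

// Redirects user to another page.
function Redirect($Url = "/")
{
    // json_encode() quotes the URL as a JavaScript string, so characters in
    // it (PHP_SELF and the query string come from the request) cannot
    // close the string or the script element.
    echo "<script language='JavaScript'>document.location.href="
        . json_encode($Url) . "</script>";
    exit;
}
?>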
HTH
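
Added example, not part of Carl Pearson's post: one way to write the login step the post describes but does not show, plus a check on the accesscheck return target that AuthorizeUser() appends to the redirect. The names CheckLogin and SafeReturnPath, the users table and the sample account are hypothetical and constructed for illustration; it assumes the pdo_sqlite extension.

```php
<?php
// Returns array('User' => ..., 'Group' => ...) on success, false otherwise.
function CheckLogin(PDO $Db, $Name, $Password)
{
    // Prepared statement: the submitted name never becomes part of the SQL.
    $Stmt = $Db->prepare("SELECT name, pw_hash, grp FROM users WHERE name = ?");
    $Stmt->execute(array($Name));
    $Row = $Stmt->fetch(PDO::FETCH_ASSOC);
    // The table holds a password_hash() value, never the password itself.
    if ($Row === false || !password_verify($Password, $Row['pw_hash']))
    {
        return false;
    }
    return array('User' => $Row['name'], 'Group' => $Row['grp']);
}

// Accepts only a local path ("/..." but not "//host" or "/\host") as the
// accesscheck return target, so the login page cannot bounce visitors off-site.
function SafeReturnPath($Target, $Default = "/")
{
    if (!is_string($Target) || !preg_match('#^/(?![/\\\\])[^\r\n]*\z#', $Target))
    {
        return $Default;
    }
    return $Target;
}

// Constructed sample data: in-memory SQLite table with one wholesale user.
$Db = new PDO("sqlite::memory:");
$Db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$Db->exec("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, grp TEXT)");
$Db->prepare("INSERT INTO users VALUES (?, ?, ?)")
   ->execute(array("bill", password_hash("sample-password", PASSWORD_DEFAULT), "Wholesale"));

// Simulated form submission (constructed values).
$Login = CheckLogin($Db, "bill", "sample-password");
if ($Login !== false && PHP_SAPI !== "cli")   // sessions need a web request
{
    session_start();
    session_regenerate_id(true);   // new session id once the user is known
    $_SESSION['User']  = $Login['User'];
    $_SESSION['Group'] = $Login['Group'];
}
var_dump($Login);
var_dump(CheckLogin($Db, "bill", "wrong-password"));
var_dump(SafeReturnPath("/wholesale/prices.php?id=3"));
var_dump(SafeReturnPath("//other-site.example/"));
```

The user and group live in the server-side session, which is what the posted AuthorizeUser() reads; a plain cookie holding the user name could be set by the visitor.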