A Member System in PHP with some extras

[kees]

This article describes a login/member system using PHP. Some characteristics are:
- No database needed;
- Each member can be redirected to a specified page;
- Members can be assigned to hierarchical levels;
- Editable guiding messages.
At least two pages are needed: the login page and a protected page. Usually there will be more protected pages, depending on your website structure.

I - The login page
The page name should be: login (using the Site Manager)
The file extension should be: php (using the Page Properties dialog)

First we make a login form.
1. Draw a Form Area and change the Form Properties to:
- Action: empty (remove all text)
- Method: POST
- Encoding type: empty (remove all text)
2. Put an Editbox onto the Form Area. Bring up its Editbox Properties dialog and change it to:
- Name: username
3. Put another Editbox into the Form Area. Bring up its Editbox Properties dialog and change it to:
- Name: password
- Password Field: Yes
4. Put a Push Button onto the Form Area. Bring up the Button Properties dialog and change it to:
- Button type: Submit

Second we create a Text object for the messages, preferably just above the form.
5. Draw a Text Object and insert:

Code: Select all

'.$message[$status].'

6. Bring up the Text Object HTML dialog.
- Select Before Tag and insert:

Code: Select all

<?php echo '

- Select After Tag and insert:

Code: Select all

'; ?>

Third we insert the main php script.
7. Bring up the Page HTML dialog, select Start of Page and insert:

Code: Select all

<?php
$member['John'] = array('pw'=>'1234' , 'level'=>2 , 'pp'=>'./red_page.php');
$member['Tim']  = array('pw'=>'pw33' , 'level'=>2 , 'pp'=>'./blue_page.php');
$member['Lisa'] = array('pw'=>'OhNo' , 'level'=>1 , 'pp'=>'./green_page.php');
$message[0] = 'Please log in.';
$message[1] = 'Bad login. Please try again.';
$message[2] = 'You have been logged out.';

# No edits beyond this line
session_start();
$status = 0;
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  $username = isset($_POST['username']) ? $_POST['username'] : '';
  $password = isset($_POST['password']) ? $_POST['password'] : '';
  if (isset($member[$username]) && $member[$username]['pw'] == $password) {
    $_SESSION['logged_in'] = true;
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['level'] = $member[$username]['level'];
    header('Location: ' . $member[$username]['pp']);
    exit;
  }
  $status = 1;
}
elseif (isset($_SESSION['logged_in'])) {
  unset($_SESSION['logged_in']);
  unset($_SESSION['ip']);
  unset($_SESSION['level']);
  $status = 2;
}
?>

Notes:
- Please study the first lines of the script and discover its structure.
- Each member has one line of data. If you create more member lines, be sure that each member has a unique name (case sensitive!).
- After 'pw'=> the members password comes.
- After 'level'=> the members level comes.
- After 'pp'=> the members protected page comes.
- What is the use of the 'level' option? Imagine you have two pages: staff and management. Then give all staff members level 1, and give all management members level 2. This way staff members can only visit their pages. But management members can visit both pages, because they have a higher level.
- If you don't want to use levels, set the level to 1.
- The lines holding $message[x] can be edited.

II - A protected page
Now we create one protected page. Before a page is sent, some checkes are done to be sure that the visitor is allowed to see the page.
- The page names must correspond with the protected pages (as defined in the main script).
- The file extension should be: php

1. Bring up the Page HTML dialog, select Start of Page and insert:

Code: Select all

<?php
$required_level = 1;

# No edits beyond this line
session_start();
if (!isset($_SESSION['logged_in'],$_SESSION['ip'],$_SESSION['level'])
  || $_SESSION['ip'] != $_SERVER['REMOTE_ADDR']
  || $_SESSION['level'] < $required_level ) {
  header('Refresh: 5; url=./login.php');
  echo '<b>You are not allowed for this page.</b><br>';
  echo '<a href="javascript:history.back()">Go Back</a> or <a href="./login.php">Login</a>';
  exit;
}
?>

2. If you want to add a logout option, just redirect your visitors to the login page. You can use a menu, a hyperlink, an image, etc.

Notes:
- For each page that you want to protect, these steps should be followed.
- The variable $required_level holds the required level for this page.
- The sentences can be edited or translated, but take care of the right syntaxis!

Download the example here

Updated
14-04-08 Simplified code for protected page (step II-1).
23-05-08 Added example download.

[star57]

Kees
I tried out using the steps and they work wonderful Thanks for the post.

Question? I am building a "Coupon Discount " page for Distributors. Each Distributor will have a special discount price list page for a range of sales, the more sales the better discount. I have 5 pages of discounts. So here is the question, can this be modified to only have one login for a coupon code. I tried no password then no username, no luck.

Thanks

Update
Found a work around, Use "password" for every password. set the initial value to password. Make the font color the same as the back ground. Use a custom boarder and select the value to 0, Set the edit box to tranparency. then move the submit button over the password field to hide it even more. and your done, works perfect.

[kees]

The member system in this topic was based on http://www.wysiwygwebbuilder.com/password_protect.html

Several times on this forum there was this question: how can I redirect each member to his own page?
That's what my script does.

I know that there are very many login sytems available around the internet. Each has its pros and cons. Maybe my script is useful for someone.

[kees]

There are a lot of possibilities if you want to password protect (parts of) your site. If your are confident about your method, please be happy

If you want to try one of the other ways, just try it and decide what's the best for you.

[madjamonline]

No, they can't see the data, becuase it's PHP all ascript will be exected on the server, it will not be sent to the browser.

I agree, however nothing is safe in this world anymore... there will always be a way.

I always make sure that my pwds in php are MD5'd.
To MD5 a password in php, do this function:

Code: Select all

<?php
// MD5 example:
// echo md5('mypwd'); will md5 the password "mypwd"

echo md5('mypwd');

// It will output: 318BCB4BE908D0DA6448A0DB76908D78
?>

I hope this helps:D

[kees]

...nothing is safe in this world anymore... there will always be a way.

I always make sure that my pwds in php are MD5'd.

madjamonline,

I agree that hashing passwords (md5, sha1) is more secure. I didn't use this technics in order to keep it clear for WebBuilder users.

Of course I and you will understand that NASA will not use my script

[bjlolmaugh]

Hi Kees,

When setting up the 2 different pages (login.php) and the password protected page (.php), do I have to name the login page "login.php", or can I give it a different name, like "video1login.php"?

Then next question, based on this first question, if I gave it a different name, then I would obvious need to make some alterations to the PHP code to change all reference to "video1login.php". Yet your PHP script says to not make any edits after a certain point. I would need to change the script, wouldn't I ?

P.S. I plan on having more then 1 password protected page on a particular website.

[kees]

You can name the login page as you like.

Note that 'login.php' also exists (twice) in the protected page script. So if you name your login page 'video1login.php', this name should also entered in the protected page script.

[Nanno]

So far I know, You can only protect a pdf file with a .htaccess security in the root of the folder.

Greetings,


Nanno

[Nanno]

If you put a php security script in the start of the page, then is every link on that page secure to find. Also for search engines.
But a file like pdf on the server will be find with Google. There is no link for needed.

It's up to you.

Maybe you have search the internet for a better solution.

Greetings,

Nanno

[me.prosenjeet]

If a member of level 2 logs in, how does he or she gets access to pages of Level 1? I mean, after loggin in he will be redirected to his level 2 page only. Do we put links to the Level 1 pages on his page so he may have direct access to them?

[kees]

Wait!

There is a way. You can add a 'target' attibute to the login form.

How?
1. Bring up the Form's Object HTML dialog.
2. Select 'Inside Tag' and insert:

Code: Select all

target="InlineFrame1"

[kevinp]

Once the password has been stored in the text file as a general string of characters for security can it be converted back to the original password, say for instance if the user forgot the password and submited a reminder request. Hope this makes sense.

[Navaldesign]

Once the password has been stored in the text file as a general string of characters for security can it be converted back to the original password, say for instance if the user forgot the password and submited a reminder request. Hope this makes sense.

Password encryption is made for security reasons, so if someone, in some way, hacks your database (or database file) the password he finds is NOT the one that will allow him to enter a user's area.

With this said, since the most common encryption algorithms use the sha1 or the md5 algorithms, there is no (practical) way to convert the encrypted passwords back to the non encrypted format.

For this reason, usually, in authentication scripts, there is a automatic RESET PASSWORD feature: the user requests his password, and the script automatically creates a new one. It stores it in the same or some different table (in it's encrypted form) and sends the user an email to his registered email address, with the new password. If the user clicks on the verification link, the script automatically replaces the old password with the new one (always ENCRYPTED). The user can then login in his personal area to change the automatically generated password with one he likes.

[kevinp]

Of course, that would make sense. Thanks for the insight.

[cmsintent]

This is weird... I have used the password script program with success for a few sites.

Works well except for the last site - I constructed the site and all was well. I then added 5 new pages to the site and found that those pages are not protected.

EG:

I have a paged called noticesandminutes.php (can't access unless you have passwords)

I have another page called zskylights.php linked from the Notices and Minutes page (the skylight can be accessed without passwords)

It appears it is the 5 new pages that I added recently that are not protected.

All the pages, new and old are in the same folder.... any thoughts?

Thanks.

[kees]

PHP can not protect folders, just single pages.

For all pages that need 'protection' you should follow step II-1 (A protected page).

[madjamonline]

...nothing is safe in this world anymore... there will always be a way.

I always make sure that my pwds in php are MD5'd.

madjamonline,

I agree that hashing passwords (md5, sha1) is more secure. I didn't use this technics in order to keep it clear for WebBuilder users.

Of course I and you will understand that NASA will not use my script

Sorry for the late post! Yeah I agree. I made a suggestion that the password protect in Wb6 should have MySql database support because with all of my members areas, there is soooo much code! I decided I am going to make a professional extension suite for members areas for WB6 so I will be sharing that with you all when it is done. It will have support for remember me functions, admin areas, extra user fields, profile info for user, database support (mysql) and more! Of course it is going to take a while...

[Navaldesign]

Not sure what you mean...

If you want a specific landing page (password protected) to be available to all members (both simple members - 1 - and Admins - 2 - ) set the required level to 1 and place the code in the start of page. That's all.

The same goes for ALL pages where all members should have access.

If, instead, you only want the Admins to be able to see the page set the required level to 2.

Or maybe I misunderstood ??

[madjamonline]

Oops you believe right!
I observed the php and worked out that it is the higher the more status!

[Navaldesign]

Please note that unless you need sorting and exporting features that go beyond a free script limits, the file system that is used (as well as that that is embedded in WB6) are quite enough. On a randomly created 20.000 members archive file, i have a 0.5 secs delay compared to a MySQL DB driven script. Of course, a file based script is not intended for such volumes....

[madjamonline]

I use a mysql database too

[Navaldesign]

There is no doubt that a DB driven script is far better. However, it is also true that the simlicity of a file driven extension is FAR better, as the user have nothing else to do than publish their pages!

[madjamonline]

ahh okay!!!
I better get it done then lol!

[madjamonline]

This members system is good.
My mysql extension is going well but it is taking a bit longer than estimated!

[madjamonline]

I have thought of an easier idea. Insted of having to enter the field names etc into each object, there will be a DB connection object that you insert on each page as well.

[kees]

The 'Member System' and the 'News Writer' have no relationship, they work independent.

[kees]

At the end of the tutorial there is a download link for a working example. Does that help you?

[bry]

Very interesting. I read through the whole thing but not having a particular problem and never having done a password protection, it was more of academic interest than anything.

However, I have a design upcoming very soon where password protection is required.

General questions...

Will the "members" have to re-enter their passwords to access multiple pages?? I gather I shouldn't use cookies so is there an alternative?

In this situation, I don't know of any reason for individual passwords. It is really more a matter of keeping non-members out of certain pages.

I was thinking in terms of a portal page with member pages being hidden, but maybe that is all wrong. I haven't gotten to the point of design yet so I really haven't given this any serious study yet but since this topic is so right on, I thought I would ask.

thanks!!!

[Navaldesign]

Will the "members" have to re-enter their passwords to access multiple pages?? I gather I shouldn't use cookies so is there an alternative?

No, the script uses sessions so it keeps the members logged in until they log out.

[bry]

Thanks Navaldesign!!!!

[bry]

Is there some way to keep any track of member check-ins without doing a data base?? I will be designing a site that will have about 1400 members. There is only one level of membership. There will be a unique member ID and password for each member.

I was trying to think of someway that I could pull stats without a database. For instance, if each login took each member to their own page, then stats from my host server tells me how many hits there were on each page and that info might be useful. However, that puts an extra page in the process for each member (and of course in the website).

Any ideas?? It isn't worth the cost of a data base so it probably isn't worth doing unless someone has a great idea.

Thanks!!!

[Navaldesign]

Most hosting companies nowdays offer a "Protected Directories" feature through the hosting account control panel. If yours does also, password protect the folder from there. It would be logical to place the relevant pages in the same protected directory.

[adex1]

...nothing is safe in this world anymore... there will always be a way.

I always make sure that my pwds in php are MD5'd.

madjamonline,

I agree that hashing passwords (md5, sha1) is more secure. I didn't use this technics in order to keep it clear for WebBuilder users.

Of course I and you will understand that NASA will not use my script

Sorry for the late post! Yeah I agree. I made a suggestion that the password protect in Wb6 should have MySql database support because with all of my members areas, there is soooo much code! I decided I am going to make a professional extension suite for members areas for WB6 so I will be sharing that with you all when it is done. It will have support for remember me functions, admin areas, extra user fields, profile info for user, database support (mysql) and more! Of course it is going to take a while...

Are you still planning to make the extension or have you make it already?

[Navaldesign]

madjamonline no longer is active on this forum (at least from what I know) however,most of these features have been added in the standard WWB login tools.

[adex1]

madjamonline no longer is active on this forum (at least from what I know) however,most of these features have been added in the standard WWB login tools.

Alright thanks. But l will like redirect login username to different page using database (mysql or flatfile or other db). Any idea on how l should do this using above guide?

[Navaldesign]

Set a default Destination page in the "login" tool. All users will be sent to this page.
Then, in this page, add the "Redirect user" tool to define the page where each user will be redirected.

The user will not even know or see that there is a "redirect". He will only see the page he is supposed to see.

OR (better solution):

Use (with MySQL) the DBTS Login tools that allow the administrator to set a specific page (after login) for each user.

Related thread: viewtopic.php?t=29083