Is there an easy way to do this? (Adding a Client Login)
What I would like to do is add a client login to my webpage.
I just want it so it logs in, and then redirects to a specific folder only visible by that client (and me). It doesn't need to be complicated, but I want it so that only the client and myself have access to it. Because it would consist of a preview of a webpage, I figured it would be easier to 'lock' an entire folder.
Example:
Client logs in. The username and password are checked. If valid, it checks "what" client it is and redirects to that client's folder.
for example: clients.mydomain.com/clientA
This folder should only be visible by me and that client, so that someone can't 'find out' the address and access it without seeing an "Oops! You need to log in first!".
I have no idea if any of this is making sense, or if it is going to be too complicated for what it's worth (I only have enough clients to count on my hands right now).
I have also read about using .htaccess to do a similar thing, but I'm not sure how that would be done or if it would achieve the desired effect. (I don't want to have to find out the IP and use the order, deny to allow only their IP and mine. Then how do I access it elsewhere.)
This is merely an idea, and is by no means a necessary feature, but if I could do it easily, or better yet, find some open source script to help, I'm all ears!
Any input is appreciated. Thanks.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Is there an easy way to do this? (Adding a Client Login)
This is easier than you think. How many clients are you dealing with? Will the client list change frequently? Do you have a database backend?
Re: Is there an easy way to do this? (Adding a Client Login)
Well I am a starting business, so I am only dealing with less than five right now. I have access to MySQL and PHP (on my web server).
Also, I have just installed "Login and Redirect v1.3" and it seems to work fine except there are a LOT of files. I would also like to be able to customize the look of it. Most importantly, I am able to set up which page each user would redirect to, but if I go to that address in my browser, it opens like normal, instead of the "Oops" thing as I talked about above.
Would it be easier to start from scratch (obviously needing a lot of guidance) or should I modify this script? In this script there are codes for registration and others that I don't need but I am afraid to delete anything or customize anything that may break the code.
Thanks for any help.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Is there an easy way to do this? (Adding a Client Login)
Once a user is logged in, what are they allowed to see and how do you determine that?
Re: Is there an easy way to do this? (Adding a Client Login)
You mean using this script?
The user is redirected to any (specified) URL. So I have it set up so they go to a [static HTML] page listing options such as:
Welcome, ClientA
Client Profile
- Update Account Info
- Change Account Password
- Email Webmaster
- View Website Preview
This would be in a file like clients.mydomain.com/clientA/index.html
and a website preview would link to clients.mydomain.com/clientA/web/index.html.
Later, I may make it so that every client is redirected to the same page, but using PHP, the content changes for each client. Right now it is simpler to start with static pages.
I have this working so far, except I have yet to find a way to check to make sure a client is logged in and that it is the 'right' client for the page. If you were to put clients.mydomain.com/clientA/index.html in your address bar, you would be able to access the same above page, even though you are not a registered user. Likewise, clientA can view clientB's profile and documents. Obviously, this is not what I want.
Thanks for the help.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Is there an easy way to do this? (Adding a Client Login)
So let's say we have three clients: Joe, Billy and Bob. When each logs in, they would be taken to joe.yoursite.com, billy.yoursite.com and bob.yoursite.com without having access to any other subdomain available, correct? And I assume you have a setup somewhere that handles control of subdomains so you do not have to literally create a subdomain for each client but handle it upon each request, right?
So knowing a client's name, when they pass the name and credential, if the credential matches what is in the clients table of the database, you can, if the credential passes, gather more information about that client from that select query that checks the credentials and use that to build the subdomain and any home page redirect they are taken to. Using sessions sets these values so that they are restricted to those areas only (of course you write all of the necessary security checks for this so that it is not broken out of) and maintains state of the user through session management.
Re: Is there an easy way to do this? (Adding a Client Login)
Well the way I have it set up now is rather than bob.mydomain.com, I have clients.mydomain.com/bob.
Would it still work like this? I wouldn't know how to set it up like you said without having to make a subdomain myself for every client. Which, with my small amount of clients right now, isn't a problem, but also these accounts will not be permanent. It is just for while I am working for them, so they can check product status etc.
Sorry, but you also lost me with that last paragraph. As I said, it may not be worth it right now.
Again, let me say that I have it set up very nicely now except for the viewing issue. I have an Admin Panel that allows me to view and control all of my clients, including add, delete, email, etc. I just don't have a way of making each page only viewable by the appropriate client. I was thinking it could be done using a cookie, but again I'm not too sure.
Let me know what you think.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Is there an easy way to do this? (Adding a Client Login)
The way you have it set up now will work. I read your posts wrong. Sorry about that.
Basically what I would do is add code that checks the logged in username and compares it to the request uri. If it is anything other than domain.com/username, redirect them to their username, or in the case of usernames not known, redirect them to the login screen.
Re: Is there an easy way to do this? (Adding a Client Login)
Could you possibly help me out with an example code? I'm not quite sure I'm following.
So I would check what URL they are requesting, then check if that is the right client?
Like, they type: clients.mydomain.com/bob
So it checks to see that 'Bob' or 'Admin' is logged in, otherwise, it will redirect to log in page?
What would happen if 'Joe' was logged in? Would it be able to redirect to a page that says something like:
"Sorry, Joe, that page is only viewable by Bob. We will redirect you to your page in 5 seconds" or something, where it then redirects to clients.mydomain.com/joe?
I would most likely have to make that a PHP driven page, or else I would end up with dozens of combos (ie Joe accessing Bob, Jim accessing Joe, Joe accessing Jim, etc.)
I understand the logistics of it, but I have no idea how I would code that...
Any ideas?
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Is there an easy way to do this? (Adding a Client Login)
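Code:
<?php
session_start(); // $_SESSION is empty until the session is started
$redirect_url = '/login.php'; // placeholder: you decide what redirect_url will be
if (empty($_SESSION['username'])
    || strpos($_SERVER['REQUEST_URI'], "/{$_SESSION['username']}/") !== 0) {
    // the uri is not /username/ so redirect
    header('Location: ' . $redirect_url);
    exit; // stop so the rest of the page is not sent along with the redirect
}
?>
Re: Is there an easy way to do this? (Adding a Client Login)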
Like Everah suggested I would prefer to do the user restriction in PHP, since then you can keep everything dynamic (control the entire userlist and their accessible pages in one database or php script for example).
However, if the requirement to include the user authentication stuff in *every* page is a pain in the ass (or if you just tend to forget because you're adding new pages all the time), then .htaccess protection may be easier.
To do this, put a file called ".htaccess" in Joe's home dir with this content:
Code:
AuthUserFile "/your/home/folder/joe.pw"
AuthName "Sorry, members only!"
AuthType Basic
# No <Limit GET> wrapper here: inside <Limit GET> the requirement would apply to GET requests only
require valid-user
And create a file 'joe.pw' in your webserver's home folder with this content:
Code:
joe:xRZjwkGAiy5HY
uberadmin:5cjIpCg2oiy6
Note that those two strings are not actual passwords, just (non-unique) hashes. You can calculate this with this script for example.
That way, you won't have to remember to include the PHP protection stuff if you add new pages, subdirs are also automatically protected, etc.
Each customer gets his own .pw file, and each .pw file also contains the same admin entry so you can login everywhere with your 'uberadmin' account.
Also note that /your/home/folder/ should NOT be a web-accessible dir. In other words, if your website's main page is in /your/home/folder/http_docs/ or something, then /your/home/folder/ won't be accessible by people browsing to your domain. To avoid a mess in your webserver's root dir you can use a subdir like /your/home/folder/secret/, just as long as it's "unsurfable".
Re: Is there an easy way to do this? (Adding a Client Login)
So I like the .htaccess way, and until I can figure out the EXACT PHP script, I will use it. However, would the following script work? Or do I have to call $user_name first? It is in my table and that is the $_POST variable, so will it automatically determine that?
As long as I make sure the respective folder is the client's username, that should work, right?
Code:
<?php
if (strpos($_SERVER['REQUEST_URI'], "/{$_SESSION['user_name']}/") !== 0) {
    header($redirect_url);('Location:clients.mydomain.com/$user_name');
}
?>
I would also need to add a line so that if no one is logged in, it redirects to another page.
Could someone help?
Thanks.
Re: Is there an easy way to do this? (Adding a Client Login)
Sorry Apollo, but I am having trouble with the .htaccess method.
I added the two files in the folder clients.mydomain.com/joe, but whenever I try to access it, it returns a 500 error. The first time, I got the message saying put in your password, but now I don't even get that.
Any ideas?
Re: Is there an easy way to do this? (Adding a Client Login)
When you just store the .htaccess file (with same contents as I showed above) in clients.yourdomain.com/joe, do you get the password prompt?
As long as the actual joe.pw file is missing, you won't be able to login as it can't verify any passwords, but then at least you know the .htaccess is working.
If you keep getting the error 500, what kind of webserver are you using?
Re: Is there an easy way to do this? (Adding a Client Login)
So I stored the two files in clients.mydomain.com/joe (.htaccess and joe.pw). I used the site you provided and encrypted the passwords.
On my first attempt, I got the password box, so I put in the admin password (which was part of joe.pw) and was redirected to my Error 500 page.
I tried again, and this time got the 500 error without even going to the password box. It hasn't worked since.
However, I still would much prefer the PHP method, so if you could look at my earlier post and help me with that code, I'd really appreciate it.
Thanks.
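An added example, not code posted by anyone in this thread: one way to write the check discussed above, comparing the logged-in username with the first folder of the request path and sending everyone else to the login page or to their own folder. The session key `username`, the admin name `uberadmin` and `/login.php` are assumptions, and the sample requests at the bottom are constructed.

```php
<?php
declare(strict_types=1);

const ADMIN_USERS = ['uberadmin'];  // assumption: admin name borrowed from the .htaccess post
const LOGIN_URL   = '/login.php';   // hypothetical login page outside the client folders

/**
 * Decide whether $user may see $requestUri.
 * Returns ['allow'] or ['redirect', $url].
 */
function authorize_request(?string $user, string $requestUri): array
{
    // No session user, or a value that could not be a plain folder name: back to login.
    if ($user === null || preg_match('/^[A-Za-z0-9_-]{1,32}$/', $user) !== 1) {
        return ['redirect', LOGIN_URL];
    }
    $home = '/' . $user . '/';

    // Look at the decoded path only; the query string says nothing about the folder.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return ['redirect', $home];
    }
    $decoded  = rawurldecode($path);
    $segments = explode('/', ltrim($decoded, '/'));

    // A raw URI such as /joe/../bob/ begins with /joe/ but resolves elsewhere,
    // so dot segments and backslashes are refused rather than interpreted.
    if (in_array('..', $segments, true) || in_array('.', $segments, true)
        || strpos($decoded, '\\') !== false) {
        return ['redirect', $home];
    }
    // The admin sees every folder; a client sees only the folder named after them.
    if (in_array($user, ADMIN_USERS, true) || $segments[0] === $user) {
        return ['allow'];
    }
    return ['redirect', $home];
}

// Web use: include this file at the top of every client page (not the login page).
if (PHP_SAPI !== 'cli') {
    session_start();
    $name     = $_SESSION['username'] ?? null;
    $decision = authorize_request(is_string($name) ? $name : null, $_SERVER['REQUEST_URI']);
    if ($decision[0] === 'redirect') {
        header('Location: ' . $decision[1], true, 302);
        exit; // nothing from the protected page may follow the redirect
    }
    return; // allowed: hand control back to the page that included this file
}

// Command-line run: constructed sample requests showing each decision.
$samples = [
    [null, '/bob/index.php'], ['bob', '/bob/web/index.php?page=2'],
    ['joe', '/bob/index.php'], ['joe', '/joe/../bob/index.php'],
    ['joe', '/joey/index.php'], ['uberadmin', '/bob/index.php'],
];
foreach ($samples as [$user, $uri]) {
    printf("%-10s %-28s %s\n", $user ?? '(none)', $uri, implode(' ', authorize_request($user, $uri)));
}
```

This check only runs for requests that PHP handles; static .html files are served by the web server without executing it, so they need either the .htaccess protection or to be delivered through a PHP page.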