Is there an easy way to do this? (Adding a Client Login)
Posted: Fri Jul 18, 2008 5:17 pm
by antoine
What I would like to do is add a client login to my webpage.
I just want it so it logs in, and then redirects to a specific folder only visible by that client (and me). It doesn't need to be complicated, but I want it so that only the client and myself have access to it. Because it would consist of a preview of a webpage, I figured it would be easier to 'lock' an entire folder.
Example:
Client logs in. The username and password are checked. If valid, it checks "what" client it is and redirects to that client's folder.
for example: clients.mydomain.com/clientA
This folder should only be visible by me and that client, so that someone can't 'find out' the address and access it without seeing an "Oops! You need to log in first!".
I have no idea if any of this is making sense, or if it is going to be too complicated for what it's worth (I only have enough clients to count on my hands right now).
I have also read about using .htaccess to do a similar thing, but I'm not sure how that would be done or if it would achieve the desired effect. (I don't want to have to find out the IP and use the order, deny to allow only their IP and mine. Then how do I access it elsewhere.)
This is merely an idea, and is by no means a necessary feature, but if I could do it easily, or better yet, find some open source script to help, I'm all ears!
Any input is appreciated. Thanks.
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Fri Jul 18, 2008 7:45 pm
by RobertGonzalez
This is easier than you think. How many clients are you dealing with? Will the client list change frequently? Do you have a database backend?
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Fri Jul 18, 2008 8:18 pm
by antoine
Well I am a starting business, so I am only dealing with less than five right now. I have access to MySQL and PHP (on my web server).
Also, I have just installed "Login and Redirect v1.3" and it seems to work fine except there are a LOT of files. I would also like to be able to customize the look of it. Most importantly, I am able to set up which page each user would redirect to, but if I go to that address in my browser, it opens like normal, instead of the "Oops" thing as I talked about above.
Would it be easier to start from scratch (obviously needing a lot of guidance) or should I modify this script? In this script there are codes for registration and others that I don't need but I am afraid to delete anything or customize anything that may break the code.
Thanks for any help.
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Sat Jul 19, 2008 12:05 am
by RobertGonzalez
Once a user is logged in, what are they allowed to see and how do you determine that?
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Sat Jul 19, 2008 10:25 am
by antoine
You mean using this script?
The user is redirected to any (specified) URL. So I have it set up so they go to a [static HTML] page listing options such as:
Welcome, ClientA
Client Profile
Client Services (This is client specific, and right now it is a different static HTML page until I dynamically change it with PHP)
...etc.
This would be in a file like clients.mydomain.com/clientA/index.html
and a website preview would link to clients.mydomain.com/clientA/web/index.html.
Later, I may make it so that every client is redirected to the same page, but using PHP, the content changes for each client. Right now it is simpler to start with static pages.
I have this working so far, except I have yet to find a way to check to make sure a client is logged in and that it is the 'right' client for the page. If you were to put clients.mydomain.com/clientA/index.html in your address bar, you would be able to access the same above page, even though you are not a registered user. Likewise, clientA can view clientB's profile and documents. Obviously, this is not what I want.
Thanks for the help.
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Sat Jul 19, 2008 10:32 am
by RobertGonzalez
So let's say we have three clients: Joe, Billy and Bob. When each logs in, they would be taken to joe.yoursite.com, billy.yoursite.com and bob.yoursite.com without having access to any other subdomain available, correct? And I assume you have a setup somewhere that handles control of subdomains so you do not have to literally create a subdomain for each client but handle it upon each request, right?
So knowing a client's name, when they pass the name and credential, if the credential matches what is in the clients table of the database, you can, if the credential passes, gather more information about that client from that select query that checks the credentials and use that to build the subdomain and any home page redirect they are taken to. Using sessions sets these values so that they are restricted to those areas only (of course you write all of the necessary security checks for this so that it is not broken out of) and maintain state of the user through session management.
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Sat Jul 19, 2008 10:54 am
by antoine
Well the way I have it set up now is rather than bob.mydomain.com, I have clients.mydomain.com/bob.
Would it still work like this? I wouldn't know how to set it up like you said without having to make a subdomain myself for every client. Which, with my small amount of clients right now, isn't a problem, but also these accounts will not be permanent. It is just for while I am working for them, so they can check product status etc.
Sorry, but you also lost me with that last paragraph. As I said, it may not be worth it right now.
Again, let me say that I have it set up very nicely now except for the viewing issue. I have an Admin Panel that allows me to view and control all of my clients, including add, delete, email, etc. I just don't have a way of making each page only viewable by the appropriate client. I was thinking it could be done using a cookie, but again I'm not too sure.
Let me know what you think.
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Sat Jul 19, 2008 11:39 am
by RobertGonzalez
The way you have it set up now will work. I read your posts wrong. Sorry about that.
Basically what I would do is add code that checks the logged in username and compares it to the request uri. If it is anything other than domain.com/username, redirect them to their username, or in the case of usernames not known, redirect them to the login screen.
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Sat Jul 19, 2008 11:53 am
by antoine
Could you possibly help me out with an example code? I'm not quite sure I'm following.
So I would check what URL they are requesting, then check if that is the right client?
Like, they type: clients.mydomain.com/bob
So it checks to see that 'Bob' or 'Admin' is logged in, otherwise, it will redirect to log in page?
What would happen if 'Joe' was logged in? Would it be able to redirect to a page that says something like:
"Sorry, Joe, that page is only viewable by Bob. We will redirect you to your page in 5 seconds" or something, where it then redirects to clients.mydomain.com/joe?
I would most likely have to make that a PHP driven page, or else I would end up with dozens of combos (ie Joe accessing Bob, Jim accessing Joe, Joe accessing Jim, etc.)
I understand the logistics of it, but I have no idea how I would code that...
Any ideas?
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Sat Jul 19, 2008 4:16 pm
by RobertGonzalez
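Code:
<?php
session_start(); // the session must be started before $_SESSION can be read
$redirect_url = '/login.php'; // placeholder: you decide what redirect_url will be
if (empty($_SESSION['username'])
    || strpos($_SERVER['REQUEST_URI'], "/{$_SESSION['username']}/") !== 0) {
    // nobody is logged in, or the uri is not /username/, so redirect
    header('Location: ' . $redirect_url); // header() needs the full "Location: ..." line
    exit; // stop here so the rest of the protected page is never sent
}
?>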
Don't tell the user that a section is only accessible by <someusername>. That is a security hole. Just redirect if their name is not right for the area they are in. Make it a function and include the file with the function in it on every page.
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Sat Jul 19, 2008 6:00 pm
by Apollo
Like Everah suggested I would prefer to do the user restriction in PHP, since then you can keep everything dynamic (control the entire userlist and their accessible pages in one database or php script for example).
However, if the requirement to include the user authentication stuff in *every* page is a pain in the ass (or if you just tend to forget because you're adding new pages all the time), then .htaccess protection may be easier.
To do this, put a file called ".htaccess" in Joe's home dir with this content:
Code:
AuthUserFile "/your/home/folder/joe.pw"
AuthName "Sorry, members only!"
AuthType Basic
# No <Limit GET> wrapper: inside it, the login would be enforced only for the listed methods
require valid-user
And create a file 'joe.pw' in your webserver's home folder with this content:
Code:
joe:xRZjwkGAiy5HY
uberadmin:5cjIpCg2oiy6
Note that those two strings are not actual passwords, just (non-unique) hashes. You can calculate this with this script for example.
That way, you won't have to remember to include the PHP protection stuff if you add new pages, subdirs are also automatically protected, etc.
Each customer gets his own .pw file, and each .pw file also contains the same admin entry so you can login everywhere with your 'uberadmin' account.
Also note that /your/home/folder/ should NOT be a web-accessible dir. In other words, if your website's main page is in /your/home/folder/http_docs/ or something, then /your/home/folder/ won't be accessible by people browsing to your domain. To avoid a mess in your webserver's root dir you can use a subdir like /your/home/folder/secret/, just as long as it's "unsurfable".
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Sat Jul 19, 2008 6:18 pm
by antoine
So I like the .htaccess way, and until I can figure out the EXACT PHP script, I will use it. However, would the following script work? Or do I have to call $user_name first? It is in my table and that is the $_POST variable, so will it automatically determine that?
Code:
<?php
if (strpos($_SERVER['REQUEST_URI'], "/{$_SESSION['user_name']}/") !== 0) {
header($redirect_url);('Location:clients.mydomain.com/$user_name');
}
?>
As long as I make sure the respective folder is the client's username, that should work, right?
I would also need to add a line so that if no one is logged in, it redirects to another page.
Could someone help?
Thanks.
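The check RobertGonzalez describes, extended to the no-login and admin cases asked about in this post, as one function to include on every protected page. This is an added example, not code posted in the thread; it assumes usernames contain only letters and digits and match the folder name, and the names LOGIN_URL, $_SESSION['is_admin'], client_area_redirect and require_client_area are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumed names: LOGIN_URL, and
// $_SESSION['username'] / $_SESSION['is_admin'] being set by the login script.
const LOGIN_URL = '/login.php'; // placeholder path

/** Returns null when the page may be shown, otherwise the URL to redirect to. */
function client_area_redirect(string $requestUri, ?string $username, bool $isAdmin = false): ?string
{
    if ($username === null || $username === '') {
        return LOGIN_URL; // nobody is logged in
    }
    if ($isAdmin) {
        return null; // the owner may view every client folder
    }
    $path = (string) parse_url($requestUri, PHP_URL_PATH);
    // Decode first so that %2e%2e and %2f are seen as '..' and '/'.
    $segments = explode('/', rawurldecode($path));
    // $segments[0] is '' (leading slash), $segments[1] is the client folder.
    $inOwnFolder = count($segments) >= 3
        && $segments[1] === $username
        && !in_array('..', $segments, true); // '..' could climb into another folder
    // On a mismatch, send the user to their own area without saying whose page it was.
    return $inOwnFolder ? null : '/' . rawurlencode($username) . '/';
}

/** Call at the top of every protected PHP page, before any output is sent. */
function require_client_area(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $target = client_area_redirect(
        $_SERVER['REQUEST_URI'] ?? '/',
        $_SESSION['username'] ?? null,
        !empty($_SESSION['is_admin'])
    );
    if ($target !== null) {
        header('Location: ' . $target);
        exit; // stop here so the protected page body is never sent
    }
}
```

The guard only runs for requests that PHP handles, so static .html files in a client folder are still served without it unless they are routed through a PHP script or covered by .htaccess authentication.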
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Sat Jul 19, 2008 7:25 pm
by antoine
Sorry Apollo, but I am having trouble with the .htaccess method.
I added the two files in the folder clients.mydomain.com/joe, but whenever I try to access it, it returns a 500 error. The first time, I got the message saying put in your password, but now I don't even get that.
Any ideas?
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Sun Jul 20, 2008 12:57 pm
by Apollo
When you just store the .htaccess file (with same contents as I showed above) in clients.yourdomain.com/joe, do you get the password prompt?
As long as the actual joe.pw file is missing, you won't be able to login as it can't verify any passwords, but then at least you know the .htaccess is working.
If you keep getting the error 500, what kind of webserver are you using?
Re: Is there an easy way to do this? (Adding a Client Login)
Posted: Sun Jul 20, 2008 7:57 pm
by antoine
So I stored the two files in clients.mydomain.com/joe (.htaccess and joe.pw). I used the site you provided and encrypted the passwords.
On my first attempt, I got the password box, so I put in the admin password (which was part of joe.pw) and was redirected to my Error 500 page.
I tried again, and this time got the 500 error without even going to the password box. It hasn't worked since.
However, I still would much prefer the PHP method, so if you could look at my earlier post and help me with that code, I'd really appreciate it.
Thanks.