Our company has used email and ftp file transfers between itself and its customers for quite some time. However it is only in the last few days that I have started to create a simple website for it. I have however got stuck with how to create a customer login page.
Traditionally we have put files for individual customers to download in individual .htaccess protected directories, so that, for example, files for customer1 have been put in /customers/001, and files for customer2 have been put in /customers/002. This has worked well but now we are getting a website I would like to provide a better user interface and have a single common "Customer Area" webpage where our customers can type in their login name and password and then be automatically taken to a protected personal webpage listing the files waiting for them to download. i.e. if they login with the username: firstname1.surname1 they will automatically be taken to website/customers/001/index.html
Does anyone have any suggestions how to achieve this?
Our customer base is quite stable so setting up the individual login data entries in an ascii configuration file by hand would not worry me.
Any suggestions welcome.
sagr.
On Wednesday 11 July 2007 13:35:11 sagr wrote:
Our company has used email and ftp file transfers between itself and its customers for quite some time. However it is only in the last few days that I have started to create a simple website for it. I have however got stuck with how to create a customer login page.
Does anyone have any suggestions how to achieve this?
Will you be/are you implementing your web site as a dynamic site? i.e. using a server-side templating language like PHP, JSP, ASP or framework like Django or Turbogears to generate the site's content?
If so, then you'll find that most (all?) of these tools provide mechanisms to help you add authentication. They are based around maintaining server-side sessions (or server-side "cookies"). Generally, you present the user with a login page which, when submitted, checks his credentials against a database and, if they are valid, creates a new server-side session.
If not, then I would suggest that you consider it. Having any form of valid authentication will require some server-side complicity. You should have a look at the existing templating languages and frameworks and make a decision about which one you like best (they probably all allow server-side sessions so this will not be your key criteria).
Our customer base is quite stable so setting up the individual login data entries in an ascii configuration file by hand would not worry me.
If you do this, I would suggest that you use a database rather than a flat file. It's actually just as easy (or maybe even easier) to access records from a database as from a file and it also means that you can store additional information about your customers useful to your application (e.g., in your case, the name of their private download directory) more easily.
Cheers, Richard
sagr alug1@suffolk-ancestor-genealogy-research.co.uk wrote: [...]
common "Customer Area" webpage where our customers can type in their login name and password and then be automatically taken to a protected personal webpage listing the files waiting for them to download. [...]
+1 to the comment about using a framework, but if you want to do this directly, the CGI variable REMOTE_USER (so $ENV{'REMOTE_USER'} in Perl and $_SERVER['REMOTE_USER'] in PHP IIRC) contains the name that they used to login to your .htaccess protection.
Hope that helps,
On 12/07/07, MJ Ray mjr@phonecoop.coop wrote:
sagr alug1@suffolk-ancestor-genealogy-research.co.uk wrote: [...]
common "Customer Area" webpage where our customers can type in their login name and password and then be automatically taken to a protected personal webpage listing the files waiting for them to download. [...]
+1 to the comment about using a framework, but if you want to do this directly, the CGI variable REMOTE_USER (so $ENV{'REMOTE_USER'} in Perl and $_SERVER['REMOTE_USER'] in PHP IIRC) contains the name that they used to login to your .htaccess protection.
But don't do it. Frameworks help reduce (but not eliminate) security flaws. If you're using Perl, use CGI.pm to interact with the browser. But again, this only helps reduce flaws. I'm sure similar things exist for other languages too; investigate, understand, and use them.
To be honest, if you're Internet facing you need to be /really/ good at what you're doing, and understand 100% the effects and impacts of introducing non-static content - otherwise you risk malicious defacement etc.
I've various intranet facing sites, and although they are not 100% security proof (I'm aware of a couple of areas where I don't fully validate input), I am at least aware of this, and am happy with the risk I'm taking in a closed environment. I wouldn't dare take such risks on the internet proper.
Greg
"Greg Thomas" Greg@TheThomasHome.co.uk wrote:
On 12/07/07, MJ Ray mjr@phonecoop.coop wrote:
+1 to the comment about using a framework, but if you want to do this directly, [...]
But don't do it. Frameworks help reduce (but not eliminate) security flaws. If you're using Perl, use CGI.pm to interact with the browser.
CGI.pm is barely a framework (I think things like Mason, Cake, Rails... are better examples) and it's debatable whether the described application would get a net security benefit from using 5% of a framework instead of a Keep It Simple and Stupid approach.
Regards,
On 13/07/07, MJ Ray mjr@phonecoop.coop wrote:
"Greg Thomas" Greg@TheThomasHome.co.uk wrote:
On 12/07/07, MJ Ray mjr@phonecoop.coop wrote:
+1 to the comment about using a framework, but if you want to do this directly, [...]
But don't do it. Frameworks help reduce (but not eliminate) security flaws. If you're using Perl, use CGI.pm to interact with the browser.
CGI.pm is barely a framework (I think things like Mason, Cake, Rails... are better examples)
True, bad phrasing of that bit on my behalf.
and it's debatable whether the described application would get a net security benefit from using 5% of a framework instead of a Keep It Simple and Stupid approach.
The OP discussed using environment variables to access CGI information. If you're at that raw level of programming, any toolkit or framework is going to make life easier for you. And easier means fewer flaws.
Greg
Thanks to everyone who has offered advice about how I can set up a customer login area on our website. I must admit however that I am feeling rather out of my depth here and feel I may need to hire someone to do this for me. I was wondering if any ALUGers have had any experience of hiring people to create websites? The main problem I see is that I do not want an entire site designed, nor need its structure changed; I simply want just a small piece of software I can insert into:
www.customerarea.suffolk-ancestor-genealogy-research.co.uk/index.html
which will display "Customer ID" and "Password" login boxes, then process the data entered so that, for example, if a customer signs in as CustomerID = "firstcustomer" and Password = "firstpassword" they will be taken to:
www.customerarea.suffolk-ancestor-genealogy-research.co.uk/firstcustomer/index.html
whereas if they sign in as CustomerID = "secondcustomer" and Password = "secondpassword" they will be taken to:
www.customerarea.suffolk-ancestor-genealogy-research.co.uk/secondcustomer/index.html
The webspace is PHP enabled. I notice some ALUGers have suggested using databases for storing login info. Well the hosting (which is with 1&1) does include two SQL databases but these are both in use so none are currently available. As I originally mentioned: our customer base is quite stable so editing an ascii login config file by hand would not be a problem.
Does anyone have any suggestions on how I should go about hiring someone to write this login code?
Sagr.
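Added example, not code from the thread or from any poster: a PHP login handler for the Customer Area described above that does the credential check in PHP itself instead of relying on .htaccess and REMOTE_USER. It assumes the index.html form POSTs fields named customer_id and password, a hand-edited credential file at an assumed path outside the web root in the format customerid:bcrypt-hash:directory, and PHP 7 or later (password_hash/password_verify); the customer's directory is looked up from that file, never taken from the request.

```php
<?php
// Added example, not code from the thread. Login handler for the Customer
// Area: index.html POSTs customer_id and password here. Credentials live in a
// hand-edited file OUTSIDE the web root, one line per customer:
//   customerid:bcrypt-hash:directory
// Make a hash with: php -r 'echo password_hash("firstpassword", PASSWORD_DEFAULT);'
declare(strict_types=1);
const CUSTOMER_FILE = '/home/example/private/customers.txt'; // assumed path, not web-reachable

// Parse the file into [id => ['hash' => ..., 'dir' => ...]]; '#' lines are comments.
function loadCustomers(string $file): array
{
    $customers = [];
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        if ($line[0] === '#') { continue; }
        $parts = explode(':', $line, 3);
        // Skip malformed lines; accept the directory only as a plain token (no '/', '..', spaces).
        if (count($parts) !== 3 || !preg_match('/^[A-Za-z0-9_-]+$/', $parts[2])) { continue; }
        $customers[$parts[0]] = ['hash' => $parts[1], 'dir' => $parts[2]];
    }
    return $customers;
}

// Returns the customer's directory on success, null on failure.
function authenticate(array $customers, string $id, string $password): ?string
{
    static $dummy = null;
    if ($dummy === null) { $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT); }
    // Unknown IDs are checked against a dummy hash so response time does not reveal valid IDs.
    $known = isset($customers[$id]);
    $ok = password_verify($password, $known ? $customers[$id]['hash'] : $dummy);
    return ($known && $ok) ? $customers[$id]['dir'] : null; // dir comes from the file, never the request
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = (string)($_POST['customer_id'] ?? '');
    $pw = (string)($_POST['password'] ?? '');
    $dir = authenticate(loadCustomers(CUSTOMER_FILE), $id, $pw);
    if ($dir === null) {
        header('Location: /index.html?error=1'); // one generic failure message for either bad field
        exit;
    }
    session_regenerate_id(true); // fresh session ID after login, against session fixation
    $_SESSION['customer_dir'] = $dir;
    header('Location: /' . $dir . '/index.php');
    exit;
}
```

Each per-customer index.php then starts with session_start() and refuses the request unless $_SESSION['customer_dir'] equals its own directory name; the download files themselves must not be fetchable without that check (serve them through a PHP script or keep them outside the web root).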
I've not really been following this thread very closely, but could you not add a table to one of your existing databases?
I've got some php login code here, but as I pulled it down off the web, and I'm not that experienced in php, I'm not certain how secure it is.
If you want I can dig it out?
Matt
-----Original Message----- From: main-bounces@lists.alug.org.uk [mailto:main-bounces@lists.alug.org.uk] On Behalf Of sagr Sent: 14 July 2007 09:15 To: main@lists.alug.org.uk Subject: Re: [ALUG] Creating Customer Login facility on a website
Thanks to everyone who has offered advice about how I can set up a customer login area on our website. I must admit however that I am feeling rather out of my depth here and feel I may need to hire someone to do this for me. I was wondering if any ALUGers have had any experience of hiring people to create websites? The main problem I see is that I do not want an entire site designed, nor need its structure changed; I simply want just a small piece of software I can insert into:
www.customerarea.suffolk-ancestor-genealogy-research.co.uk/index.html
which will display "Customer ID" and "Password" login boxes, then process the data entered so that, for example, if a customer signs in as CustomerID = "firstcustomer" and Password = "firstpassword" they will be taken to:
www.customerarea.suffolk-ancestor-genealogy-research.co.uk/firstcustomer/index.html
whereas if they sign in as CustomerID = "secondcustomer" and Password = "secondpassword" they will be taken to:
www.customerarea.suffolk-ancestor-genealogy-research.co.uk/secondcustomer/index.html
The webspace is PHP enabled. I notice some ALUGers have suggested using databases for storing login info. Well the hosting (which is with 1&1) does include two SQL databases but these are both in use so none are currently available. As I originally mentioned: our customer base is quite stable so editing an ascii login config file by hand would not be a problem.
Does anyone have any suggestions on how I should go about hiring someone to write this login code?
Sagr.
_______________________________________________ main@lists.alug.org.uk http://www.alug.org.uk/ http://lists.alug.org.uk/mailman/listinfo/main Unsubscribe? See message headers or the web site above!
Personally I would install something like Joomla which is free and open source rather than spend hours trying to reinvent the wheel and just use the registered user bit. It will also give you a lot of user management options and if you installed it with the Community Builder plug in, would help build up a nice online Community. You can also install the FCK editor and allow registered users to upload images and files.
It will allow users to register online and give you the option to authorise or not.
I used to hand code sites and spent hours doing it but now I use Joomla all the time and it saves tons of time.
You can use one of your existing databases, it will just prefix the entries with joom_
Tony
----- Original Message ----- From: "sagr" alug1@suffolk-ancestor-genealogy-research.co.uk To: main@lists.alug.org.uk Sent: Saturday, July 14, 2007 9:15 AM Subject: Re: [ALUG] Creating Customer Login facility on a website
Thanks to everyone who has offered advice about how I can set up a customer login area on our website. I must admit however that I am feeling rather out of my depth here and feel I may need to hire someone to do this for me. I was wondering if any ALUGers have had any experience of hiring people to create websites? The main problem I see is that I do not want an entire site designed, nor need its structure changed; I simply want just a small piece of software I can insert into:
www.customerarea.suffolk-ancestor-genealogy-research.co.uk/index.html
which will display "Customer ID" and "Password" login boxes, then process the data entered so that, for example, if a customer signs in as CustomerID = "firstcustomer" and Password = "firstpassword" they will be taken to:
www.customerarea.suffolk-ancestor-genealogy-research.co.uk/firstcustomer/index.html
whereas if they sign in as CustomerID = "secondcustomer" and Password = "secondpassword" they will be taken to:
www.customerarea.suffolk-ancestor-genealogy-research.co.uk/secondcustomer/index.html
The webspace is PHP enabled. I notice some ALUGers have suggested using databases for storing login info. Well the hosting (which is with 1&1) does include two SQL databases but these are both in use so none are currently available. As I originally mentioned: our customer base is quite stable so editing an ascii login config file by hand would not be a problem.
Does anyone have any suggestions on how I should go about hiring someone to write this login code?
Sagr.