Help need to create a PHP members area

[graphico]

Hello I am fairly new to Php and want to create a feature on a site which allows paid up members to login to various areas of the site.

I have got past creating login forms and I have set up Wamp... but I’m not sure what else i need to include to make the members area work.



Does anyone have a constructive list of files I need to create?

All help appreciated

[essellar]

All you need (he said, as if it were nothing) is an indication in your database (either in the user record, or in a table you can join to the users table) of whether the user is paid up or not, and to what date. You would use that value to determine whether or not to set a user session variable to "valid" (along with the username and password checking, of course). Every page in your members area should have a "session_valid?" check at the top that redirects the user either to the login page (if the username/password check fails) or to a "not paid" page if the username/passord check passes, but the subscription has expired (allow a few days' grace as a courtesy).

Maintaining the subscription data, on the other hand, depends on the method of payment. Payment processors (like PayPal) usually have an API that either messages your server on payment (either by POST request or by mail -- prefer POST if you get a choice) or that your server can query for account updates. If you are maintaining the list manually, you'll need to either create a form/page/script to maintain the payment table (or, if you're masochistic, you can use phpMyAdmin to work on the table directly). If you are using a payment processor, see their developers site for information about the APIs and requirements.

[ralcala21]

This login form -> admin area is a very asked / discussed topic so don't be afraid of asking these things, my experience with PHP/MySQL is only about 2 years but as the previous user mentioned you need and attribute that can identify users inside your website. This attribute is often called "Role" each role has different "privileges" inside your system, those depend on you, for example visitors, paid user and admins can have access to different areas in your system.

Well to sum up your question. I will list some things you'll need to consider:

1. Add a Role attribute to your Users
2. For security purposes your Users' credentials should be separated from your Users' info in a table called "Credentials" maybe. You can store here username, password and role.
3. Make your users use a strong password. Require a minimum of 8 characters and advice them to use numbers and letters with special characters.
4. If you are not using HTTPS for your login, always use POST method and cypher the password using Javascript. User SHA1 or SHA256 algorithms.
5. Also save passwords cyphered in your database.
6. Decide if your gonna use
   Code:

   $_SESSION

   variables,
   Code:

   $_COOKIE

   variables, DB session management or a combination of the previous to manage your sessions. This depends on how much control you have over your server and how many users you have in your website.

Well there many more things to consider, but I think these can give you a nice clue to start and dig more info on Google. Remember that security is the most important thing on a web application but it has to go hand in hand with performance and usability.

Good luck!

[graphico]

Wow Thanks esseller and rascala21, useful information I think im going to have to have a lie down before I can handle this, do you know of any good tutorials to cover this topic.

Cheers again guys

[essellar]

Actually, security should go against performance; "high-performance" security features make brute-forcing easier. And when payment is involved, keep the info out of the browser (that is, use server-side sessions rather than cookies to hold session data). (And since it is possible to edit your live web page locally and otherwise monkey with cookies, it's better to leave cookies out of the deal altogether except for "unimportant" things like preferences. Session cookies should always be checked against server-side sessions for validity.)

[callumacrae]

http://www.google.co.uk/search?q=PHP+member+area ;)

You could try http://php.about.com/od/finishedphp1...gin_code_6.htm

~Callum

[lemon-tree]

You could try http://php.about.com/od/finishedphp1...gin_code_6.htm

That's probably one you should avoid; sure it's very simple to understand but it also has more security issues than I care to count. For example, it's keeping the actual password value in plain-text in a cookie and is then failing to hash it when in the database.

[callumacrae]

whaaat. That's rubbish. Don't use that one

~Callum

[graphico]

Thanks for all the replies, im using this tut at the moment..http://www.1stoptutorials.com/Create...a-Lesson2.html