User login system
Pattons3rd
June 26th, 2007, 02:25
I know it is pretty easy to do with .htaccess but I wanted to use PHP or something like it because the user login popup from htaccess is kind of confusing.
Would I make a MySQL database with 3 columns user_id, user_name, and password?
Or is this a hard way to do it?
Should I just use a ready made script?
devofash
June 26th, 2007, 10:14
I personally use .htaccess coz I'm the only user, so I find it easier. But u can use a php mysql login, there's lots of scripts out there, and if u have a general knowledge of php mysql then it's not that hard either.
Pattons3rd
June 26th, 2007, 16:12
So you're saying that I should do what I said with the 3 columns?
I might try out a pre-made script but I was hoping to be able to do it myself for the experience of it.
BigBison
June 26th, 2007, 20:42
I know it is pretty easy to do with .htaccess but I wanted to use PHP or something like it because the user login popup from htaccess is kind of confusing.
However, using HTTP authentication (set up in .htaccess) follows standards. Most importantly, your pages can still be cached, whereas using cookies for auth renders the result uncacheable. Setting up HTTP auth properly is secure, whereas PHP apps are always releasing security patches which inevitably result from going against standards.
You can go either way, just be aware of the tradeoff.
kirxklox
June 26th, 2007, 21:00
If you are going to use PHP or any other App add a Column called Display_Name. This will provide another level of security that most do not use that should be.
Pattons3rd
June 26th, 2007, 21:26
However, using HTTP authentication (set up in .htaccess) follows standards. Most importantly, your pages can still be cached, whereas using cookies for auth renders the result uncacheable. Setting up HTTP auth properly is secure, whereas PHP apps are always releasing security patches which inevitably result from going against standards.
You can go either way, just be aware of the tradeoff.
I really would like to use htaccess because it seems simple enough and quite secure.
But, is there any way you could replace the popup alert with a login form?
I didn't think there was which is why I was kind of leaning to PHP.
If you are going to use PHP or any other App add a Column called Display_Name. This will provide another level of security that most do not use that should be.
So would this be something like a copy of user_name to keep it secure?
kirxklox
June 26th, 2007, 21:37
no
Pattons3rd
June 26th, 2007, 21:41
So what would the value of Display_Name be?
chaos
June 26th, 2007, 21:41
I was wondering how to make a PHP one as well. I got lost in my research when I started seeing Session stuff... not to mention I have no idea with this MySql stuff. Maybe I'll just have to figure out this HTTP authentication stuff and use that...
BigBison
June 27th, 2007, 03:57
But, is there any way you could replace the popup alert with a login form?
Yes, there is a way, but it's very complex. Just deal with the popup box, I say, because security is more important than appearance.
kirxklox
June 27th, 2007, 04:49
This Message Board uses a Table to validate registration. Keeping it simple, user_id, user_name, encrypted password
For this Message Board the user_name and display_name are the same.
I recommend a separate Column entry as a display_name that is not tied to the required Log-In so that the user_name is never displayed. This increases the security of your system tremendously.
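The table layout described in the post above (user_id, user_name, a stored password that is not readable, and a separate display_name), as an added example that is not part of the original thread. It uses PHP's password_hash() for the "encrypted password" column; the function names, the sample account and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs on its own.

```php
<?php
declare(strict_types=1);
// Added example. Table layout, function names and the sample account are
// illustrative; in-memory SQLite stands in for MySQL so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    user_id       INTEGER PRIMARY KEY,
    user_name     TEXT NOT NULL UNIQUE,  -- login name, never printed on a page
    display_name  TEXT NOT NULL UNIQUE,  -- public name shown to other users
    password_hash TEXT NOT NULL          -- password_hash() output, not the password
)');

// Hash checked when the login name is unknown, so both failure paths do the same work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function register(PDO $db, string $user, string $display, string $password): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (user_name, display_name, password_hash) VALUES (?, ?, ?)'
    );
    $stmt->execute([$user, $display, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns what the application keeps for a logged-in user, or null on failure.
// The login name is matched only against user_name and is not returned.
function login(PDO $db, string $user, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT user_id, display_name, password_hash FROM users WHERE user_name = ?'
    );
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok = password_verify($password, $row ? $row['password_hash'] : DUMMY_HASH);
    if (!$row || !$ok) {
        return null;
    }
    return ['user_id' => (int) $row['user_id'], 'display_name' => $row['display_name']];
}

register($db, 'jd.login.4471', 'JayD', 'constructed sample passphrase');  // constructed account
var_dump(login($db, 'jd.login.4471', 'constructed sample passphrase'));  // correct credentials
var_dump(login($db, 'jd.login.4471', 'wrong guess'));                    // wrong password
var_dump(login($db, 'JayD', 'constructed sample passphrase'));           // display name used as login
```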
Pattons3rd
June 27th, 2007, 15:54
Yes, there is a way, but it's very complex. Just deal with the popup box, I say, because security is more important than appearance.
Well, in this case security is not really the thing I am going after; I just need to know the account name and that they are logged in.
And it will be more involved in databases so that would keep it simpler.
I will give .htaccess a try though.
This Message Board uses a Table to validate registration. Keeping it simple, user_id, user_name, encrypted password
For this Message Board the user_name and display_name are the same.
I recommend a separate Column entry as a display_name that is not tied to the required Log-In so that the user_name is never displayed. This increases the security of your system tremendously.
I guess I don't really see what that would do if it is never used.
If they knew user_name wouldn't they know display_name?
Sorry about this trouble.
Thanks for all the help you've been giving me guys!
froggy
July 27th, 2007, 20:54
BigBison & Pattons3rd:
I did a quick search for Login Scripts and came across this that I thought you might find of interest:
http://javascript.internet.com/navigation/htaccess-login.html
I haven't used it or tried it yet, but presumably it is the more complex method of embedding the Login/Password fields to a page instead of a pop-up.
BigBison
July 28th, 2007, 06:28
Hmmm, I haven't seen that link before. I was referring to my post (#9) in this thread:
http://www.iwdn.net/showthread.php?t=4071
BigBison
July 28th, 2007, 08:19
Great, and pretty easy. We could even write the HTML form out with Javascript and provide a simple link to non-Javascript enabled browsers. But there's a problem, IE doesn't support usernames and passwords in URLs, they were removed due to a security scare (http://support.microsoft.com/kb/834489), and anyway, the HTTP spec doesn't say we're allowed to have URLs with usernames and passwords in them so we can't guarantee that they work anywhere else either.
http://www.peej.co.uk/articles/http-auth-with-html-forms.html
Which is exactly what this code does:
http://javascript.internet.com/navigation/htaccess-login.html
It's "too good to be true" because it won't work, if Javascript is disabled there's a <form> that does nothing and no fallback means of logging in.
We'll probably play around with this as discussed in the article I linked to at some point, but using a slightly different approach to this bit:
This looks for all anchors with the class of httpauth and replaces it with a nice HTML form with the login() function bound to its onsubmit event.
So now if we set up a HTML page like the following, the login link will be replaced with a login form (if the user has Javascript support) but authenticate the user using HTTP auth:
What we'd do differently, is use a <noscript> tag to surround the link to pick up an easy WCAG accessibility checkpoint. The gist of it is, if Javascript is enabled then make a username/password form. But if Javascript is disabled, in order to get an HTTP authentication popup a link must be followed. Working something out that's both cross-browser and allows logout is the trick.
Pattons3rd
July 29th, 2007, 03:02
It seems like the HTTP method would be better for security, but I am not able to get any host that will allow it even though they say they support .htaccess.
I am just trying for a free host right now.
And I am not sure how to use that.
How could you add a user without having to do it manually?
Gerrit
July 29th, 2007, 03:27
If your host uses CPanel, that's where you manually can add users (and passwords). Here (http://www.technotrade.com/htaccess.html) is a tutorial for accomplishing this via .htaccess.
Pattons3rd
July 29th, 2007, 20:03
Ok, thanks for that...
I'll keep trying with the hosts. :|
Gerrit
July 29th, 2007, 20:10
Ok, thanks for that...
I'll keep trying with the hosts. :|
I don't know how tight your budget is, but you can buy hosting from 3, 4 bucks per month. Compared to free hosting you would have a complete ad-free site and also access to a control panel.
Next to that you'd need a domain name (from 6, 7 bucks per year) so you're all set -- for around 5 bucks per month.
Pattons3rd
July 29th, 2007, 20:23
Pretty tight right now but I don't have very many expenses and I am going to get paid for a site soon, but I am not sure what I will use this for so I was trying to keep it free - just testing.
If I have to pay for this I might just end up using PHP/MySQL for this, free hosts support this better.
<pennypincher>
So, yeah I am just trying things out in case I will need this ever.
And I have a project I would like to make that would need something like this.
I just don't get why they won't allow it :ko: