Understanding HTACCESS authentication
If you are starting
from scratch and have no idea how password protecting a directory
this first section I'll just give you a quick example of how you
can protect directories on your server.
You will place
a text file named .htaccess in the directory you want to password
protect. This file MUST be named .htaccess and it will control not
only the directory you put the file in, but directories that reside
AuthName "Yoursite.com's Members Area"
ErrorDocument 401 /access_error.html
Use your text
editor to create a .htaccess file, paste the info above in it, and
upload it to a test directory on your server. Then try to access
the directory in your browser - see how you are prompted for a password?
You will not be able to access the directory. Here's an explanation
of the file:
to the file containing usernames and passwords for access.
2. Standard line
3. Name that will be shown in password prompt box
4. Standard line
5. After 3 unsuccessful tries, the visitor will be sent to
this page in your main web directory.
Many directives can go between the <limit> tags to ban
IP addresses, limit users, etc.
You will need
to create .htaccess files for each directory you want to protect.
Usually, you're interested in protecting only one directory so you'll
only need one .htaccess file. The AuthUserFile will be set to
the path of the password file you designate in the membership script.
Installation of the script
of the script is fairly straightforward. Just extract the zip file
to your hard drive and you'll find a cgi-bin directory and an html
directory. The cgi-bin directory contains all of the scripts you
need to upload and the html directory contains all the template
signup forms you will use.
Create these directories on your server:
(holds the main scripts)
/cgi-bin/members/backup (holds database files and backup files)
/cgi-bin/members/passwords (holds your password lists)
Upload all of the /cgi-bin files into the /cgi-bin/members directory
CHMOD 755: ALL
from FTP client:
Edit config.cgi in your text editor (you could do this before you
upload the files)
connection variables: (get these from your hosting company)
$mysql_password = "password";
$mysql_database_name = "database_name";
$mysql_host = ""; # not necessary
$mysql_port = ""; # not necessary
By default it is "members", but if you already
have a members table in your database you can change it to something
else. To prevent future conflicts with other scripts you could call
it "yoursite_members" or something similar.
= "members"; # Set this before you run create.cgi
path to the backup directory
This is an important directory that will contain some data
files as well as any text file backups you make of the database.
Make sure you do NOT put a trailing slash on the path.
path to the directory containing membership "cash-in"
It's best to just set this to the backup directory as well.
the directory containing the cgi scripts
This will be the URL to the members directory that contains
all the .cgi files.
This is the admin page login password. Change this from
"superpass" or everyone will be logging into your admin
$admin_pass = "superpass"; # Admin login password
This is the email address used in outgoing emails. Make
sure there is a \ before the @ sign.
You can usually just leave this to /usr/sbin/sendmail as
this is the default sendmail path.
$mail_prog = "/usr/sbin/sendmail"; # path to sendmail
This is a secret word that adds extra fraud protection to
different features of the script. Right now it's only needed by
the sendcode.cgi file to send out a code - but it will be used for
other things in the future.
$secret = "SECRETWORD";
log analyzer settings
You must put in the full server path to the server log of
your site. This is not required, but it's the only way you
will be able to use the script to analyze your server logs for logins.
The base_url should be your main domain name and is used to display
the server log data.
$base_url = "http://www.yoursite.com";
and footer files
You need to create and upload html header and footer files
if you want to customize some of the pages to match your site. Once
uploaded, chmod the files 666 and make sure the full server path
to the files is correct in these variables.
$path_to_footer = "/home/yoursite/html/footer.txt";
Do not change this variable. It's for future use only.
Step 4: Run
the create.cgi script in your browser to create the database tables.
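The following audit is an added example, not part of the script's distribution: it reports config.cgi settings that still hold the values printed in these instructions and lists files left world-writable, such as header or footer files uploaded with mode 666. The function names and the sample install built in a temporary directory are constructed for illustration, and it assumes each setting sits on its own line in the $name = "value"; form shown above.

```shell
#!/bin/sh
# Added example, not part of the membership script. Sample data is constructed.

# Print the name of each setting in CONFIG that still holds the value
# shown in the installation instructions.
shipped_defaults() {
    awk -F'"' '
        /^[ \t]*\$admin_pass[ \t]*=/     && $2 == "superpass"  { print "admin_pass" }
        /^[ \t]*\$secret[ \t]*=/         && $2 == "SECRETWORD" { print "secret" }
        /^[ \t]*\$mysql_password[ \t]*=/ && $2 == "password"   { print "mysql_password" }
    ' "$1"
}

# Print regular files under DIR that carry the "other" write bit (for
# example mode 666), which any local account on a shared host can modify.
world_writable() {
    find "$1" -type f -perm -002 | sort
}

# audit_install DIR: report both kinds of finding for an install whose
# config.cgi sits directly in DIR. Returns non-zero if anything was found.
audit_install() {
    findings=$( { shipped_defaults "$1/config.cgi" | sed 's/^/default value: $/'
                  world_writable "$1" | sed 's/^/world-writable: /'; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample install: two settings left at their defaults and a
# footer file uploaded with mode 666.
demo=$(mktemp -d)
cat > "$demo/config.cgi" <<'EOF'
$mysql_password = "k3-constructed-value";
$admin_pass = "superpass";   # Admin login password
$secret = "SECRETWORD";
EOF
chmod 755 "$demo/config.cgi"
: > "$demo/footer.txt"
chmod 666 "$demo/footer.txt"

audit_install "$demo" || echo "fix the findings above before running create.cgi"
```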
Setting up your first account
Once you have
the script installed, the next thing you need to do is log into
the admin page and go to the edit areas link on the bottom right
of the main page.
Here is where
you will create and edit each membership area. Here is an example
of the settings:
to password file:
This is the full
server path to the file containing the passwords for your membership
area. Most likely you will want to put them all into the /cgi-bin/members/passwords
folder. But you will still have to name each file:
would be a sample entry. This is the same path that you will have
at the top of your .htaccess file in your password protected directory.
to members area:
This is the full
url to the members area main page. New members will be forwarded
to this page once they create or receive their login info.
This is the duration
of their membership in days. Right now the setting goes up to 9999
days, which is effectively lifetime access. When the 30 years passes
I'm sure this script will be updated to accommodate it.
Check this box
if you want the template email sent out to new members upon signing
path to initial signup email:
This is the full
server path to the template of the email you want sent to members
on the initial signup. The email should be in the format where the
first line is the SUBJECT and every line after that is the MESSAGE.
You can customize the email with tags: <name> <username>
<password> for all the database fields in the @the_fields
variable. These tags ARE CASE SENSITIVE.
Check this if
you are sending out cash-in codes instead of giving "live"
real-time access to the members area.
to cash-in code page:
If you have the
above set to yes, you'll put the full url to the cash-in code page
(template provided in the html folder)
new members to pending?:
Turned on, this
will mark all new accounts inactive until you approve them at the
checking after signup:
This will use
cookies to only activate an account once for real-time transactions.
This is on top of other fraud prevention mechanisms used to prevent
multiple account signups.
These two variables
do not have a function yet.
Creating your members directory
This is fairly
simple. Just create a .htaccess file as outlined in section 1. Then,
at the top of the .htaccess file, you will need to make the path
to the password file match the "path to password file"
that you set in section 3. That's it!
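The check below is an added example, not part of the membership script. It confirms that the AuthUserFile in a members-area .htaccess matches the "path to password file" set at the admin page, that the other Basic authentication directives are present, and that the password file does not sit under the web root. The paths, the area1.txt file name and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the script's distribution). All paths are constructed.

# Print the AuthUserFile value from an .htaccess file, quotes stripped.
auth_user_file() {
    awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# check_htaccess HTACCESS EXPECTED_PASSWORD_FILE WEB_ROOT
# Prints one finding per line and returns non-zero if there are any.
check_htaccess() {
    ht=$1; expected=$2; webroot=$3; rc=0
    actual=$(auth_user_file "$ht")
    if [ -z "$actual" ]; then
        echo "missing AuthUserFile"; rc=1
    elif [ "$actual" != "$expected" ]; then
        echo "AuthUserFile '$actual' differs from configured '$expected'"; rc=1
    fi
    # Basic authentication also needs a realm, a type and a require line.
    for d in AuthName AuthType require; do
        grep -qi "^[[:space:]]*$d[[:space:]]" "$ht" || { echo "missing $d"; rc=1; }
    done
    # A password file under the web root can be fetched by any visitor.
    case $actual in
        "$webroot"/*) echo "password file is inside web root $webroot"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a complete .htaccess for one membership area.
sample=$(mktemp -d)
cat > "$sample/.htaccess" <<'EOF'
AuthUserFile /home/yoursite/cgi-bin/members/passwords/area1.txt
AuthGroupFile /dev/null
AuthName "Yoursite.com's Members Area"
AuthType Basic
ErrorDocument 401 /access_error.html
# Outside <Limit>, so the rule covers every request method
Require valid-user
EOF

check_htaccess "$sample/.htaccess" \
    /home/yoursite/cgi-bin/members/passwords/area1.txt /home/yoursite/html \
    && echo "OK: .htaccess matches the configured password file"
```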
Connecting the script to your payment processor
the "cash-in" code feature (delayed access, but maximum
security and control)
it takes a little more work and accounts aren't created "on-the-fly",
the cash-in code feature works great to screen payments before giving
out memberships and it's also great if you are accepting multiple
methods of payment.
sure at the admin page you turn on the cash-in code feature for
your membership area.
the /html/cashin_code folder of the zip file you'll find a template
"cash-in" page that you will upload to an html viewable
area of your site and also set the url to this file at the admin
area config (Url to cash-in code page).
just set up all your payment form buttons and when a sale is made,
simply log into the admin page, paste in the buyer's email - and
a code will be sent to them instantly. That's it!
can OPTIONALLY use your payment systems to automatically send codes
out to people who make purchases. All you need to do is have your
payment system trigger the sendcode.cgi file. You just need to forward
them to the file like this by either redirecting them, using a text
link, or a form button:
Make sure all
of the capitalized fields are substituted into the url properly.
This is an advanced method as you'd probably have to custom code
your shopping system to do this. Typically this is done by creating
a form button that sends the user to this file, or a text link.
automatic access to paying members
When you want
to give automatic access, basically the buyer will make a purchase,
then be sent to the page where they can create their account. In
order to make this 100% foolproof you'd have to use a payment system
that only shows them this account creation page once. For example,
if they save the url or try to reload it the form should NOT show
back up. Most of the time people are more interested in getting
what they paid for than in defrauding your system, so if you can't
do this then don't worry.
sure you have the cash-in code feature turned off for your area
the /html/instant/create_membership.html template as the "membership
creation page". Make sure to open and edit the file to specify
the area name for the membership and have the form point to your
copy of cashin.cgi. For example, if you were using IBILL, you could
use this page as your "webgood" page.
this point, you would just make a test purchase and make sure the
membership creation page shows up and a new member is added properly
after it's filled out and submitted.