PHP-Based User Authentication

by Scott Allen

There comes a time for every web designer when it’s necessary to password protect a page. If you’ve never done it before, it can be a daunting task. There are a lot of options, too many in fact. Do you do it in JavaScript, PHP, ASP, ColdFusion, Perl (CGI), .htaccess, etc.? I’ve got a few recommendations and a great article to get you started.

First off, I would highly recommend you NOT password protect anything with JavaScript. I’ll give you a little background, just in case you’re not familiar with Server Side vs Client Side scripting issues.

Picture the internet as a window to a house. (More like a one way mirror.) Inside the house is the server side and you can’t see what’s going on in there from the outside of the house. Outside the house, the client side (or browser side), everything is in plain view and it can be seen from outside or inside the house.

Client-side scripts such as JavaScript or AJAX get executed on the client side, outside the house, and the code is in full view to anyone who chooses to click “View Source”. Your code is naked, free for anyone to steal or hack. But there are a lot of times when executing code on the client side is very advantageous, like when you need to update code on the page without reloading it, so it’s not all bad.

Server-side scripts such as PHP, ASP, ColdFusion, Perl (CGI), etc. have a lot of advantages, including that they are more secure. They execute on the server and write their output to the page, so that by the time it is viewable in the browser (or outside the window), it looks like static HTML. Search engines like this better, and your casual viewer can’t grab your code and mess with it. One drawback is that you can’t update the code of the page without reloading it, like you can with JavaScript or AJAX.

One option is to put your password protection in your .htaccess file. This can usually be done by simply going into a web management suite such as cPanel and configuring “Password Protect Directories”. This way is simple and secure. It works well, but it limits your options. For example, you might want people in your office to have free access to your intranet, but require a login from outside the office. This gets tricky if you use .htaccess.

My preference for programming languages is PHP. (Personally, I feel it’s a more robust, accessible and efficient language than some of its competition, but there are plenty of credible web programmers who would disagree. Ultimately it boils down to which language best fits your programming style.) That being said, I’d recommend programming your password protection in your PHP code, for pretty good security. (For high-security issues, I would consult an IT security expert.)

Here is a great article to get you started on setting up your PHP-Based User Authentication.
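
The office-versus-outside case described above, as an added example (not code from this article or from the article it links to): a PHP include that lets requests from an assumed office range through and requires a server-side password check for everyone else. The range `192.168.10.0/24`, the `alice` account and all function names are constructed for illustration.

```php
<?php
// auth.php (added example): require this file at the top of each protected page.
declare(strict_types=1);
const OFFICE_CIDR = '192.168.10.0/24'; // assumed office range (constructed value)

// Constructed demo account. In practice, store the output of password_hash()
// in a database or config file, never the plain-text password.
function load_users(): array {
    return ['alice' => password_hash('demo-password-change-me', PASSWORD_DEFAULT)];
}

// IPv4-only CIDR match; anything malformed counts as "outside the office".
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = -1 << (32 - (int) $bits);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function check_login(string $user, string $pass, array $users): bool {
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function require_auth(): void {
    // REMOTE_ADDR comes from the TCP connection. Do not use client-supplied
    // headers such as X-Forwarded-For for this decision.
    if (ip_in_cidr($_SERVER['REMOTE_ADDR'] ?? '', OFFICE_CIDR)) {
        return; // inside the office: no login required
    }
    session_start();
    if (!empty($_SESSION['user'])) {
        return; // already logged in
    }
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    if (is_string($user) && is_string($pass) && check_login($user, $pass, load_users())) {
        session_regenerate_id(true); // new session ID after login (blocks fixation)
        $_SESSION['user'] = $user;
        return;
    }
    echo '<form method="post">User <input name="user"> Password '
       . '<input type="password" name="pass"> <button>Log in</button></form>';
    exit; // nothing from the protected page is sent without a valid login
}
require_auth();
```

The check runs on the server before any page content is sent, so none of it is visible through “View Source”. If the site sits behind a reverse proxy, `REMOTE_ADDR` is the proxy’s address and the office test has to be adapted.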
