- Develop a login <form> to collect user credentials
- Authenticate the user credentials against encrypted passwords stored in the customer table
- Use the IP address of the login request to deny access to requests from other machines
- Develop a function that is included on each page to deny access without a successful login
- Develop a logout function
Case study overview
Each customer of the winestore has an entry in the customer table that records confidential account details, including delivery address and credit-card details. Given such information, there is a good reason to restrict access to the application and protect confidential data.
We design the login page as a <form>, and the authentication is handled by the script that processes POST variables. The POST method is used rather than the GET method to prevent the username and password from appearing in the URL. The authentication uses a query on the customer table to check the credentials; we use the approach described in Section 9.3.
We create a session to record the username that is authenticated and the IP address of the machine from which the login request originated. Each protected script then tests for the existence of the session variables that hold the authenticated name and the originating IP address and checks these against the originating IP address of the request for that script.
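The steps listed above, carried through as one script, appear below as an added example; this is not the book's winestore code. It assumes a PDO connection to a MySQL database holding the customer table, a `user_name` column and a `password` column containing `password_hash()` output (the hashing scheme is an assumption, not the one the book uses), and the session variable names `loginUsername` and `loginIP` are hypothetical choices.

```php
<?php
// Added example, not the book's code. Assumptions: PHP 7+, PDO/MySQL, a
// `customer` table with `user_name` and `password` (password_hash() output).
session_start();

// Check POSTed credentials against the hash stored in the customer table.
function authenticate(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM customer WHERE user_name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Verify against a throwaway hash so an unknown user name takes about
        // as long as a wrong password; the result is discarded.
        password_verify($pass, password_hash('unused', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($pass, $row['password']);
}

// On success, record the authenticated user name and the originating IP
// address in the session. The session ID is regenerated so a session fixed
// before login does not carry over into the authenticated state.
function login(PDO $db, string $user, string $pass): bool
{
    if (!authenticate($db, $user, $pass)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['loginUsername'] = $user;
    $_SESSION['loginIP'] = $_SERVER['REMOTE_ADDR'];
    return true;
}

// Included on every protected page: deny access unless a login succeeded and
// this request comes from the same IP address as the login request.
function requireLogin(string $loginUrl = 'login.php'): void
{
    if (empty($_SESSION['loginUsername'])
        || ($_SESSION['loginIP'] ?? '') !== $_SERVER['REMOTE_ADDR']) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// Clear the session data, drop the session cookie, and destroy the session.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// The same script shows the form (GET) and processes it (POST), so the
// credentials never appear in the URL.
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Placeholder connection details; replace with the application's own.
    $db = new PDO('mysql:host=localhost;dbname=winestore', 'DB_USER', 'DB_PASSWORD',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    if (login($db, $_POST['loginUsername'] ?? '', $_POST['loginPassword'] ?? '')) {
        header('Location: index.php');
        exit;
    }
    $error = 'Login failed.';
}
?>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
  <?php if ($error !== ''): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
  <label>Username <input type="text" name="loginUsername"></label>
  <label>Password <input type="password" name="loginPassword"></label>
  <input type="submit" value="Login">
</form>
```

A protected page calls `requireLogin()` immediately after `session_start()`, before any output, so the redirect header can still be sent. The IP check uses `REMOTE_ADDR`, the address of the TCP peer, rather than a client-supplied header such as `X-Forwarded-For`, which a request can set to any value; when users sit behind a proxy or load balancer that changes their apparent address between requests, this check will log them out unexpectedly, so it complements rather than replaces the session ID regeneration done at login.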
While the pages we have developed on the online winestore site are more attractive than the examples in this section, the structure of the code is the same.