Easy-to-follow video tutorials help you learn software, creative, and business skills.Become a member
In this chapter, we will learn to restrict access to a portion of our application, so that only admins who log in with a valid user name and password can have access to those pages. We call this process, User Authentication. User authentication, and the related topics of encryption and security are not exactly beginner topics, there's a lot to learn there. The password protected areas have become so common that you're almost guaranteed to need one in every site you build, even if you're a beginner. And it's important to add your user authentication correctly, because mistakes in this area can be especially costly. We'll start by getting an overview of the process.
And to do that I want to begin with an analogy that I think will help you to understand it. Imagine that you are going to be purchasing tickets to a concert or an event. You go and you pick up the tickets. You wait in line, they let you in. They even stamp your hand at that point, letting you know that you have been allowed into the concert. You have either a wrist band or hand stamp or something like that. At that point, you can actually come and go into the event. You can move around the different rooms. And all the time, they'll know that you've given your ticket and you're allowed to be there, because you either have this hand stamp or the wristband.
Well, it works the same way here with our pages. The Admin is going to create a user in the database. That's like purchasing tickets for a concert. At that point we have the ability to attend, even though we haven't attended yet. Then when the user comes to the site, they log in via a login form, that's like waiting in line to pick up your tickets. When the application authenticates the user. That is, takes that username and password and sees, are they valid, that's like presenting your identification, getting your tickets and then getting a hand stamp so that you can then enter. And you can then go where you want inside the event. When the user requests additional password protected pages, well, that's like showing your handstamp.
You can avoid the line, you can simply just re-enter, because we know that you have that stamp or wristband, we know that you're allowed to be there. And last of all, when a user logs out, that's like washing away the handstamp. It essentially says at that point, you're no longer allowed to be in the event, you need a new ticket to get back in. You need to start the process over again. So, I think that analogy can be helpful to hold the concept in your head. But, let's talk about it from a more technical point of view. The Admin is going to create a user in the database. The password that they select for that user is going to be encrypted before the user is in stored. So we're not going to store the text of the password as plain text, we're going to need to encrypt it first.
Then when the user logs in via the form, the application is going to authenticate them. It's going to do that by searching for the user name in the database and if that user's found, it can encrypt the password they sent in the login form and compare it with the encrypted version that's sorted in the database. And if they encrypt the same, and we get the same results, we'll know we'll have a match. If the password matches, it's going to set a variable in the session to the user ID. That's like getting the hand stamp. And then it's going to redirect to a post log in page. Then, when user requests additional password protected pages, that cookie and session data are going to be available with each request. Remember, HTTP doesn't have a state of its own. Cookies and session data are how we recognize a user from page to page. So we'll check that session data, and we'll look for the user ID. Remember, that's just like the hand stamp, so we're looking to see if that hand stamp is there.
And if it is there, we'll know that they're allowed to see the requested page. If it's not there, we'll redirect them to the login form and say sorry, you need to log in; you're not authenticated. And then of course, last of all, when the user logs out, well then, we'll just set the user ID that's stored in the session variable to NULL. It's essentially like erasing their handstamp. At that point, they're no longer authorized to see these password protected pages. So, now that we have an overview of the process, we're ready to actually start coding. And the first thing we need to do is create CRUD for our admins, so that those admin users can create other admin users, and assign usernames and passwords to them.
Once we have that CRUD in place, then we'll be able to start talking about encryption and about checking to see whether a user is logged in on each one of the pages.
Get unlimited access to all courses for just $25/month.Become a member
61 Video lessons · 104416 Viewers
56 Video lessons · 116337 Viewers
71 Video lessons · 85574 Viewers
131 Video lessons · 40964 Viewers
Access exercise files from a button right under the course name.
Search within course videos and transcripts, and jump right to the results.
Remove icons showing you already watched videos if you want to start over.
Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.
Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.