Okay well lets look at the security side of it first.
1. We need to have a separate directory so as to keep all the secured files separate.
2. We need to have a form for the user to enter their password and user names.
3. We need to check if they are correct.
4. If correct provide a second input field requiring a 36 digit alpha-numeric number for added security.
5. Once the user name, password and 36 digit number have been verified to the correct user redirect to the secured page.
6. On every secured page check to make sure they have been verified to who they say they are, if they haven't load the first login form requesting a password and username.
We could go more in depth but if all you want is for clients to view pieces of work that should be suffice. The 36 digit number may be overkill, but TBH it would make a hacker think there is more than their is, and if they manage to crack it, very unlikely, they would have just wasted their time. I hate hackers, scum. May of been hacked once, not like I was down for 3 days or anything as a result.
.
Right ~
1. Create a directory call it what ever you want, admin, secure-area what ever really, I'll call it admin.
2. In that directory create a PHP file called login.php, a file called client-area.php, another directory called inc, and in the inc directory another PHP file called pass.php, a file called backup.php, a file called check.php and another file called backupcheck.php. Those 4 files all need to go in the inc directory.
So your file structure should look like this ~
Root folder
~admin folder
~~~login.php
~~~client-area.php
~~~inc folder
~~~~~check.php
~~~~~pass.php
~~~~~backup.php
~~~~~backupcheck.php
I promise this looks more complicated than it is, and I've separated it so if you want to add more users, or take users away you only have to open up small files and edit small sections. I'll explain it all so don't worry.
In the files place this ~
Login.php
In here we want to test to see if the form has been submitted, if it has load a separate file to test the username and password. If it hasn't load the login form.
<?php session_start();
if(isset($_POST['user']) || isset($_POST['animal'])){
include("inc/pass.php");
}else{
?>
<form action="login.php" method="post">
<p>
<label for="user">User Name: </label><br />
<input type="text" name="user" id="user" />
</p>
<p>
<label for="pass">Password: </label><br />
<input type="text" name="pass" id="pass" />
</p>
<p>
<button type="submit">Log in</button>
</p>
</form>
<?php }?>
inc/pass.php
This file tests to see if the username and password entered in the form match one that you have set up. To add more, just copy the elseif statement, add the user name and password in the highlighted example and your good to go.
Example of adding a new user:
elseif($_POST['user']=="NEW_USER_NAME_GOES_IN_HERE" && $_POST['pass']=="NEW_PASSWORD_GOES_IN_HERE"){
include("backup.php");
}
-----------------------------------------------
<?php
if($_POST['user']=="jaz" && $_POST['pass']=="jaz_is_a_nice_guy"){
include("backup.php");
}
elseif($_POST['user']=="jack" && $_POST['pass']=="apple"){
include("backup.php");
}
elseif($_POST['user']=="[email protected]" && $_POST['pass']=="supermonkey"){
include("backup.php");
}
elseif(...){
include("backup.php");
}
?>
inc/backup.php
This is the secondary form. This file start by loading backupcheck.php, if it is the first time this file has been accessed then it will load the secondary form asking for a 36 alpha_numeric number, so letters, numbers and some special characters.
<?php include("backupcheck.php")?>
<form action="login.php" method="post">
<p>
<label for="second">Please enter the secondary password: </label><br />
<input type="text" name="animal" id="second" />
<input type="hidden" name="user" value="<?php echo $_POST['user']?>" />
</p>
<p>
<button type="submit">Log in</button>
</p>
</form>
<?php }?>
inc/backupcheck.php
This file tests to see if the second login form has been submitted and if it has if the 36 alpha_numeric code matches to the username you set. It doesn't have to be 36 characters that's just what i set it to. you have total control.If it does it sets a PHP session so we can track them, and redirects them to their own area.
When you set up a new user you will also have to set them up a new 36 character password in this file as well.
To do that just copy and paste the elseif statement and change the variables, but add it before the last else statement so.
Example of adding a new user:
<?php
if($_POST['user']=="EXACT_SAME_USER_NAME_YOU_ADDED_IN_PASS.PHP" && $_POST['animal']=="CHANGE_THIS_TO_WHAT_EVER_36_CHARACTERS_YOU_WANT"){
$_SESSION['monkey']="this monkey's actually a dolphin"?>
<meta http-equiv="refresh" content="0;url=http://yoursite.com/admin/client-area4.php"/>
<?php
}
else{?>
Also you will need to have created a new client area for them first and numbered it. So if they are your 4th client and you created their area as client-area4.php you will have to change the address in the meta refresh so it loads thier right area up.
-----------------------------------------------
<?php
if($_POST['user']=="jaz" && $_POST['animal']=="13456423123457686532As_gFxZ4\Aw1Qp_"){
$_SESSION['monkey']="this monkey's actually a dolphin"?>
<meta http-equiv="refresh" content="0;url=http://yoursite.com/admin/client-area1.php"/>
<?php
}
elseif($_POST['user']=="jack" && $_POST['animal']=="13456423123457686532As_H4324\Aw1Qp_"){
$_SESSION['monkey']="this monkey's actually a dolphin"?>
<meta http-equiv="refresh" content="0;url=http://yoursite.com/admin/client-area2.php"/>
<?php
}
elseif($_POST['user']=="[email protected]" && $_POST['animal']=="13456426789457686532As_gFxZ4\Aw1Qp_"){
$_SESSION['monkey']="this monkey's actually a dolphin"?>
<meta http-equiv="refresh" content="0;url=http://yoursite.com/admin/client-area3.php"/>
<?php
}
else{?>
Right now client area1, client area2, and client area3 are all separate pages containing work for your clients.
Now the only way someone can access client-area1.php is if their name is jaz, the password they entered is jaz_is_a_nice_guy and they enter the correct 36 character back up password for his user name.
Now again the only way someone can access client-area2.php is if their user name is jack, their password is apple and they enter his separate 36 digit number, and so on and so on.
Each client-area1.php is a page you create tailored just for them. So for example it could just say ~
Client-area2.php
You know the client is Jack and you therefore know what work to show him.
<?php include("inc/check.php")?>
<html>
<head></head>
<body>
<h1>Hello Jack</h1>
<p>
Your project is currently 80% complete.
</p>
<p>
Below are the images of your current project.
</p>
<ul>
<li><img src="yoursite.com/admin/img/john1.png" alt="" /></li>
<li><img src="yoursite.com/admin/img/john2.png" alt="" /></li>
<li><img src="yoursite.com/admin/img/john2.png" alt="" /></li>
</ul>
<p>
Any comments or suggestions please feel free to <a href="yoursite.com/admin/contact.html">contact me</a>.
</p>
<p>
All the best SamC.
</p>
Now the only thing left to do is to check to make sure they are logged in, if they are not log them out.
Note that check.php has to be called before any html output otherwise the header to redirect them will spit out an error and not work.
inc/check.php
This file checks to see if they are logged in if not sends them to the log in form to log in.
<?php
session_start();
if(!isset($_SESSION['monkey']) || $_SESSION['monkey']!=="this monkey's actually a dolphin"){
header('Location: http://yoursite.com/admin/login.php/');
}?>
