got an idea, need some help

morbidchick

Hi all

I need some help with an idea. I am wanting to allow people access to my website by using a pin code.

The problem I am having is that I need the pin code to be timed.

For example I want to allow 1 hours access, then 1 days access, then access for a week and a month but I dont know how to do that in php can anyone help? flutter of eyelids

Thanx

Emma

jpmoriarty

how'd you mean? you want them to enter a code to get to the site, and on their first visit they can stay for one hour, on their next they can stay for one day etc?

if that's the case then you need a database with username and code (so you can design your pages to check they have entered the right code), a field for "number of visits", and a field for "last login time" which will be a UNIX timestamp.

when someone logs in successfully you can add one to the number of visits field, and then at the top of each subsequent page you can check to see if they're allowed to be on it in two stages - first, see if they're logged in, and second see if their time is up (so you'd need an if clause that runs something like:
if "number of visits" = 1 then expire time = login time + (6060)
if "number of visits" = 2 then expire time = login time + (246060)
if "number of visits" = 3 then expire time = login time + (7246060) etc etc
then you can check that the expire time is greater than the current time, and if it is then you display the page.

Does that help?

BuzzLY

Create a table to store the pin codes. In that table, create the following columns:

id (auto-incremented)
userID
pinCode
pinType (perhaps 1=hourly, 2=daily, etc?)
pinStart (The date and time that the pin began its use.)

When a user enters her pin, do a lookup to this table to check that the pin is valid, and that the pin has not expired (based on the pinType and pinStart columns).

Hope that helps!

morbidchick

BuzzLY is nearly there. Basically I need to be able to set the pins time limit as explained I will want a few option ranging from an hour to days.

When the user logs in an accurate pin, they are passed from that page to one on another server. I need this to be secure and unseeable. But I need it to kick out people after the alotted time (ie 1hour) or if they close the window and come back later for it to know how long they stayed and let them back to the page, then expire the pass and take them else where when time is expired.

Its really confusing for me to get my head around but thanx for wanting to help me.

Emma

BuzzLY

Set a cookie with an expiration time/date based on the amount of time they are alotted. Whenever accessing a secure page, always check for the cookie. If it doesn't exist, then they no longer have access to the page, and you can redirect them to a page to purchase more time (if that is the sort of system you are building).

Your other option, if you don't want to use cookies, is to do the pin lookup each time you load a secure page. If you use this method, I recommend you create a special php page to do the lookup, and include it at the top of each secure page. That way, if you need to make changes in the code, you only have to do it in one place.

The only time you have control is when a page is loading. Once the page is loaded on the user's screen, you have no more control. Therefore, if you want to log them out after a certain amount of time, then use a Meta refresh on the page. Make it refresh every 5 minutes -- that way if a users tries to "sit" on a page past the allotted amount of time, once the page refreshes it will see that their time has expired and redirect them to the purchase screen.

morbidchick

yes it is such a system.

im not sure which is best at all. I dont know how to do cookies.

Ive seen what I want running I logged in with a pin I purchased and it let me in for an hour but it had a top frame with a timer in, is this done with javascript?

morbidchick

could cron be used? I just came across it on here. I could run that on a different frame checking the database evey second and as soon as the time is up then it boots them off.

Sxooter

There's a general rule about things like this. Only pass to and from the user what you HAVE to to get this to work.

For instance, setting a cookie seems great. Til some dickweek punk (like me :-) figures out how to toss the right cookie with wget and grab all the pics from you site in a flicker of an eye, and passes it around in an IRC chat room (unlike me, I'd only do it for myself.... ;⁾ and suddenly you're in the hole $400.00 for bandwidth with 2 $5.00 sales. :-(

Assume the little weenies are looking at how to hack you. Don't do anything that will let them.

OK, back to the issue at hand. Let's say you set a pin. We'll use some randomly generated alpha-numeric from 000000 to zzzzzz for this test. I use Postgresql, you get to translate if necessary.

create table pin_numbers (
  id serial,
  pin char(6),
  start_time timestamp without time zone,
  end_time timestamp without time zone,
  fieldx text
);

$now=date();  <-- you figure out the time.
select id from pin_numbers where start_time <$ 'now ' and end_time > '$now';

if you get back the id, the pin is valid, if not, it isn't. every 24 hours go in and delete obsolete pins.

morbidchick

thanks Sxooter I dont like the idea of cookie ne way.

I dont have and cant use Postgresql.

Sxooter

Originally posted by morbidchick
thanks Sxooter I dont like the idea of cookie ne way.

I dont have and cant use Postgresql.

Do you have any database you can use? If not, then you can just do plain text file with flock(). and write a file with lines something like:

a3cto3 1046736000 1046739600

where the two numbers are time stamps for the beginning and end period. You gotta use flock when writing so your file don't get clobbered.

Are you familiar with fopen/fwrite/fputs/fgets/fread/fclose/flock ?

see http://www.php.net/manual/en/ref.filesystem.php

Sxooter

How much control of this "other server" you mention do you have? If none, then you should look at reverse proxying the server with your apache server, which isn't very hard to do at all, and applying httpd authentication on top of it all on your own server.

Easy as pie.

Then you just make a few scripts to add / remove accounts from your htaccess files as you go along. when their times up the cron job takes them outta the list and they can't log in. Make a custom error page toss them into the "enter cc number here for more hbspgg action pics" screen. :-)

morbidchick

going to use mysql, but how scalable is it?

Sxooter

in a mostly read environment, it's pretty good, when you start writing to it much it can slow to a crawl and become unresponsive.

But it's still better than rolling your own, so to speak.

morbidchick

so in total what would be the best way to develop the full system that I need?

Sxooter

Well, you still haven't answered my question about the second system you'll be sending folks to. Is it yours, external, etc... Can you get it to time out on it's own after a while? Can you set up reverse proxy's in your apache for this?

Generally, what you need is to create a table like the one I mentioned earlier, but with MySQLisms in the place of Postgresqlisms (there was only one or two I can think of.) And do it the way I showed there. The whole system is a fairly decent undertaking. Are you doing it all yourself?

morbidchick

I will be sending people to a range of external websites, through to their members area.

I am going to have to build it myself im a nOOb at php and i cant afford to pay a developer to do it for me.

its a bit upsetting really

Sxooter

Well, no time like the present to learn.

What you really need is to figure out which methods are best for what you're trying to do, and implement them one piece at a time.

If you can admin your own apache box, then reverse proxying the other sites is the best answer, as it lets you run all the authentication on your box, and and the user never knows they are getting content from elsewhere, as it all seems to be coming out of your apache box.

Of course, then you'll be handling bandwidth charges for all the outgoing connections, and that might not be cheap.

morbidchick

The only other way I can think is to add the pin to the external webiste but I dont know which are the most common access methods and I dont know how to place the pin on the website.

The next thing would still be the time issue

your help and others has been a great help thank you all.

leatherback

Hm..
Just thinking, and I am not sure whether this is at all possible...

Use a frameset: Topframe with a meta-refresh, but 0 pixels high (So not visible). Refresh this say every 5 or 10 seconds. This you will use to register time left, say through a session. Once people log off, you register the time left in a DB table with user / pin / time left

In the bottom from you include the page you refer to. (And I mean include. NOT link. So you have your own page in the bottom frame, which has as only content the PhP include command
for the page you want to show.

This is of course also only if people have entered the right password, registered in the session. If I am correct, sessions are not registered on the user system, and cannot be faked (Maybe somebody can confirm this??). So then you have a fairly foolproof system?

Once the time in the top frame has run-rout, you can reload the whole page, and load a "buy-more-time" frame.

Hope this helps?

morbidchick

thanks leatherback that sounds the best way kinda an idea someone I know had.

So would the page in the top frame be php and how do you set up a session to time??