Setting Up A Streaming Subscription Site, Part 2

Integrating Web site security management with user tracking

You’re going to have to track your users so that you know who has visited the site and what level of privileges to grant them. Assuming that you have used Apache as your SSL server and that you have used mod_ssl, we should discuss how all this fits together. This section applies equally to Windows and Linux users.

By this point, we’re assuming you’ve got a Web server up and running and it has a valid security certificate that can accept transactions. But you need more. You need to be able to limit user access to your site content until they have paid for it. After it’s been paid for, you want to ensure that only the user who paid for it can access the content.

We need to implement several levels of security to protect the contents of your site. These protection elements require identifying the customer – after all, you cannot validate their access without knowing who they are.

If you’re selling "soft" goods there are a number of schemes that you can use to protect the content. The primary concern is protecting the download area of your site so that only an "enabled" user can download your product (you don’t want someone to simply give out the password to a protected area of your site and have thousands download it).
So you will need three components:

  • Password generation scheme
  • Database application to record the user names and passwords
  • Connection between your Web server (Apache with modules) and the database.

    Our recommendations for software components would be these:

  • Password generation: PHP (a free scripting language) and general scripting
  • Database application: MySQL (a free, ODBC-compliant, open-source database)

    These three applications (PHP, MySQL, and Apache) have been modified by the creators to work gracefully together. Now you can use PHP as a front-end tool to connect to MySQL. MySQL integrates nicely with Apache as well and it has its own built-in password system that allows secure access to the database.

    Typically you would include a "validation" script at the top of all your HTML pages (use a server-side include so that it is the first thing loaded in all your pages). A server-side include is code that is executed on your Web server before the Web page is served up to your user. It is a commonly used technology for things like page hit counters, clocks, and image rotations. Most books on Web development will have an explanation of how to turn on this functionality in your server and how to use it. The validation script checks whether or not your customer has logged in (a cookie validating their login is written to their machine at login time). If they have not, they are either redirected to a login page when they want to see a page on your secure server, or you can launch a script window to require a login before they can load the page. Don’t worry about having to write these scripts, because there are a ton of them out there already written for you.

    Get your complete user authentication system for free!

    You’re in luck! A pretty complete user authentication system can be obtained at the PHP Builder site. It handles registration, cookie management, confirmation e-mails, and account updates. It depends on your having MySQL installed, so it pretty much does everything we have discussed in this article (on the authentication and user tracking sides). You will still have to integrate it with your e-commerce server but the lion’s share of the work will be done if you use this script library.

    Our recommendation would be to use a PHP script on the front end (integrated with your Web site) to issue a password and login to users when their electronic funds transaction has been verified. Use the PHP API (application programmer interface) built into MySQL to pass the password and login into the MySQL database. Now you have access to all your users (and any other information you collected) and you can do fancy things like expire their access, or limit their access to certain areas of your Web site. The script we mentioned (from PHP Builder) will do all of this for you.
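
The validation script and the post-payment credential step described above, sketched as an added example (this is not the PHP Builder library or code from this article). Table, cookie and function names are hypothetical, in-memory SQLite stands in for MySQL so the script runs without a server, and the 7-day default follows the one-week access window this article recommends.

```php
<?php
// Added example; table, cookie ("sid") and function names are hypothetical.
// In-memory SQLite stands in for MySQL so this runs without a database server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (login TEXT PRIMARY KEY, pw_hash TEXT, expires_at INTEGER)');
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, login TEXT, expires_at INTEGER)');

// Call only after the payment has been verified. Returns the one-time plaintext
// password to show or e-mail; the database keeps only its hash.
function issue_credentials(PDO $db, string $login, int $days = 7): string {
    $password = bin2hex(random_bytes(12));  // from the CSPRNG, not rand()
    $db->prepare('INSERT INTO subscribers VALUES (?, ?, ?)')
       ->execute([$login, password_hash($password, PASSWORD_DEFAULT), time() + $days * 86400]);
    return $password;
}

// Login page: check the password and the paid-for window, then mint a random
// session token. Only the token's SHA-256 is stored server-side.
function log_in(PDO $db, string $login, string $password): ?string {
    $stmt = $db->prepare('SELECT pw_hash, expires_at FROM subscribers WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires_at'] < time() || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $login, (int) $row['expires_at']]);
    return $token;  // send with setcookie() using the secure and httponly options
}

// The "validation script" included at the top of each protected page: the cookie
// is only a lookup key, and access is decided by the server-side row and its expiry.
function validate_request(PDO $db, array $cookies): ?string {
    $token = $cookies['sid'] ?? '';
    if (!is_string($token) || $token === '') { return null; }
    $stmt = $db->prepare('SELECT login FROM sessions WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $login = $stmt->fetchColumn();
    return $login === false ? null : $login;  // null: redirect to the login page
}

// Constructed demo data.
$pw    = issue_credentials($db, 'subscriber@example.com');
$token = log_in($db, 'subscriber@example.com', $pw);
var_dump(validate_request($db, ['sid' => $token]));    // valid session
var_dump(validate_request($db, ['sid' => 'forged']));  // unknown token
```

Because the session row carries the subscriber's own expiry, a shared or stolen cookie stops working when the paid-for window closes, and deleting the row revokes it sooner.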

    Track your users as they move throughout your site

    If you are interested in how users are navigating your site (useful in optimizing your site), it is quite possible to use PHP and MySQL to track users and to store this data in the MySQL database (rather than in a log file). Then you can run queries on the database and figure out who is going where and for how long.

    There is a very nice (though technical) article on integrating PHP and MySQL at www.webreference.com. The author goes into great detail on how to design and implement data structures within your new MySQL database.

    A new book out on this subject is called "Web Programming in Python: Techniques for Integrating Linux, Apache and MySQL" at Amazon.com. We haven’t read it but the editorial reviews suggest that it might be extremely helpful to those of you who need step-by-step help in installing and configuring Python, Apache, and MySQL and making them work together. We encourage you to continue looking on the Web though since all of this information is available for free.

    Because all these applications are open-source, they are available to you at no cost – other than your time to install and configure. The sole cost you will encounter is obtaining a certificate for your e-commerce server (the Apache server with mod_ssl or Apache SSL) and the time you need to invest.

    When you are done installing and configuring your software, your site will allow users access to your precious content only after they have been authenticated. We would recommend that you permit access for only a limited time – say a week. This will allow your users enough time to download the content they need but not so much time that the maintenance of your site will be difficult.
