02-21-2003, 10:24 AM   #5
joe_bruin
creating a login page is pretty easy. create a form with a name and password field and submit it to your verify page. the verify page should compare the hashed password in your database to the one submitted. (you are hashing your passwords, right? with a salt?)

that's the easy part.

the hard part is enforcing your authentication. sessions have been brought up, and are probably the easiest way.

Quote:
however nothing would prevent the user from typing the address of the successful redirect into the browser.

not true: the verification page sets the proper session variables / cookies, so if a user is not authenticated, the 'success' page (and any other page requiring login) would reject the user.

using htaccess is a pain because you have to make sure your .ht files are in sync with the user database (you may have multiple webservers), it requires passing the password on every single page request (making it impossible to switch to a non-ssl connection after authentication), and it is not designed to handle large volumes of users (seeking through the access files does not scale well).
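
Added example, not part of joe_bruin's post: a sketch of the flow described above, where the verify page compares a salted hash and issues a session, and the 'success' page rejects any request without a valid session. Python, PBKDF2-HMAC-SHA256, the in-memory USERS/SESSIONS dicts and all function names are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

ITERATIONS = 200_000  # assumed work factor for this example

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated per user."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

# Constructed sample data: in-memory stand-ins for the user table and session store.
USERS = {"alice": hash_password("correct horse")}
SESSIONS = {}  # session id -> username
# Dummy record so unknown usernames cost the same time as known ones.
DUMMY = hash_password(secrets.token_hex(16))

def verify_page(name, password):
    """The 'verify page': check credentials, issue a session id on success."""
    salt, stored = USERS.get(name, DUMMY)
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of the stored hash and the submitted one.
    if not (hmac.compare_digest(candidate, stored) and name in USERS):
        return None
    session_id = secrets.token_urlsafe(32)  # unguessable cookie value
    SESSIONS[session_id] = name
    return session_id

def success_page(cookie):
    """Any page requiring login: reject requests without a valid session."""
    user = SESSIONS.get(cookie) if cookie else None
    if user is None:
        return 302, "/login"  # typing the URL directly ends up here
    return 200, f"welcome, {user}"

def logout(cookie):
    """Invalidate the session server-side so the cookie stops working."""
    SESSIONS.pop(cookie, None)
```

Only the random session id travels with each request, never the password, which is the contrast with the htaccess approach drawn in the post.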