Hello all, I have a webapp for the iPad and it requires validation to know if the user purchased it. What is happening now is that when the user goes to the webapp, they are asked to login via an htpasswd file. However, they are always asked this and it gets annoying for them. So, I need something that goes like this:

1.) User goes to the login page.
2.) User enters their password.
3.) User is able to view the login page which sets a cookie and has a link to the webapp.
4.) User clicks link, is taken to the webapp.
5.) The webapp page then checks to see if the cookie is present, if so, it loads the content. If it's not, it redirects the user back to the login page.

I have a custom jQuery cookie script that I like to use to set cookies, and I can post it here if anyone will help me with this. It doesn't seem like a very hard task either, it's just PHP is not my preferred writing language. I will someday learn it, but not today. Thank you.

Here's the cookie script:


/**
* Cookie plugin
*
* Copyright (c) 2006 Klaus Hartl (stilbuero.de)
* Dual licensed under the MIT and GPL licenses:
* http://www.opensource.org/licenses/mit-license.php
* http://www.gnu.org/licenses/gpl.html
*
*/

/**
* Create a cookie with the given name and value and other optional parameters.
*
* @example $.cookie('the_cookie', 'the_value');
* @desc Set the value of a cookie.
* @example $.cookie('the_cookie', 'the_value', { expires: 7, path: '/', domain: 'jquery.com', secure: true });
* @desc Create a cookie with all available options.
* @example $.cookie('the_cookie', 'the_value');
* @desc Create a session cookie.
* @example $.cookie('the_cookie', null);
* @desc Delete a cookie by passing null as value. Keep in mind that you have to use the same path and domain
* used when the cookie was set.
*
* @param String name The name of the cookie.
* @param String value The value of the cookie.
* @param Object options An object literal containing key/value pairs to provide optional cookie attributes.
* @option Number|Date expires Either an integer specifying the expiration date from now on in days or a Date object.
* If a negative value is specified (e.g. a date in the past), the cookie will be deleted.
* If set to null or omitted, the cookie will be a session cookie and will not be retained
* when the the browser exits.
* @option String path The value of the path atribute of the cookie (default: path of page that created the cookie).
* @option String domain The value of the domain attribute of the cookie (default: domain of page that created the cookie).
* @option Boolean secure If true, the secure attribute of the cookie will be set and the cookie transmission will
* require a secure protocol (like HTTPS).
* @type undefined
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/

/**
* Get the value of a cookie with the given name.
*
* @example $.cookie('the_cookie');
* @desc Get the value of a cookie.
*
* @param String name The name of the cookie.
* @return The value of the cookie.
* @type String
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/
jQuery.cookie = function(name, value, options) {
if (typeof value != 'undefined') { // name and value given, set cookie
options = options || {};
if (value === null) {
value = '';
options.expires = -1;
}
var expires = '';
if (options.expires && (typeof options.expires == 'number' || options.expires.toGMTString)) {
var date;
if (typeof options.expires == 'number') {
date = new Date();
date.setTime(date.getTime() + (options.expires * 24 * 60 * 60 * 1000));
} else {
date = options.expires;
}
expires = '; expires=' + date.toUTCString(); // use expires attribute, max-age is not supported by IE
}
// CAUTION: Needed to parenthesize options.path and options.domain
// in the following expressions, otherwise they evaluate to undefined
// in the packed version for some reason...
var path = options.path ? '; path=' + (options.path) : '';
var domain = options.domain ? '; domain=' + (options.domain) : '';
var secure = options.secure ? '; secure' : '';
document.cookie = [name, '=', encodeURIComponent(value), expires, path, domain, secure].join('');
} else { // only name given, get cookie
var cookieValue = null;
if (document.cookie && document.cookie != '') {
var cookies = document.cookie.split(';');
for (var i = 0; i < cookies.length; i++) {
var cookie = jQuery.trim(cookies[i]);
// Does this cookie string begin with the name we want?
if (cookie.substring(0, name.length + 1) == (name + '=')) {
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
break;
}
}
}
return cookieValue;
}
};

cookies will be a bad way to do this - they're temporary, and unless you're always operating on ssl, they're easy to steal too. If you really need to authenticate the purchase, it should be incorporated directly into the app at download.

The cookie script sets the cookies to expire for as long as
I want, even 10 years if I desire.. So thats not a problem. My site does have ssl but I dont care to much about the cookies getting stolen either, it's not a real issue (I have my reasons, even though its not a great way to do it).

...it should be incorporated directly into the app at download.

Yes, that would be ideal, but since it's a webapp, it doesn't get downloaded.

The cookie script sets the cookies to expire for as long as
I want, even 10 years if I desire.. So thats not a problem. My site does have ssl but I dont care to much about the cookies getting stolen either, it's not a real issue (I have my reasons, even though its not a great way to do it).
You can set it as long as you'd like, but it's still out of your hands once it's set. The users' browser might clear it, or the user might automatically delete cookies (for security reasons) anyway. Of course, that's all up to the user, and so it's not much of your concern.

However, the security issue is: if you're not verifying the cookie via ssl, then it can be stolen in transit. And if that's the case, then it might as well not be verified at all: you're basically subjecting the honest users to extra security while putting dishonest users on the "honor system."

Yes, that would be ideal, but since it's a webapp, it doesn't get downloaded.
Sorry, I overlooked that in your first post.

It sounds like what you need is a basic login/authentication system. I know you said PHP isn't your "preferred" language, but that would be one of the easiest ways to do this. ASP and other server-side languages could do it as well, but I'm not familiar with those.

(javascript will not be a solution. anything that works on the client-side is completely insecure.)

Yes, I do need an authentication system, this was just the way I had a little knowledge of it working. What do you suggest?

I usually write my own depending on the project. If you're just looking for something you can download and use, it would depend on how you want to use it - generally, the easiest way is to use a CMS that has such "members-only pages" features (most do). However, that's probably more than you need (or want).

You can search for "PHP user authentication" scripts and see what you can find. You'd need to know something about php to modify it for your purposes. If you want to try, here's the basics of what you need to have:

1) when you sell the app, generate a username/password/registration key/whatever. Store these values (or, better yet, hash the values and store that) in a database.

2) have a logon form where the user can enter their password/key/whatever.

3) the user's submission would be processed server-side and compared to the values stored in the database. if they match, the page would set a cookie (a session-only/single-use would be best).

4) subsequent pages in the app would check for that cookie being set, and redirect the user to the login page if it was missing.

Otherwise, you may want to look for paid help (http://www.dynamicdrive.com/forums/forumdisplay.php?f=30).

Ok, I did a search and I'm looking into some options. I use PayPal to handle my transactions and when the user buys the app, they are sent an email with the login info (the pass is all the same, I don't know how to generate a custom one). Would you be able to mod the script to generate a username and pass and post it to the database? I'll find a script that I like and post it here along with the IPN script if you will help. Thank you!

Infact, this might be what I need? http://www.scientifantastic.com/paypal/

Edit: Or this? http://www.bluewaterwebdesigns.com/php-scripts/authenticationpal.html

shopping for scripts is difficult, because you need to be able to understand how a script works before deciding if it will do what you need correctly and -most importantly- reliably. I've never used either of the scripts you linked to, so I couldn't say. It does look like the sort of feature set you might want, but I have no idea of how well they work. It's pretty important to know something works when dealing with money.

If you're already using IPN, you should be able to set up your paypal account with passcodes - they have that feature specifically for people who sell digital downloads. It would be a lot better than just giving everyone the same code. You would still need to set up a script on your site that would check/ authenticate the code, however.


About "helping you": I'm going to answer that very carefully....

If you want to try to do this, I'd be happy to look at what you come up with and give any opinions or advice I might have.

If you want me to do it for you, please contact me (http://www.custom-anything.com/contact) and we can discuss costs and exactly what you need done. :)