Site-wide Login System
At Willmaster and some other sites, we use a site-wide One Login System. The system can protect any directory that contains a customizable .htaccess file.
How the One Login System Works
There is one log-in page. After logging in, a cookie is set.
Directories are protected with entries in the .htaccess file. If the cookie is set, the browser is allowed to access the directory. Otherwise, the browser gets a "not authorized" message.
Why?
For Willmaster.com, we use the One Login System to protect various scripts on the domain. The Possibilities emailing software is an example. Others are syndication, web content updating, server monitoring, and backup software.
Some of those are in separate directories. Some share the same directory. So long as the directory has the customized .htaccess file, we're good.
For better security, either or both the username and the password may contain embedded spaces.
The source code provided in this article is an updated version of what we are using. It was updated for easier customization and to allow more than one username/password set to be specified. (With a separate username for each person allowed access, removing a username later won't affect anybody else's log-in.)
How to Implement "One Login System" Directory Protection
Implementing the system is two steps.
- Install the PHP script.
  - Copy the PHP script source code for the log-in page. (The source code is further below.)
  - Customize the source code.
  - Save the source code as domainlogin.php or, recommended, a different *.php file name.
  - Upload the file into a directory that will not be protected with this system (otherwise, the log-in page could not be accessed for logging in).
- Put four lines of code into the .htaccess file of directories to be protected.
That's it.
The Log-in Page
Here is the source code for the log-in page. See customization notes below.
<?php # This must be the first line of the file.
/*
One Login System
Version 1.2 (updated login features, added secure and httponly cookie attributes, and removed domain name from setcookie)
February 1, 2026
Version 1.0, November 7, 2011
Will Bontrager Software, LLC
https://www.willmaster.com/
Copyright 2011 Will Bontrager Software, LLC
*/
//////////////////////////////////////////////////////
//
// Customizations:
//
// Two sections to customize.
//
// The first section:
//
// Specify the cookie name, the cookie value, and how long
// the cookie shall last.
// The cookie name and the cookie value need to start with
// a letter and can be composed of letters, numbers, and
// underscore characters.
// The cookie lifetime represents the number of days the
// cookie shall last. It may be a decimal number. Use
// the number 0 to set a volatile cookie, one that will
// delete itself when the browser closes.
// Decimal examples:
// 1 hour = 1÷24 = 0.04166667
// ½ hour = 1÷24÷2 = 0.02083333
// 4 hours = 1÷24×4 = 0.16666667
$CookieName = "CookieName";
$CookieValue = "CookieValue";
$CookieLifetime = 0.16666667;
// The second section to customize:
//
// Below, between the lines that contain the word "SETS",
// specify comma-separated usernames and passwords
// between quotes, one line for each set.
// Usernames may contain any keyboard characters except commas.
// Passwords may contain any keyboard characters.
// Usernames are case insensitive.
// Passwords are case sensitive.
// Both usernames and passwords may have embedded spaces,
// but any spaces at the ends will be ignored.
// Blank lines between lines with "SETS" are ignored.
$SETS = <<<SETS
username,password
Will,a,b,c
fairy tale,oxtail soup
user4,pass4
SETS;
// No further PHP script customizations are necessary.
//////////////////////////////////////////////////////
$Message = array();
if( isset($_POST['un'], $_POST['pw']) and is_string($_POST['un']) and is_string($_POST['pw']) )
{
    // Build the lookup table: lowercased username => password.
    $UP = array();
    foreach(preg_split('/[\r\n]+/',trim($SETS)) as $line)
    {
        $ta = explode(',',$line);
        $tu = strtolower(trim(array_shift($ta)));
        $tp = trim(implode(',',$ta)); // Passwords may contain commas.
        $UP[$tu] = $tp;
    }
    $un = trim(strtolower($_POST['un']));
    $pw = trim($_POST['pw']);
    if( $un === '' ) { $Message[] = "Please specify a username."; }
    elseif( isset($UP[$un]) )
    {
        if( $pw === '' ) { $Message[] = "Please specify a password."; }
        // hash_equals() compares as strings in constant time; "==" would apply PHP's loose type juggling.
        elseif( hash_equals($UP[$un],$pw) )
        {
            // Cookie for the whole site ('/'), with the Secure and HttpOnly attributes set.
            $CookieLifetime = floatval($CookieLifetime);
            $life = $CookieLifetime > 0 ? intval( time() + ( $CookieLifetime * 24 * 60 * 60 ) ) : 0;
            setcookie($CookieName,$CookieValue,$life,'/','',true,true);
        }
        else { $Message[] = "Incorrect password."; }
    }
    else { $Message[] = "Incorrect username."; }
}
?>
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>One Login System</title>
<style type="text/css">
body { font-family:sans-serif; font-size:100%; }
input { width:100%; font-size:1em; box-sizing:border-box; }
input[type="text"], input[type="password"] { border:1px solid #ccc; padding:3px; border-radius:3px; }
</style>
</head>
<body>
<form method="post" action="<?php echo(htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')); ?>">
<div style="max-width:300px; margin:.5in auto;">
<p>
<b>
<?php echo(implode('<br><br>',$Message)); ?>
</b>
</p>
<p>Username:<br><input type="text" name="un"></p>
<p>Password:<br><input type="password" name="pw"></p>
<p><br><input type="submit" value="Log In"></p>
</div>
</form>
</body>
</html>
The above is the source code for an entire PHP web page.
The PHP is to be customized for:
- The cookie name, the cookie value, and how long the cookie shall last.
- The usernames and passwords that are allowed to log in.
Comments in the source code have instructions. The visual design of the page may be changed to suit. The form field names need to remain as is.
When customization is complete, upload the page into a directory that will not be password protected with this log-in form. If the log-in form was in the password-protected directory, the form could not be accessed to log in.
Make a note of the log-in form's URL. The URL will be needed for the .htaccess file.
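The log-in script keeps each password in plain text inside the PHP file, and the cookie value is the only thing the .htaccess rule checks. The following is an added example, not part of the original script: it stores password_hash() output in the sets instead of the passwords and generates an unguessable cookie value. The function names parse_sets, check_login and new_cookie_value are hypothetical, and the sample credentials are constructed.

```php
<?php
// Added example, not the article's script. Function names are hypothetical.

// Parse "username,hash" lines the way the article parses "username,password":
// first field is the username, the rest is rejoined with commas, so hash
// formats that contain commas (Argon2) survive intact.
function parse_sets(string $sets): array {
    $up = [];
    foreach (preg_split('/[\r\n]+/', trim($sets)) as $line) {
        $parts = explode(',', $line);
        $user  = strtolower(trim(array_shift($parts)));
        if ($user !== '') { $up[$user] = trim(implode(',', $parts)); }
    }
    return $up;
}

// True only when the user exists and the password matches the stored hash.
function check_login(array $up, string $un, string $pw): bool {
    static $dummy = null;
    // Unknown users are verified against a throwaway hash so both failure
    // paths do comparable work.
    $dummy ??= password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT);
    $un    = strtolower(trim($un));
    $known = isset($up[$un]);
    $ok    = password_verify(trim($pw), $known ? $up[$un] : $dummy);
    return $known && $ok;
}

// Random cookie value within the article's constraint: starts with a letter,
// then letters and digits only (32 hex characters from 16 random bytes).
function new_cookie_value(): string {
    return 'v' . bin2hex(random_bytes(16));
}

// Constructed sample data. In a real file each hash is generated once with
// password_hash() and pasted into a nowdoc (<<<'SETS'), because a heredoc
// (<<<SETS) would try to interpolate the "$" characters inside the hash.
$SETS = "Will," . password_hash('a,b,c', PASSWORD_DEFAULT) . "\n"
      . "fairy tale," . password_hash('oxtail soup', PASSWORD_DEFAULT);
$UP = parse_sets($SETS);

var_dump(check_login($UP, 'WILL', 'a,b,c'));
var_dump(check_login($UP, 'fairy tale', 'wrong soup'));
var_dump(check_login($UP, 'nobody', 'a,b,c'));
echo new_cookie_value(), "\n";
```

A generated cookie value has to be copied into both the PHP script and every protected directory's .htaccess file, and replacing it in both places invalidates all existing log-ins.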
The .htaccess File
Here are the four lines to put into the .htaccess file of each directory to be protected. See customization notes below.
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_COOKIE} !\bCookieName=CookieValue\b [NC]
RewriteRule .* http://www.example.com/members/login.php [L]
The above has three customizations.
- At line 3: Replace CookieName with the cookie name as specified in the PHP script.
- Also at line 3: Replace CookieValue with the cookie value as specified in the PHP script.
- At line 4: Replace http://www.example.com/members/login.php with the URL to the log-in form.
Each directory to be protected with One Login System needs those 4 lines in its .htaccess file.
If the directory does not yet have an .htaccess file, create one with those 4 lines. Otherwise, insert the 4 lines into the directory's current .htaccess file.
How to Use It
Now that you have one or more protected directories, put software, web pages, or other files into the directory to keep unauthorized browsers and bots from accessing them.
When One Login System is set up, you may end up using it a lot, like I do.
(This content first appeared in Possibilities newsletter.)
Will Bontrager

