No-Registration Access
Recently, I woke up in the morning with a wild notion — a way to give people access to restricted areas without a separate registration process.
After thinking about it for a while, I thought I would go ahead and create the system. Perhaps I will use it sometime. Or you might have a use for it.
Quick overview: Someone wants access to a restricted area. They request a one-time-use access URL be sent to their email address. When they tap on the link in the email, they have access to the restricted area.
That's it. No registration required. There is no username or password.
This may be a solution for pleasing people who really don't want to register and have to remember yet another password just to access your content.
They can bypass registration hassles. All they need to do is provide an email address to receive an access link. Oh, and tap the access link when they get it.
You, as the restricted content owner, may optionally record the email address. Perhaps there is an agreement to deliver more content, such as a subscription to a newsletter or notification of special deals.
How It Works
For purposes of this article, we'll assume you have restricted content that is accessible when the browser has a certain cookie. We'll further assume the URL to that content is at https://example.com/restricted/download.php
Here is what the site visitor experiences.
- The visitor types their email address into a form and submits it.
- They get an email with a one-time-use link URL. So they tap it.
- Their browser goes to https://example.com/restricted/download.php
It's rather easy for them.
Here is how it works behind the scenes.
- When an email address is submitted:
  - A temporary key is generated and an encoded version of the key is stored in a file.
  - A one-time-use link with the key is embedded in an email.
  - The email is sent to the submitted email address.
- When the one-time-use link is tapped:
  - The destination software checks to see if an encoded version of the key is in the file.
  - If yes, a cookie is set and the browser is redirected to the restricted content.
  - If no, an "Incorrect or expired link was tapped" message is sent to the browser.
It's all taken care of with one PHP script.
The No-Registration Access Script
Here is the source code for the No-Registration Access PHP script. Notes follow.
<?php
/*
No-Registration Access
Version 1.0
January 27, 2020
Will Bontrager Software LLC
*/

/* Customizations */
/* Six places to customize. */

// Place 1:
// Specify the location for the access codes file. Let
//    the file name end with ".php" for better security.

$LocationOfAccessCodes = "/place/accesscodes.php";

// Place 2:
// The URL of the restricted area where browser is redirected
//    to after successful tap of the one-time-use URL.

$RedirectURL = "https://example.com/secret/place.php";

// Place 3:
// The cookie name and value that will let the browser
//    into the restricted area.

$CookieName = "MyCookie";
$CookieValue = "MyValue";

// Place 4:
// If the email addresses provided to get access are to be
//    saved, specify the location of the file. Let the file
//    name end with ".php" for better security.

$EmailAddressFile = "/place/emails.php";

// Place 5:
// Specify the email From name, From address, and Subject
//    for the emails sent with the one-time-use link URL.

$FromName = "Name";
$FromAddress = "me@example.com";
$Subject = "Your one-time-use link is enclosed";

// Place 6:
// Between the lines containing the word BOUNDARY, type the
//    content of the email to be sent when access is requested.
//    It is an HTML email, so code accordingly. Use {{URL}} to
//    indicate where the one-time-use link URL is to be inserted.

$EmailContent = <<<BOUNDARY
<p>
Thank you for your request.
</p>
<p>
Tap the one-time-use link URL below for access to the restricted information.
</p>
{{URL}}
<p>
Please tap on the link right away.
</p>
<p>
Sincerely,<br><br>
Name O. Proprietor<br>
<a href="http://example.com/contact.php">http://example.com/</a>
</p>
BOUNDARY;

/* End of customizations */

$Global = array();
$Global['LocationOfAccessCodes'] = trim($LocationOfAccessCodes);
$Global['RedirectURL'] = trim($RedirectURL);
$Global['CookieName'] = preg_replace('/\W/','',$CookieName);
$Global['CookieValue'] = trim($CookieValue);
$Global['EmailAddressFile'] = isset($EmailAddressFile) ? trim($EmailAddressFile) : '';
$Global['FromName'] = str_replace('"',"'",trim($FromName));
$Global['FromAddress'] = trim($FromAddress);
$Global['Subject'] = trim($Subject);
$Global['EmailContent'] = trim($EmailContent);

// File locations that begin with "/" are relative to the document root.
if( strpos($Global['LocationOfAccessCodes'],'/') === 0 )
{
   $Global['LocationOfAccessCodes'] = $_SERVER['DOCUMENT_ROOT'].$Global['LocationOfAccessCodes'];
}
if( $Global['EmailAddressFile'] and strpos($Global['EmailAddressFile'],'/') === 0 )
{
   $Global['EmailAddressFile'] = $_SERVER['DOCUMENT_ROOT'].$Global['EmailAddressFile'];
}

// A form submission creates a code; a 32-character query string redeems one.
if( isset($_POST['email']) ) { CreateCode(); }
elseif( preg_match('/^\w{32}$/',urldecode($_SERVER['QUERY_STRING'])) ) { ProcessCode(); }
else { echo "Incorrect or expired link was tapped."; }
exit;

// Generates the one-time code, stores its hash, and emails the link.
function CreateCode()
{
   global $Global;
   // Accept only one well-formed address. This keeps line breaks and
   //    markup out of the mail() call, the stored file, and the reply page.
   $email = is_string($_POST['email']) ? filter_var(trim($_POST['email']),FILTER_VALIDATE_EMAIL) : false;
   if( $email === false )
   {
      echo "Please provide a valid email address.";
      return;
   }
   // Both files start with a line that stops PHP from serving their content.
   if( ! file_exists($Global['LocationOfAccessCodes']) )
   {
      file_put_contents($Global['LocationOfAccessCodes'],'<'.'?php exit; ?'.">\r\n");
   }
   if( $Global['EmailAddressFile'] and (!file_exists($Global['EmailAddressFile'])) )
   {
      file_put_contents($Global['EmailAddressFile'],'<'.'?php exit; ?'.">\r\n");
   }
   // 32 hex characters from the system's secure random source. A hash of
   //    the time, user agent, IP address and email address can be guessed.
   $emailcode = bin2hex(random_bytes(16));
   // Only the hash of the code is stored; the code itself goes in the email.
   file_put_contents( $Global['LocationOfAccessCodes'], md5($emailcode)."\r\n", FILE_APPEND | LOCK_EX );
   if( $Global['EmailAddressFile'] )
   {
      file_put_contents( $Global['EmailAddressFile'], "$email\r\n", FILE_APPEND | LOCK_EX );
   }
   // HTTP_HOST comes from the request. If the server answers for any
   //    Host header, replace it here with the site's fixed host name.
   $linkURL = ((isset($_SERVER['HTTPS']) and $_SERVER['HTTPS']=='on')?'https://':'http://') . $_SERVER['HTTP_HOST'];
   $linkURL .= "{$_SERVER['PHP_SELF']}?$emailcode";
   $linkURL = htmlspecialchars($linkURL,ENT_QUOTES);
   $linkURL = "<a href='$linkURL'>$linkURL</a>";
   $emailcontent = str_replace('{{URL}}',$linkURL,$Global['EmailContent']);
   $emailcontent = str_replace("\n","\r\n",str_replace("\r",'',$emailcontent));
   mail($email,$Global['Subject'],$emailcontent,"From: \"{$Global['FromName']}\" <{$Global['FromAddress']}>\r\nMIME-Version: 1.0\r\nContent-Type: text/html; charset=\"utf-8\"");
   echo "An email has been sent to " . htmlspecialchars($email);
}

// Looks up the hash of the tapped code. GrabTheCode() removes a matching
//    line from the file, which is what makes the link one-time-use.
function ProcessCode()
{
   global $Global;
   $looksee = md5(urldecode($_SERVER['QUERY_STRING']));
   $matches = array();
   file_put_contents($Global['LocationOfAccessCodes'], GrabTheCode($matches,$looksee,file_get_contents($Global['LocationOfAccessCodes'])) );
   if( count($matches) )
   {
      setcookie($Global['CookieName'],$Global['CookieValue']);
      header("Location: {$Global['RedirectURL']}");
   }
   else { echo "Incorrect or expired link was tapped."; }
}

// Returns the file content with the matching hash line removed, if any.
//    $matches is filled in when the hash was found.
function GrabTheCode(&$matches,$looksee,$s)
{
   preg_match('!'.$looksee.'\s+!s',$s,$matches);
   if( count($matches) ) { return str_replace("$looksee\r\n",'',$s); }
   return $s;
}
?>
Notes —
There are 9 variables that have custom values.
- $LocationOfAccessCodes — Replace /place/accesscodes.php with the location where the temporary access codes shall be stored. The directory must be writable so the file can be created and updated.
- $RedirectURL — Replace https://example.com/secret/place.php with the URL where the restricted content is accessible when a specific cookie is present.
- $CookieName — Replace MyCookie with the cookie name that will give access to the restricted content.
- $CookieValue — Replace MyValue with the cookie value that will give access to the restricted content.
- $EmailAddressFile — Replace /place/emails.php with either (a) a blank value (use an empty set of quotation marks, like "") if you do not want to store the form user's email address or (b) the location where the email addresses shall be stored. To store email addresses, the directory must be writable so the file can be created and updated.
- $FromName — Replace Name with the name to publish as the outgoing email's "From" name.
- $FromAddress — Replace me@example.com with the email address to publish as the outgoing email's "From" address. If the person replies to the email, it will be sent to this address.
- $Subject — Replace Your one-time-use link is enclosed with what you want for the subject line of the outgoing email.
- $EmailContent — Replace the value between the lines containing the word BOUNDARY with the content of the outgoing email. Use the {{URL}} placeholder for the link URL they need to tap for accessing your restricted content. (The software replaces the placeholder with a one-time-use link URL that has a temporary code embedded.) The outgoing email is sent as HTML email. Therefore, do whatever HTML markup is necessary for the email content.
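The script removes a stored code only when its link is tapped, so an unused link stays valid indefinitely. The following is an added example, not part of the original script: a variant of the access-code store described under "How It Works" that also expires unused codes and redeems a code under an exclusive file lock, so simultaneous taps of the same link cannot both succeed. The file path, the 15-minute lifetime and the function names are assumptions.

```php
<?php
// Added example, not the original script. CODE_FILE, CODE_TTL and both
// function names are assumptions chosen for illustration.
const CODE_FILE = '/tmp/noreg-codes.txt'; // in production: outside the web root
const CODE_TTL  = 900;                    // seconds a link stays valid

// Create a code for the emailed link; store only its hash and issue time.
function issue_code(int $now): string {
    $code = bin2hex(random_bytes(16));    // 32 hex characters from the CSPRNG
    $line = hash('sha256', $code) . ' ' . $now . "\n";
    file_put_contents(CODE_FILE, $line, FILE_APPEND | LOCK_EX);
    return $code;
}

// Redeem a code once. Reading, checking and rewriting the file happen
// under one exclusive lock; expired entries are pruned on every call.
function redeem_code(string $code, int $now): bool {
    if (!preg_match('/^[0-9a-f]{32}\z/', $code)) { return false; }
    $fh = fopen(CODE_FILE, 'c+');
    if ($fh === false) { return false; }
    flock($fh, LOCK_EX);
    $want = hash('sha256', $code);
    $keep = '';
    $ok = false;
    while (($line = fgets($fh)) !== false) {
        $parts = explode(' ', trim($line));
        if (count($parts) !== 2) { continue; }
        if ($now - (int)$parts[1] > CODE_TTL) { continue; }  // expired: drop
        if (!$ok && hash_equals($parts[0], $want)) {          // match: use up
            $ok = true;
            continue;
        }
        $keep .= $parts[0] . ' ' . $parts[1] . "\n";
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, $keep);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

// Constructed walk-through with fixed timestamps.
@unlink(CODE_FILE);
$fresh = issue_code(1000);
$stale = issue_code(1000);
var_dump(redeem_code($fresh, 1060));   // tapped within the lifetime
var_dump(redeem_code($fresh, 1061));   // same link tapped again
var_dump(redeem_code($stale, 1000 + CODE_TTL + 1));  // tapped after expiry
```

In a live script, pass time() as $now to both functions.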
Upload the modified PHP script to your server as NoReg.php or other .php file name that works for you.
When the PHP script has been uploaded to your server, make a note of its URL. The URL will be used in the form where they provide their email address to get access.
Here is a bare form you may use.
<form method="post" action="https://example.com/NoReg.php">
Email address:<br>
<input type="email" name="email"><br>
<input type="submit" value="Give Me Access">
</form>
Replace the form's https://example.com/NoReg.php action URL with the URL of the script on your server. Put it on a web page and test the system.
When you test the system, test it all the way through. Use the form to request a one-time-use link URL. When you get the email, tap the link to access the restricted content.
Probably your site visitors will appreciate access to your restricted content without having to do a separate registration and having to remember another password.
(This article first appeared with an issue of the Possibilities newsletter.)
Will Bontrager